Certificate Enrollment with PIN Authenticated Profile - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert).

Availability: Since PKI 11.6.

Prerequisites

  • Configure PIN-authenticated profile.

  • Generate a certificate request and store it in a file (e.g. testuser.csr).

Enrollment using pki ca-cert-issue

The enrollment can be done using pki ca-cert-issue command.

Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password and the PIN:

$ pki ca-cert-issue \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin \
    --output-file testuser.crt
Password: ********
PIN: ********

The password and PIN can also be specified with --password-file and --pin-file options.

The certificate will be stored into testuser.crt.

Availability: Since PKI 11.6

Enrollment using pki ca-cert-request-submit

The enrollment can be done using pki ca-cert-request-submit command.

Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password and the PIN:

$ pki ca-cert-request-submit \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin
Password: ********
PIN: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x784127bb5291d998224a9426aea15c2b

The password and PIN can also be specified with --password-file and --pin-file options.

The certificate can be retrieved with the following command:

$ pki ca-cert-export <cert ID> --output-file testuser.crt

Enrollment using XML

The enrollment can also be done manually using XML messages.

Then retrieve the template for the XML request for the profile with the following command:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/xml" \
    -H "Accept: application/xml" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | xmllint --format - \
    > request.xml

Insert the username of the LDAP user with the following command:

$ xmlstarlet edit --inplace \
    -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "testuser" \
    -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "uid" \
    request.xml

Insert the password of the LDAP user with the following command:

$ xmlstarlet edit --inplace \
    -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "Secret.123" \
    -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pwd" \
    request.xml

Insert the PIN of the LDAP user with the following command:

$ xmlstarlet edit --inplace \
    -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "5yD9VI" \
    -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pin" \
    request.xml

Insert the request type with the following command:

$ xmlstarlet edit --inplace \
    -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request_type']/Value" \
    -v "pkcs10" \
    request.xml

Insert the CSR with the following command:

$ xmlstarlet edit --inplace \
    -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request']/Value" \
    -v "$(cat testuser.csr)" \
    request.xml

The final XML request should look like the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes>
        <Attribute name="uid">testuser</Attribute>
        <Attribute name="pwd">Secret.123</Attribute>
        <Attribute name="pin">5yD9VI</Attribute>
    </Attributes>
    ...
    <Input ...>
        ...
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            ...
        </Attribute>
        <Attribute name="cert_request">
            <Value>-----BEGIN CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT
guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT
oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO
nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu
NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp
8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq
QA==
-----END CERTIFICATE REQUEST-----</Value>
            ...
        </Attribute>
    </Input>
</CertEnrollmentRequest>

Then submit the request with the following command:

$ curl \
    -k \
    -s \
    -X POST \
    -d @request.xml \
    -H "Content-Type: application/xml" \
    -H "Accept: application/xml" \
    https://$HOSTNAME:8443/ca/rest/certrequests \
    | xmllint --format -
<CertRequestInfos>
  <total>1</total>
  <CertRequestInfo ...>
    <requestID>0xfd5377c93db8f0ed016de1d688e27f7e</requestID>
    <requestType>enrollment</requestType>
    <requestStatus>complete</requestStatus>
    ...
    <certID>0x784127bb5291d998224a9426aea15c2b</certID>
    ...
    <certRequestType>pkcs10</certRequestType>
    <operationResult>success</operationResult>
  </CertRequestInfo>
</CertRequestInfos>

The certificate can be retrieved with the following commands:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/xml" \
    -H "Accept: application/xml" \
    https://$HOSTNAME:8443/ca/rest/certs/<cert ID> \
    | xmllint --format - \
    > cert.xml
$ xmlstarlet sel -t -v '/CertData/Encoded' cert.xml \
    | sed 's/&#13;$//' \
    > testuser.crt

Enrollment using JSON

The enrollment can also be done manually using JSON messages.

Retrieve the template for the JSON request for the profile with the following command:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | python -m json.tool \
    > request.json

Insert the username of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
    request.json | sponge request.json

Insert the password of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
    request.json | sponge request.json

Insert the PIN of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \
    request.json | sponge request.json

Insert the request type with the following command:

$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
    request.json | sponge request.json

Insert the CSR with the following command:

$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
    request.json | sponge request.json

The final JSON request should look like the following:

{
    ...,
    "Input": [
        {
            ...,
            "Attribute": [
                {
                    "name": "cert_request_type",
                    "Value": "pkcs10",
                    ...
                },
                {
                    "name": "cert_request",
                    "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
                    ...
                }
            ]
        }
    ],
    ...,
    "Attributes": {
        "Attribute": [
            {
                "name": "uid",
                "value": "testuser"
            },
            {
                "name": "pwd",
                "value": "Secret.123"
            },
            {
                "name": "pin",
                "value": "5yD9VI"
            }
        ]
    }
}

Then submit the request with the following command:

$ curl \
    -k \
    -s \
    -X POST \
    -d @request.json \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests \
    | python -m json.tool
{
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            ...,
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            ...,
            "certRequestType": "pkcs10",
            "operationResult": "success",
            ...
        }
    ]
}

The certificate can be retrieved with the following commands:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certs/<cert ID> \
    | python -m json.tool \
    > cert.json
$ jq -j '.Encoded' cert.json | tee testuser.crt

See Also

⚠️ **GitHub.com Fallback** ⚠️