Certificate Enrollment with PIN Authenticated Profile - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert).

Availability: Since PKI 11.6.

Prerequisites

  • Configure PIN-authenticated profile.

  • Generate a certificate request and store it in a file (e.g. testuser.csr).

Enrollment using pki ca-cert-request-submit

The pki ca-cert-request-submit command can be used for certificate enrollment with PIN authentication.

Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password and the PIN:

$ pki ca-cert-request-submit \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin
Password: ********
PIN: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x784127bb5291d998224a9426aea15c2b

The certificate will be issued immediately.

Enrollment using curl

The enrollment can also be done manually using curl command.

Retrieve the template for the JSON request for the profile with the following command:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | python -m json.tool > request.json

Insert the username of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
    request.json | sponge request.json

Insert the password of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
    request.json | sponge request.json

Insert the PIN of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \
    request.json | sponge request.json

Insert the request type with the following command:

$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
    request.json | sponge request.json

Insert the CSR with the following command:

$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
    request.json | sponge request.json

The final JSON request should look like the following:

{
    ...,
    "Input": [
        {
            ...,
            "Attribute": [
                {
                    "name": "cert_request_type",
                    "Value": "pkcs10",
                    ...
                },
                {
                    "name": "cert_request",
                    "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
                    ...
                }
            ]
        }
    ],
    ...,
    "Attributes": {
        "Attribute": [
            {
                "name": "uid",
                "value": "testuser"
            },
            {
                "name": "pwd",
                "value": "Secret.123"
            },
            {
                "name": "pin",
                "value": "5yD9VI"
            }
        ]
    }
}

Then submit the request with the following command:

$ curl \
    -k \
    -s \
    -X POST \
    -d @request.json \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests | python -m json.tool
{
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            ...,
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            ...,
            "certRequestType": "pkcs10",
            "operationResult": "success",
            ...
        }
    ]
}

The certificate will be issued immediately.

Retrieving Certificate

Once issued, the certificate can be retrieved with the following command:

$ pki ca-cert-export <certificate ID> --output-file testuser.crt

If necessary, the certificate can be imported into NSS database with the following command:

$ pki nss-cert-import testuser --cert testuser.crt

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
⚠️ **GitHub.com Fallback** ⚠️