Generating CMC Shared Token for Certificate Revocation - dogtagpki/pki GitHub Wiki
This page describes the process to generate a CMC shared token for revoking a certificate. It assumes that:

- The issuance protection certificate has been created.
To generate a CMC shared token:
```
$ CMCSharedToken \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -p Secret.123 \
    -n ca_issuance_protection \
    -s <token> \
    -o testuser.b64
```
The token will be encrypted with the issuance protection certificate's public key and stored in testuser.b64 in Base64 format. To convert the value into a single line:

```
$ SHARED_TOKEN=$(sed -e :a -e 'N;s/\r\n//;ba' testuser.b64)
```
To assign the CMC shared token to a certificate, store the token under the revShrTok property in the metaInfo attribute of the certificate record in LDAP:

```
$ ldapmodify \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    << EOF
dn: cn=<decimal serial number>,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: metaInfo
metaInfo: revShrTok:$SHARED_TOKEN
EOF
```
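The two manual steps above (collapsing the Base64 file, then writing the LDIF with the decimal serial in the DN) are easy to get wrong by hand, in particular because PKI CLIs display serial numbers in hex while the certificate record's cn is the decimal serial. The following script is an added example, not part of this wiki page or of the PKI project's tooling: it builds the ldapmodify input from the CMCSharedToken output file and a serial given in decimal or 0x-prefixed hex. The LDAP suffix dc=ca,dc=pki,dc=example,dc=com is taken from the page and is overridable through the assumed CA_BASE_DN variable; the script name assign-revshrtok.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki page or the PKI project's tooling.
# Builds the ldapmodify input that stores a CMC shared token under the revShrTok
# key of a certificate record's metaInfo attribute, starting from the Base64 file
# written by CMCSharedToken (e.g. testuser.b64) and the certificate serial number.
#
# Assumptions (hypothetical defaults, change them to match your deployment):
#   - the CA's LDAP suffix is dc=ca,dc=pki,dc=example,dc=com as on the wiki page;
#   - the serial is given either in decimal or as 0x-prefixed hex (the form PKI
#     CLIs display); the record's cn, however, is always the decimal serial.

CA_BASE_DN="${CA_BASE_DN:-dc=ca,dc=pki,dc=example,dc=com}"

# Collapse the Base64 file into a single line. Accepts LF and CRLF line endings,
# so it covers the same case as the sed loop on the wiki page.
collapse_b64() {
    tr -d '\r\n' < "$1"
}

# Print the serial number in decimal. Decimal input is passed through (leading
# zeros stripped so the shell does not read it as octal); 0x-prefixed hex is
# converted with shell arithmetic, which is limited to signed 64-bit values, so
# hex serials longer than 15 digits are refused rather than silently truncated.
serial_to_decimal() {
    hex=${1#0[xX]}
    if [ "$hex" != "$1" ]; then
        case "$hex" in
            ''|*[!0-9A-Fa-f]*)
                echo "serial_to_decimal: invalid hex serial '$1'" >&2; return 1 ;;
        esac
        if [ ${#hex} -gt 15 ]; then
            echo "serial_to_decimal: '$1' exceeds shell arithmetic range, convert it with bc or python" >&2
            return 1
        fi
        printf '%d\n' "$(( 0x$hex ))"
    else
        case "$1" in
            ''|*[!0-9]*)
                echo "serial_to_decimal: invalid decimal serial '$1'" >&2; return 1 ;;
        esac
        dec=$(printf '%s' "$1" | sed 's/^0*//')
        printf '%d\n' "$(( ${dec:-0} ))"
    fi
}

# Emit the LDIF for: build_revshrtok_ldif <serial> <token.b64>
# Fails (with nothing on stdout) if the serial is malformed or the file is empty,
# so a bad run never reaches ldapmodify.
build_revshrtok_ldif() {
    serial_dec=$(serial_to_decimal "$1") || return 1
    token=$(collapse_b64 "$2")
    if [ -z "$token" ]; then
        echo "build_revshrtok_ldif: no token found in '$2'" >&2
        return 1
    fi
    printf 'dn: cn=%s,ou=certificateRepository,ou=ca,%s\n' "$serial_dec" "$CA_BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: metaInfo\n'
    printf 'metaInfo: revShrTok:%s\n' "$token"
}

# Usage when run as a script (hypothetical file name; the bind password is
# prompted for with -W instead of being placed on the command line):
#   ./assign-revshrtok.sh 0x1a testuser.b64 \
#       | ldapmodify -H ldap://ds.example.com:3389 -x -D "cn=Directory Manager" -W
if [ $# -ge 2 ]; then
    build_revshrtok_ldif "$1" "$2"
fi
```

Piping the generated LDIF into ldapmodify keeps the token out of the shell history and avoids retyping the DN; if the CA uses long random serials, the hex conversion must be done with an arbitrary-precision tool, which the script signals by refusing the input instead of producing a wrong DN.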