Issuing Audit Signing Certificate with CMC - dogtagpki/pki GitHub Wiki

Overview

This document describes the process for a CA agent to issue an audit signing certificate with CMC in PKI 10.5 or later.

This process assumes that the CA agent has performed PKI CLI Initialization.

Creating CMC Request

To create a CMC request prepare the following configuration file (e.g. audit_signing-cmc-request.cfg):

# NSS database directory where CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default is internal).
tokenname=internal

# Nickname for CA agent certificate.
nickname=caadmin

# Request format: pkcs10 or crmf.
format=pkcs10

# Total number of PKCS10/CRMF requests.
numRequests=1

# Path to the PKCS10/CRMF request.
# The content must be in Base-64 encoded format.
# Multiple files are supported. They must be separated by space.
input=audit_signing.csr

# Path for the CMC request.
output=audit_signing-cmc-request.bin

Then execute the following command:

$ CMCRequest audit_signing-cmc-request.cfg

Submitting CMC Request

To submit a CMC request prepare the following configuration file (e.g. audit_signing-cmc-submit.cfg):

# PKI server host name.
host=pki.example.com

# PKI server port number.
port=8443

# Use secure connection.
# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
secure=true

# Use client authentication.
clientmode=true

# NSS database directory where CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default: internal).
tokenname=internal

# Nickname of CA agent certificate.
nickname=caadmin

# CMC servlet path
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCauditSigningCert

# Path for the CMC request.
input=audit_signing-cmc-request.bin

# Path for the CMC response.
output=audit_signing-cmc-response.bin

Then execute the following command:

$ HttpClient audit_signing-cmc-submit.cfg

Processing CMC Response

To convert CMC response into PKCS #7 cert chain:

$ CMCResponse -i audit_signing-cmc-response.bin -o audit_signing.crt

See Also

⚠️ **GitHub.com Fallback** ⚠️