Issuing OCSP Certificates with PKI CA - dogtagpki/pki GitHub Wiki

Overview

This page describes how to issue OCSP certificates with the pki ca commands on PKI 10.8 or later.

For older versions, see:

Submitting Certificate Requests

The certificate requests can be submitted to a PKI CA with the following commands:

$ pki -U <CA URL> ca-cert-request-submit --profile caSignedLogCert --csr-file ocsp_audit_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caOCSPCert --csr-file ocsp_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caServerCert --csr-file ocsp_sslserver.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSubsystemCert --csr-file ocsp_subsystem.csr
$ pki -U <CA URL> ca-cert-request-submit --profile AdminCert --csr-file ocsp_admin.csr

Approving Certificate Requests

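The CA admin can approve each request by executing the following command with its request ID. The -w option passes the admin password as a command-line argument, so it ends up in shell history and is visible in the process list while the command runs: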

$ pki -U <CA URL> -u caadmin -w Secret.123 ca-cert-request-approve <request ID>

Retrieving Issued Certificates

The certificates and the CA signing certificate can be downloaded with the following commands:

$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_admin.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_audit_signing.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_signing.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_sslserver.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_subsystem.crt
$ pki -U <CA URL> ca-cert-signing-export --output-file ca_signing.crt
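
Before installing the exported files, it helps to confirm that each certificate carries the public key from its CSR and was signed by the exported CA signing certificate. The script below is an added example, not part of the original page or of the pki tooling; it assumes PEM files and the openssl CLI, and its function names are hypothetical. The OCSP Signing check applies to ocsp_signing.crt and reflects the RFC 6960 requirement for delegated responder certificates.

```shell
#!/bin/sh
# Added example: post-issuance checks for certificates exported from the CA.
# Assumptions: all files are PEM, the openssl CLI is installed, and the
# function names below are hypothetical (not part of the pki tooling).

# Print the PEM public key of a CSR (kind "req") or certificate (kind "x509").
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Succeed only if certificate $1 verifies with CA certificate $2 as trust anchor.
chains_to_ca() {
    openssl verify -partial_chain -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Succeed only if certificate $1 lists the OCSP Signing extended key usage,
# which RFC 6960 requires of a delegated OCSP responder certificate.
has_ocsp_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'OCSP Signing'
}

# usage: check_issued <csr> <crt> <ca_crt>
# Confirms the certificate carries the key from the CSR and was signed by the CA.
check_issued() {
    csr_key=$(pubkey_of req "$1") || { echo "unreadable CSR: $1" >&2; return 1; }
    crt_key=$(pubkey_of x509 "$2") || { echo "unreadable certificate: $2" >&2; return 1; }
    if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
        echo "$2: public key does not match $1" >&2; return 1
    fi
    chains_to_ca "$2" "$3" || { echo "$2: not signed by $3" >&2; return 1; }
}

# Stand-alone use: sh check_issued.sh ocsp_signing.csr ocsp_signing.crt ca_signing.crt
if [ "$#" -eq 3 ]; then
    check_issued "$1" "$2" "$3" && echo "$2: OK"
fi
```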