PKI 10.3 Issuing OCSP Certificates with PKI CA - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to issue OCSP certificates with the pki ca commands on PKI 10.3 or later.

Submitting Certificate Requests

The certificate requests can be submitted to a PKI CA with the following commands:

$ pki -U <CA URL> ca-cert-request-submit --profile caUserCert --csr-file ocsp_admin.csr --subject uid=ocspadmin
$ pki -U <CA URL> ca-cert-request-submit --profile caSignedLogCert --csr-file ocsp_audit_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caOCSPCert --csr-file ocsp_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caServerCert --csr-file ocsp_sslserver.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSubsystemCert --csr-file ocsp_subsystem.csr

Approving Certificate Requests

The CA admin can approve each request by executing the following command:

$ pki -U <CA URL> -c Secret.123 -n caadmin ca-cert-request-review <request ID> --action approve

Retrieving Issued Certificates

The certificates and the CA signing certificate can be downloaded with the following commands:

$ pki -U <CA URL> ca-cert-show <cert ID> --output ocsp_admin.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output ocsp_audit_signing.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output ocsp_signing.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output ocsp_sslserver.crt
$ pki -U <CA URL> ca-cert-show <cert ID> --output ocsp_subsystem.crt
$ pki -U <CA URL> ca-cert-show 0x1 --output ca_signing.crt
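
The three steps above chained together, as an added example (not part of the original wiki page or the Dogtag project's code): it takes the request ID from the submit output and the certificate ID from the approval output, and stops if either is missing. The "Request ID:" and "Certificate ID:" output lines and the CA_URL and NSS_PASSWORD variables are assumptions.

```shell
#!/bin/sh
# Added example: submit -> approve -> download, using the page's commands.
# Assumption: pki prints "  Request ID: <id>" after a submit and
# "  Certificate ID: <id>" after an approval that issued a certificate.

# field NAME: print the value of the first "NAME: value" line on stdin.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# issue_cert PROFILE CSR OUT [extra submit options]; prints the cert ID.
issue_cert() {
    profile=$1 csr=$2 out=$3
    shift 3
    submitted=$(pki -U "$CA_URL" ca-cert-request-submit \
        --profile "$profile" --csr-file "$csr" "$@") || return 1
    req_id=$(printf '%s\n' "$submitted" | field 'Request ID')
    [ -n "$req_id" ] || { echo "no request ID for $csr" >&2; return 1; }

    reviewed=$(pki -U "$CA_URL" -c "$NSS_PASSWORD" -n caadmin \
        ca-cert-request-review "$req_id" --action approve) || return 1
    cert_id=$(printf '%s\n' "$reviewed" | field 'Certificate ID')
    [ -n "$cert_id" ] || { echo "request $req_id not issued" >&2; return 1; }

    pki -U "$CA_URL" ca-cert-show "$cert_id" --output "$out" >/dev/null || return 1
    echo "$cert_id"
}

# The five OCSP certificates from this page, then the CA signing certificate.
issue_all() {
    issue_cert caUserCert ocsp_admin.csr ocsp_admin.crt --subject uid=ocspadmin &&
    issue_cert caSignedLogCert ocsp_audit_signing.csr ocsp_audit_signing.crt &&
    issue_cert caOCSPCert ocsp_signing.csr ocsp_signing.crt &&
    issue_cert caServerCert ocsp_sslserver.csr ocsp_sslserver.crt &&
    issue_cert caSubsystemCert ocsp_subsystem.csr ocsp_subsystem.crt &&
    pki -U "$CA_URL" ca-cert-show 0x1 --output ca_signing.crt
}

# Runs only when both variables are set (names are assumptions), e.g.
#   CA_URL=<CA URL> NSS_PASSWORD=<NSS database password> sh issue_ocsp_certs.sh
if [ -n "${CA_URL:-}" ] && [ -n "${NSS_PASSWORD:-}" ]; then
    issue_all
fi
```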