Submitting Certificate Request - dogtagpki/pki GitHub Wiki

Overview

This document describes the process to submit a certificate request to the Certificate Authority. It assumes that the certificate request has been previously generated.

Note that the request still needs to be approved by a CA agent, then the certificate needs to be retrieved by the client. To submit the certificate request, approve the request, and immediately retrieve the certificate, see Issuing Certificates.

Submitting New Certificate Request

To generate a new key and a new CSR, then submit the CSR to the CA, execute the following command:

$ pki client-cert-request \
    --profile caDualCert \
    --type crmf \
    --transport transport.crt \
    uid=testuser

Submitting Existing PKCS #10 Request

To submit an existing PKCS #10 request:

$ pki ca-cert-request-submit \
    --profile caServerCert \
    --csr-file sslserver.csr

Availability: Since PKI 10.3.

Submitting Existing CRMF Request

To submit an existing CRMF request:

$ pki ca-cert-request-submit \
    --request-type crmf \
    --csr-file testuser.csr \
    --profile caUserCert \
    --subject UID=testuser

Availability: Since PKI 11.7.

Submitting Certificate Request with XML Request

Getting XML Request Template

Download the request template into a file:

$ pki ca-cert-request-profile-show <profile> --output request.xml

Populate XML Request

Edit the template and enter the requested information (e.g. CSR, subject DN):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    ...
    <Input id="i1">
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            ...
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
            </Value>
            ...
        </Attribute>
    </Input>
    <Input id="i2">
        ...
        <Attribute name="sn_uid">
            <Value>testuser</Value>
            ...
        </Attribute>
    </Input>
    ...
</CertEnrollmentRequest>

Submitting XML Request

Submit the request with the following command:

$ pki ca-cert-request-submit request.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 28
  Type: enrollment
  Request Status: pending
  Operation Result: success
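
The "Populate XML Request" step can be scripted instead of edited by hand. The following is an added example, not part of the PKI project: it fills the attributes shown in the template above and fails if an attribute name is missing from the template or the CSR text is not PEM-framed. `check_csr_pem`, `populate_request` and the reduced `TEMPLATE` are hypothetical names and constructed input; the CSR check covers framing and encoding only, not the request's signature or subject.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed template holding only the elements shown on this page;
# a template downloaded from a CA contains more fields.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Input id="i1">
        <Attribute name="cert_request_type"><Value></Value></Attribute>
        <Attribute name="cert_request"><Value></Value></Attribute>
    </Input>
    <Input id="i2">
        <Attribute name="sn_uid"><Value></Value></Attribute>
    </Input>
</CertEnrollmentRequest>"""

PEM_RE = re.compile(
    r"\A-----BEGIN (NEW )?CERTIFICATE REQUEST-----\s+([A-Za-z0-9+/=\s]+?)"
    r"-----END (NEW )?CERTIFICATE REQUEST-----\Z")


def check_csr_pem(pem):
    """Accept only one PEM-framed request whose body decodes to a DER SEQUENCE."""
    pem = pem.strip()
    m = PEM_RE.match(pem)
    if not m or m.group(1) != m.group(3):
        raise ValueError("CSR is not PEM-framed as a certificate request")
    # validate=True rejects characters outside the base64 alphabet
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if not der or der[0] != 0x30:  # a PKCS #10 request starts with SEQUENCE
        raise ValueError("CSR body is not a DER SEQUENCE")
    return pem


def populate_request(template_xml, values):
    """Set <Value> for each named Attribute; reject names the template lacks."""
    root = ET.fromstring(template_xml.encode("utf-8"))
    for name, text in values.items():
        nodes = root.findall(f".//Input/Attribute[@name='{name}']/Value")
        if len(nodes) != 1:
            # A misspelled name would otherwise be dropped silently.
            raise KeyError(f"template has {len(nodes)} attributes named {name!r}")
        nodes[0].text = text
    return ET.tostring(root, encoding="unicode")
```

Write the returned string to `request.xml` and submit it with the `pki ca-cert-request-submit request.xml` command shown above.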