Submitting Certificate Request with Key Archival - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to generate and submit a CRMF request for key archival.

The following certificate profiles support key archival:

  • caUserCert

  • caECUserCert

  • caSigningUserCert

  • caDualCert

Generating and Submitting New CRMF Request with CRMFPopClient

First, obtain the KRA transport certificate (see Getting KRA Transport Certificate).

To generate and submit a new CRMF request:

$ CRMFPopClient \
    -d ~/.dogtag/nssdb \
    -p "" \
    -m pki.example.com:8080 \
    -f caUserCert \
    -n UID=testuser \
    -u testuser \
    -b kra_transport.crt
Submitting CRMF request to pki.example.com:8080
Request ID: 10
Request Status: pending
Reason:

Generating and Submitting New CRMF Request with pki client-cert-request

To generate and submit a new CRMF request:

$ pki client-cert-request \
    --type crmf \
    --profile caUserCert \
    UID=testuser
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 10
  Type: enrollment
  Request Status: pending
  Operation Result: success

By default, the command downloads the transport certificate from the CA. To use a transport certificate stored in a local file, specify --transport <filename>. Either way, the transport certificate will be imported into the client’s NSS database.
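Because the client wraps the private key for the KRA under the transport certificate, a check worth scripting is pinning that certificate's SHA-256 fingerprint before passing it to --transport. The following is an added example, not part of the original page or the Dogtag project; it assumes the file is PEM-encoded and that the pinned fingerprint was obtained out of band, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Dogtag code): pin the KRA transport certificate before use.
# Assumption: the certificate file is PEM-encoded. Function names are hypothetical.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in $1.
# The fingerprint is the digest of the DER bytes inside the PEM armor.
cert_sha256() {
    local body
    body=$(awk '/^-----BEGIN CERTIFICATE-----/ {on=1; next}
                /^-----END CERTIFICATE-----/   {exit}
                on' "$1" 2>/dev/null | tr -d ' \t\r\n')
    [ -n "$body" ] || return 1          # missing file or no certificate block
    printf '%s' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Return 0 only if the certificate in $1 matches the pinned fingerprint in $2.
# The pin may be plain hex or colon-separated, upper or lower case.
verify_transport_cert() {
    local actual expected
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;     # not a hex string
    esac
    [ "${#expected}" -eq 64 ] || return 2   # SHA-256 is 64 hex digits
    actual=$(cert_sha256 "$1") || return 1
    [ "$actual" = "$expected" ]
}

# Submit a CRMF request only when the transport certificate matches the pin.
# Arguments: <transport cert file> <pinned SHA-256> <subject DN>
submit_with_pinned_transport() {
    if ! verify_transport_cert "$1" "$2"; then
        echo "refusing to submit: $1 does not match the pinned fingerprint" >&2
        return 1
    fi
    pki client-cert-request --type crmf --profile caUserCert \
        --transport "$1" "$3"
}

# Example call (fingerprint value is a placeholder):
#   submit_with_pinned_transport kra_transport.crt "<PINNED_SHA256>" UID=testuser
```

The same check can precede CRMFPopClient, which takes the transport certificate file through its -b option.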

Submitting Existing CRMF Request with pki ca-cert-request-submit

To submit an existing CRMF request:

$ pki ca-cert-request-submit \
    --request-type crmf \
    --csr-file testuser.csr \
    --profile caUserCert \
    --subject UID=testuser
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0x9f727c2f06ee07568c6e7eada5755d8a
  Type: enrollment
  Request Status: pending
  Operation Result: success

Availability: Since PKI 11.7.
