4.4. Issuing Certificates Using CMC
- The Enrolling with CMC section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
- CMCRequest(1) man page
- CMCResponse(1) man page
4.4.1. The CMC Enrollment Process
- Create a Certificate Signing Request (CSR) in one of the following formats:
- PKCS #10 format:
# PKCS10Client -d /home/user_name/.dogtag/nssdb/ -p password \ -n "CN=subCA Signing Certificate,OU=pki-tomcat,O=security_domain" \ -o /home/user_name/ca_pkcs10.req
- Certificate Request Message Format (CRMF) format:
# CRMFPopClient -d /home/user_name/.dogtag/nssdb/ -p password \ -n "cn=user, uid=test" -q POP_SUCCESS -b kra.transport -y -v \ -o /home/user_name/crmf.req
- Create a configuration file for a CMC request, such as
/home/user_name/cmc-request.cfg, with the following content:
# NSS database directory where CA agent certificate is stored dbdir=/home/user_name/.dogtag/nssdb/ # NSS database password password=password # Token name (default is internal) tokenname=internal # Nickname for signing certificate nickname=subsystem_admin # Request format: pkcs10 or crmf format=pkcs10 # Total number of PKCS10/CRMF requests numRequests=1 # Path to the PKCS10/CRMF request # The content must be in Base-64 encoded format. # Multiple files are supported. They must be separated by space. input=/home/user_name/file.csr # Path for the CMC request output=/home/user_name/cmc-request.binFor further details, see the CMCRequest(1) man page.
- Create the CMC request:
# CMCRequest /home/user_name/cmc-request.cfgIf the command succeeds, the
CMCRequestutility stored the CMC request in the file specified in the
outputparameter in the request configuration file.
- Create a configuration file for
HttpClient, such as
/home/user_name/cmc-submit.cfg, which you use in a later step to submit the CMC request to the CA. Add the following content to the created file:
# PKI server host name host=server.example.com # PKI server port number port=8443 # Use secure connection # For secure connection with ECC, set environment variable # 'export NSS_USE_DECODED_CKA_EC_POINT=1'. secure=true # Use client authentication clientmode=true # NSS database directory where the CA agent certificate is stored. dbdir=/home/user_name/.dogtag/nssdb/ # NSS database password password=password # Token name (default: internal) tokenname=internal # Nickname of signing certificate nickname=subsystem_admin # Path for the CMC request input=/home/user_name/cmc-request.bin # Path for the CMC response output=/home/user_name/cmc-response.bin
- Depending on what type of certificate you request, add the following parameter to the configuration file created in the previous step:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=profile_nameFor example, for a CA signing certificate:
- Submit the CMC request to the CA:
# HttpClient /home/user_name/cmc-submit.cfg
- To convert the CMC response to a PKCS #7 certificate chain, pass the CMC response file to the
-iparameter of the
CMCResponseutility. For example:
# CMCResponse -i /home/user_name/cmc-response.bin -o /home/user_name/cert_chain.crt
4.4.2. Practical CMC Enrollment Scenarios
188.8.131.52. Obtaining System and Server Certificates
- Enrollment Profiles
- The agent must either use one of the existing CMC profiles listed in Section 184.108.40.206, “CMC Authentication Plug-ins” or, alternatively, create a custom profile that uses the
- CMC Signing Certificate
- For system certificates, the CA agent must generate and sign the CMC request. For this, set the
nicknameparameter in the
CMCRequestconfiguration file to the nickname of the CA agent.
NoteThe CA agent must have access to the own private key.
HttpClientSSL Client Nickname
- Use the same certificate for signing in the
CMCRequestutility's configuration file as for SSL client authentication in the configuration file for
servletin the configuration file passed to the
HttpClientutility refers to the CMC servlet and the enrollment profile which handles the request.Depending on what type of certificate you request, add one of the following entries to the configuration file created in the previous step:
- For a CA signing certificate:
- For a KRA transport certificate:
- For a OCSP signing certificate:
- For a audit signing certificate:
- For a subsystem certificate:
- For RSA certificates:
- For ECC certificates:
- For an SSL server certificate:
- For RSA certificates:
- For ECC certificates:
- For an admin certificate:
- When an agent pre-signs a CSR, the Proof of Identification is considered established because the agent examines the CSR for identification. No additional CMC-specific identification proof is required.
- PKCS #10 files already provide Proof of Possession information and no additional Proof of Possession (POP) is required.
- In agent pre-approved requests, the
PopLinkWittnessV2feature must be disabled because the identification is checked by the agent.
220.127.116.11. Obtaining the First Signing Certificate for a User
- An agent signs the CMC request. See Section 18.104.22.168.1, “Signing a CMC Request with an Agent Certificate”.
- Certificate enrollment is authenticated by using a Shared Secret. See Section 22.214.171.124.2, “Authenticating for Certificate Enrollment Using a Shared Secret”.
126.96.36.199.1. Signing a CMC Request with an Agent Certificate
188.8.131.52. Obtaining an Encryption-only Certificate for a User
- Use the cryptographic token stored in a Network Security Services (NSS) database or on a smart card that contains the user's signing certificate and keys.
- Generate the CSR in PKCS #10 or the CRMF format.
NoteUse the CRMF format, if key archival is required.
- Generate the CMC request.Since this is an encryption-only certificate, the private key is not able to sign. Therefore, Proof Of Possession (POP) is not included. For this reason, the enrollment requires two steps: If the initial request is successful, results in a CMC status with the
EncryptedPOPcontrol. The user then uses the response and generates a CMC request that contains the
DecryptedPOPcontrol and submits it in the second step.
- For the first step, in addition to the default parameters, the user must set the following parameters in the configuration file passed to the
For details, see the CMCRequest(1) man page.The response contains:
popLinkWitnessV2.enableif required by the CA
popLinkWitnessV2.keyGenAlgif required by the CA
popLinkWitnessV2.macAlgif required by the CA
- A CMC encrypted POP control
CMCStatusInfoV2control with the
- The request ID
- For the second step, in addition to the default parameters, the user must set the following parameters in the configuration file passed to the
For details, see the CMCRequest(1) man page.