4.3. Requesting and Receiving Certificates

The first step to obtain a certificate is generating the request, which is then submitted to the issuing CA. Some Certificate System profiles allow users to request a certificate right through the web services pages, and the profile generates and submits the request in a single step. For other profiles, the request must be generated separately.
Virtually all certificate requests are processed through the CA's end-entities services, which provide the web-based profile forms; the issued certificates are then retrieved from the same pages. This section details the most common certificate enrollment processes.

4.3.1. Requesting and Receiving a User or Agent Certificate through the End-Entities Page

End entities can use the HTML enrollment forms on the Certificate Manager end-entities page to create user certificates for email and SSL authentication. Other enrollment forms are available for adding certificates to tokens and signing files.
The following profiles are used to create user certificates:
  • Manual User Dual-Use Certificate Enrollment
  • Manual User Signing and Encryption Certificates Enrollment
  • Directory-Authenticated User Dual-Use Certificate Enrollment (if directory authentication has been configured)

Note

The agent or user has to generate and submit the client request from the computer that will later be used to access the subsystem. This matters because the request process generates the private key on the local machine (in the browser's key store), and the key never leaves it; a certificate retrieved on a different machine has no matching private key there. If location independence is required, the user can instead use a hardware token, such as a smart card, to store the key pair and the certificate.
  1. Open the Certificate Manager's end-entities page, for example:
    https://server.example.com:8443/ca/ee/ca
  2. Select the user certificate enrollment form from the list of certificate profiles.
  3. Fill in the user information.

    Note

    The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organization unit fields are included in the subject name of the certificate.
    This support does not include supporting internationalized domain names.

    Note

    CRMF requests are no longer supported in Firefox 35 or later.
  4. Click Submit.
  5. The key pairs for the user certificate are generated, and the certificate request is sent to the agent queue. Alternatively, if automatic enrollment is configured, the certificate is approved (or rejected) by the CA, and the new certificate is displayed in the web browser window.
  6. Once the certificate is approved and generated, the CA sends a notification that you can retrieve the certificate.
    1. Open the Certificate Manager end-entities page, for example:
      https://server.example.com:8443/ca/ee/ca
    2. Click the Retrieval tab.
    3. Fill in the request ID number that was created when the certificate request was submitted, and click Submit.
    4. The next page shows the status of the certificate request. If the status is complete, then there is a link to the certificate. Click the Issued certificate link.
    5. The new certificate information is shown in pretty-print format, in base-64 encoded format, and in PKCS #7 format.
      The following actions can be taken through this page:
      • To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate.
      • If this is a client certificate that will be installed directly in the web browser, scroll down to the Importing This Certificate section, and click the Import your certificate or Import S/MIME certificate button.
    6. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file. Save the text file, and use it to store a copy of the certificate in a subsystem's internal database. See Section 14.4.2.1, “Creating Users”.

4.3.2. Requesting Certificates Using certutil

  1. Change to the certificate database directory of the instance for which the certificate is being requested, for example:
    # cd /var/lib/pki/instance_name/alias
  2. Create the CSR:
    # certutil -R -k key_type -g key_size -s "subject_name" -o CSR_file_name -v validity_period -d . -1 -7 -8
    For further details about the parameters, see the certutil(1) man page.
  3. Ensure that the certificate request file is correct, for example:
    cat request.cert
    
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs
    ZSBuZXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcH3CcFbSWFYCV
    WrR1pJf8OaLLvTJB45A+grnNqCAQHnsOKO7XLuO+oLt+r1oEtM7o5eXlwZT1BZT5
    bodglwJgo/GXxElqX49EnPdwyNLiK8bMKRkKnPiIi9jkaGbiTnQLrKMO8/sGKTB+
    DGu1VIsj9a/4tt2Kt5wwhtEMIfeNZ4Alk9UCWpC8r/0I3eNzyyk4pJ9qWDzYEpV3
    TVFco/1FWo+yangv7ThSnOJprILIOpcir0vm5zPSlON6JHyJq9O94wSqnIYs/xqC
    iR4SCEx2I3y0Gaym+C78zxJfGFyALFr8LISQLKWJBZhPrUgDwv44x9KSKIkRM9wa
    l6l4eLl5AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAo3+dEKvtKJlFadlNC7fH
    Ob/aiO2JYfjRFg4qZEXjAAvtl4OiJ0bqdimP5JYv5DLUpdqVZbXFPE5/2OmOCJOi
    kpBKdyBabOTPfoXQe2Nvzw5RoEwT4/vFtRm1bGTHUKQlugfdj26PnMlOWoMn9rCN
    dtEE5eDVeuyWzhj+Ik35AyVhvCXzBQRo3XjFS8Pb/VdhRL/s57eY+pwMaGIyOWgd
    dlf2nmU9e7LL6MrkkZmJeIm8YdDPwMUkK7uzPu3429CERgtkN1UnuIfniKg8rlt2
    gEm12Q6lfGYoZK8Yuaor4pSiQrMHi3xXDQqkjA/hz853wkSWpQAAtjqIzSljdLMY
    Ng==
    -----END NEW CERTIFICATE REQUEST-----
  4. Submit the certificate request to the CA.
    1. Copy the certificate request, including the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- to a text file or into the clipboard.
    2. Open the end-entity services page of the Certificate Manager, for example:
      https://server.example.com:8443/ca/ee/ca
    3. In Certificate Profiles of the Enrollment tab, click on the appropriate form to submit the request. The default profiles are listed in Section 2.2.6, “List of Certificate Profiles”.
    4. In the certificate enrollment form, enter the required information.
      The standard requirements are as follows:
      • Certificate Request Type. This is either PKCS #10 or CRMF. Certificate requests created through the subsystem administrative console are PKCS #10, as are those created with the certutil tool and most other command-line utilities.
      • Certificate Request. Paste the base-64 encoded blob, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines.
      • Requester Name. This is the common name of the person requesting the certificate.
      • Requester Email. This is the email address of the requester. The agent or CA system will use this address to contact the requester when the certificate is issued. For example, jdoe@someCompany.com.
      • Requester Phone. This is the contact phone number of the requester.
    The submitted request is queued for agent approval. An agent needs to process and approve the certificate request; the CA then signs it and delivers the certificate to the email address specified in the request. If the requester has agent access, the requester can log in as an agent and approve the request.
  5. Retrieve the certificate.
    1. Open the Certificate Manager end-entities page, for example:
      https://server.example.com:8443/ca/ee/ca
    2. Click the Retrieval tab.
    3. Fill in the request ID number that was created when the certificate request was submitted, and click Submit.
    4. The next page shows the status of the certificate request. If the status is complete, then there is a link to the certificate. Click the Issued certificate link.
    5. The new certificate information is shown in pretty-print format, in base-64 encoded format, and in PKCS #7 format.
      The following actions can be taken through this page:
      • To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate.
      • If this is a client certificate that will be installed directly in the web browser, scroll down to the Importing This Certificate section, and click the Import your certificate or Import S/MIME certificate button.
    6. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file. Save the text file, and use it to store a copy of the certificate in a subsystem's internal database. See Section 14.4.2.1, “Creating Users”.
For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
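Step 3 of the procedure above only eyeballs the PEM block. The following is an added example, not part of Certificate System or NSS, that decodes the request with a small hand-written DER walker (standard library only), so that before pasting the request into a profile form you can confirm the subject, key type and size, and signature algorithm, and check that the request's self-signature verifies under the public key it carries, which is the proof of possession the CA relies on. It is run against the request printed in step 3 (subject O=Example, CN=example new, as decoded from that blob) and understands RSA keys only; `parse_csr`, `verify_pop_signature`, `OID_NAMES` and `DIGEST_INFO` are this example's own names.

```python
"""Sanity-check a certutil -R request before pasting it into the enrollment form
(added example, standard library only; walks the PKCS #10 DER by hand)."""
import base64, hashlib, re

# Sample input: the request printed above (O=Example, CN="example new").
SAMPLE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs
ZSBuZXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcH3CcFbSWFYCV
WrR1pJf8OaLLvTJB45A+grnNqCAQHnsOKO7XLuO+oLt+r1oEtM7o5eXlwZT1BZT5
bodglwJgo/GXxElqX49EnPdwyNLiK8bMKRkKnPiIi9jkaGbiTnQLrKMO8/sGKTB+
DGu1VIsj9a/4tt2Kt5wwhtEMIfeNZ4Alk9UCWpC8r/0I3eNzyyk4pJ9qWDzYEpV3
TVFco/1FWo+yangv7ThSnOJprILIOpcir0vm5zPSlON6JHyJq9O94wSqnIYs/xqC
iR4SCEx2I3y0Gaym+C78zxJfGFyALFr8LISQLKWJBZhPrUgDwv44x9KSKIkRM9wa
l6l4eLl5AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAo3+dEKvtKJlFadlNC7fH
Ob/aiO2JYfjRFg4qZEXjAAvtl4OiJ0bqdimP5JYv5DLUpdqVZbXFPE5/2OmOCJOi
kpBKdyBabOTPfoXQe2Nvzw5RoEwT4/vFtRm1bGTHUKQlugfdj26PnMlOWoMn9rCN
dtEE5eDVeuyWzhj+Ik35AyVhvCXzBQRo3XjFS8Pb/VdhRL/s57eY+pwMaGIyOWgd
dlf2nmU9e7LL6MrkkZmJeIm8YdDPwMUkK7uzPu3429CERgtkN1UnuIfniKg8rlt2
gEm12Q6lfGYoZK8Yuaor4pSiQrMHi3xXDQqkjA/hz853wkSWpQAAtjqIzSljdLMY
Ng==
-----END NEW CERTIFICATE REQUEST-----"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.1.1": "rsaEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
DIGEST_INFO = {  # PKCS #1 v1.5 DigestInfo prefixes, keyed by signature algorithm
    "sha1WithRSAEncryption": (hashlib.sha1, bytes.fromhex("3021300906052b0e03021a05000414")),
    "sha256WithRSAEncryption": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420"))}

def pem_to_der(pem):
    """certutil labels its output NEW CERTIFICATE REQUEST; accept the plain label too."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """The TLVs between start and end, i.e. the members of a SEQUENCE or SET."""
    out, pos = [], start
    while pos < end:
        out.append(tlv(buf, pos))
        pos = out[-1][2]
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def alg_name(der, seq):  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    oid = children(der, seq[1], seq[2])[0]
    return OID_NAMES.get(decode_oid(der[oid[1]:oid[2]]), "unknown")

def parse_csr(pem):
    der = pem_to_der(pem)
    tag, s, e = tlv(der, 0)
    if tag != 0x30 or e != len(der):
        raise ValueError("not a single DER SEQUENCE (trailing or missing bytes)")
    cri, sig_alg, sig = children(der, s, e)          # CertificationRequest members
    version, subject, spki = children(der, cri[1], cri[2])[:3]
    info = {"version": der[version[1]], "subject": [], "key_bits": None,
            "signature_algorithm": alg_name(der, sig_alg),
            "signature": der[sig[1] + 1:sig[2]], "tbs": der[s:cri[2]]}  # skip unused-bits byte
    for rdn in children(der, subject[1], subject[2]):  # Name ::= SEQUENCE OF SET OF AVA
        for atv in children(der, rdn[1], rdn[2]):
            oid, val = children(der, atv[1], atv[2])
            dotted = decode_oid(der[oid[1]:oid[2]])
            info["subject"].append((OID_NAMES.get(dotted, dotted), der[val[1]:val[2]].decode()))
    alg, pubkey = children(der, spki[1], spki[2])
    info["key_algorithm"] = alg_name(der, alg)
    if info["key_algorithm"] == "rsaEncryption":
        rsa = der[pubkey[1] + 1:pubkey[2]]  # BIT STRING body: RSAPublicKey { n, e }
        n, ex = children(rsa, *tlv(rsa, 0)[1:])
        info["rsa_n"], info["rsa_e"] = (int.from_bytes(rsa[t[1]:t[2]], "big") for t in (n, ex))
        info["key_bits"] = info["rsa_n"].bit_length()
    return info

def verify_pop_signature(info):
    """PKCS #1 v1.5: the request must verify under the public key it carries."""
    if "rsa_n" not in info or info["signature_algorithm"] not in DIGEST_INFO:
        return None  # not an RSA request, or an algorithm this example does not know
    hashfn, prefix = DIGEST_INFO[info["signature_algorithm"]]
    k = (info["key_bits"] + 7) // 8
    m = pow(int.from_bytes(info["signature"], "big"), info["rsa_e"], info["rsa_n"])
    t = prefix + hashfn(info["tbs"]).digest()
    return m.to_bytes(k, "big") == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
```

Running `parse_csr(SAMPLE_CSR)` on the request above reports a 2048-bit RSA key, subject O=Example, CN=example new, and sha1WithRSAEncryption as the signature algorithm; `verify_pop_signature` then recomputes the PKCS #1 v1.5 encoding over the certificationRequestInfo bytes and compares. The SHA-1 self-signature only binds the request to the key; the CA chooses the algorithm it signs the issued certificate with, so it is worth noting but does not by itself make the request unusable. `openssl req -noout -text -in request.cert` shows the same fields; the reason to decode by hand here is to see exactly which bytes the proof-of-possession signature covers and why a request generated on one machine cannot be "completed" on another.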