Chapter 16. CRMFPopClient (Sending an Encoded CRMF Request)

The CRMFPopClient utility sends a Certificate Request Message Format (CRMF) request to a Certificate System CA, with the request encoded with proof-of-possession (POP) data that the CA server can verify. When a request carries POP information, the server can confirm that the requester actually holds the private key corresponding to the public key in the new certificate.
The tool does all of the following:
  1. Generates CRMF requests with correct, incorrect, or missing POP information, so that the CA's verification or enforcement of POP can be exercised.
  2. Makes simple certificate requests without using the standard Certificate System agent page or interface.
  3. Makes a simple certificate request that uses the KRA's transport certificate, so that the private key can be archived in the KRA.

Note

A transport.txt file containing the KRA's transport certificate must be present in the directory from which the command is run. If the file is missing, the archival process is still attempted, but it fails with the following error message:
ERROR: File 'transport.txt' does not exist
Try 'CRMFPopClient --help' for more information.
transport.txt must contain the entire base64-encoded transport certificate on a single line, with the PEM header and footer removed. The transport certificate is what protects the private key on its way to the KRA, so make sure the file holds the genuine transport certificate of the KRA you intend to archive to, not a copy taken from an untrusted source.
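Preparing transport.txt by hand is error-prone, so the following is an added example (not part of the Certificate System tools) of a POSIX shell script that converts a PEM-encoded KRA transport certificate into the single-line format described above and checks the result before CRMFPopClient is run. The file names and function names are this example's own choices, and the sample certificate body is a constructed DER SEQUENCE, not a real certificate; it exists only to show the conversion.

```shell
#!/bin/sh
# Added example, not part of Certificate System: build transport.txt from a
# PEM-encoded KRA transport certificate and check its shape before running
# CRMFPopClient. File and function names are this example's own choices.

# Convert a PEM file holding exactly one certificate into the single-line,
# header-and-footer-free base64 form that CRMFPopClient expects.
# Usage: pem_to_transport_txt kra-transport.pem transport.txt
pem_to_transport_txt() {
    pem=$1
    out=$2
    [ -r "$pem" ] || { echo "error: cannot read $pem" >&2; return 1; }
    # Refuse bundles: transport.txt must hold only the KRA transport certificate.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$count" -ne 1 ]; then
        echo "error: expected exactly one certificate in $pem, found $count" >&2
        return 1
    fi
    # Keep the lines between header and footer, drop the header/footer lines
    # themselves, and remove every CR, LF, space and tab so one line remains.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
        | grep -v -- '-----' \
        | tr -d '\r\n \t' > "$out"
    printf '\n' >> "$out"      # terminate the single line
    check_transport_txt "$out"
}

# Verify that a transport.txt is one line, carries no PEM armor, and decodes
# to DER (a certificate is a SEQUENCE, so the first byte must be 0x30).
check_transport_txt() {
    f=$1
    [ -f "$f" ] || { echo "error: $f does not exist" >&2; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    if [ "$lines" -ne 1 ]; then
        echo "error: $f must contain exactly one line, found $lines" >&2
        return 1
    fi
    if grep -q -- '-----' "$f"; then
        echo "error: $f still contains a PEM header or footer" >&2
        return 1
    fi
    first=$(base64 -d "$f" 2>/dev/null | od -A n -t x1 -N 1 | tr -d ' ')
    if [ "$first" != "30" ]; then
        echo "error: $f does not decode to a DER certificate" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed input. The body below is the base64 of a
# hand-built DER SEQUENCE (30 0a 02 01 01 04 05 68 65 6c 6c 6f), deliberately
# split over two lines the way PEM wraps long bodies; it is NOT a certificate.
demo_transport_txt() {
    dir=$(mktemp -d)
    cat > "$dir/kra-transport.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MAoCAQEE
BWhlbGxv
-----END CERTIFICATE-----
EOF
    if pem_to_transport_txt "$dir/kra-transport.pem" "$dir/transport.txt"; then
        echo "transport.txt ready: $(cat "$dir/transport.txt")"
    fi
    rm -rf "$dir"
}

demo_transport_txt
```

check_transport_txt only verifies the file's shape. Before archiving a real key, also compare the certificate's fingerprint with the one published by your KRA: the private key is wrapped under this certificate, so a substituted transport.txt would hand the key to whoever holds the matching private key.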

16.1. Syntax

There are two syntax styles for the CRMFPopClient utility, depending on the intended use.
This is for sending a simple certificate request to a CA:

CRMFPopClient token_password profile_name host port username requester_name pop_option subject_dn [ OUTPUT_CERT_REQ ]

This is for printing the certificate request to stdout, without sending it to a CA:

CRMFPopClient token_password pop_option OUTPUT_CERT_REQ subject_dn

Option Description
token_password
The password for the cryptographic token.
profile_name
The CA profile to which to submit the request.
host
The hostname of the CA instance. Depending on how DNS and the network are configured, this can be a machine name, a fully qualified domain name, or an IPv4 or IPv6 address.
port
The non-SSL (plain HTTP) port of the Certificate System CA; the request is sent to this port unencrypted.
username
The Certificate System user for whom the certificate request is issued.
requester_name
The name of the person or entity who is requesting the certificate.
pop_option
Sets the type of POP information to include in the generated request. Because two of the values deliberately produce requests the CA should reject, this option is mainly useful for testing the CA's POP enforcement. There are three values:
  • POP_SUCCESS. Generates a request with correct POP information; the server verifies that the requester holds the private key.
  • POP_FAIL. Generates a request with incorrect POP information; the server rejects the request when it is submitted. Use this to confirm that POP verification is enabled on the server.
  • POP_NONE. Generates a CRMF request with no POP information. If the server is configured to require POP on every request, it rejects this request; use this to confirm that the server does not accept requests without POP.
subject_dn
The distinguished name of the requested certificate.
OUTPUT_CERT_REQ
Prints the generated certificate request to stdout. This argument is optional when the CRMF POP request is sent to a CA, but it is required when the command is used only to print the request.