5.2. Creating Certificate Signing Requests

As explained in the Enrolling with CMC section in the Red Hat Certificate System Planning, Installation, and Deployment Guide (Common Criteria Edition), the CMCRequest utility accepts Certificate Signing Requests (CSR) in PKCS #10 and CRMF format.
Red Hat Certificate System supports using the following utilities to create CSRs:
  • certutil: Supports creating PKCS #10 requests.
  • PKCS10Client: Supports creating PKCS #10 requests.
  • CRMFPopClient: Supports creating CRMF requests.
The following sections provide some examples on how to use these utilities with the feature-rich enrollment profile framework.

5.2.1. Creating a CSR Using certutil

This section describes examples on how to use the certutil utility to create a CSR.
For further details about using certutil, see:
  • The certutil(1) man page
  • The output of the certutil --help command

5.2.1.1. Using certutil to Create a CSR with EC Keys

The following procedure demonstrates how to use the certutil utility to create an Elliptic Curve (EC) key pair and CSR:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Create the binary CSR and store it in the /user_or_entity_database_directory/request.csr file: 
    $ certutil -d . -R -k ec -q nistp256 -s "CN=subject_name" -o /user_or_entity_database_directory/request-bin.csr
    Enter the required NSS database password when prompted.
    For further details about the parameters, see the certutil(1) man page.
  3. Convert the created binary format CSR to PEM format: 
    $ BtoA /user_or_entity_database_directory/request-bin.csr /user_or_entity_database_directory/request.csr
  4. Optionally, verify that the CSR file is correct: 
    $ cat /user_or_entity_database_directory/request.csr

MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs
...
    This is a PKCS#10 PEM certificate request.
  5. For the next steps, see Section 5.3.1, “The CMC Enrollment Process”, but skip the step about creating the certificate request.

5.2.1.2. Using certutil to Create a CSR With User-defined Extensions

The following procedure demonstrates how to create a CSR with user-defined extensions using the certutil utility.
Note that the enrollment requests are constrained by the enrollment profiles defined by the CA. See Example B.3, “Multiple User Supplied Extensions in CSR”.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Create the CSR with user-defined Key Usage extension as well as user-defined Extended Key Usage extension and store it in the /user_or_entity_database_directory/request.csr file: 
    $ certutil -d . -R -k rsa -g 1024 -s "CN=subject_name" --keyUsage keyEncipherment,dataEncipherment,critical --extKeyUsage timeStamp,msTrustListSign,critical -a -o /user_or_entity_database_directory/request.csr
    Enter the required NSS database password when prompted.
    For further details about the parameters, see the certutil(1) man page.
  3. Optionally, verify that the CSR file is correct: 
    $ cat /user_or_entity_database_directory/request.csr
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: user 4-2-1-2
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)
    This is a PKCS#10 PEM certificate request.
  4. For the next steps, see Section 5.3.1, “The CMC Enrollment Process”, but skip the step about creating the certificate request.

    Note

    Remove the header information from the CSR.

5.2.2. Creating a CSR Using PKCS10Client

This section describes examples how to use the PKCS10Client utility to create a CSR.
For further details about using PKCS10Client, see:
  • The PKCS10Client(1) man page
  • The output of the PKCS10Client --help command

5.2.2.1. Using PKCS10Client to Create a CSR

The following procedure explains how to use the PKCS10Client utility to create an Elliptic Curve (EC) key pair and CSR:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ PKCS10Client -d . -p NSS_password -a ec -c nistp256 -o /user_or_entity_database_directory/example.csr -n "CN=subject_name"
    For further details about the parameters, see the PKCS10Client(1) man page.
  3. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----

5.2.2.2. Using PKCS10Client to Create a CSR for SharedSecret-based CMC

The following procedure explains how to use the PKCS10Client utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert and caECFullCMCSharedTokenCert profiles.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ PKCS10Client -d . -p NSS_password -o /user_or_entity_database_directory/example.csr -y true -n "CN=subject_name"
    For further details about the parameters, see the PKCS10Client(1) man page.
  3. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----

5.2.3. Creating a CSR Using CRMFPopClient

Certificate Request Message Format (CRMF) is a CSR format accepted in CMC that allows key archival information to be securely embedded in the request.
This section describes examples how to use the CRMFPopClient utility to create a CSR.
For further details about using CRMFPopClient, see the CRMFPopClient(1) man page.

5.2.3.1. Using CRMFPopClient to Create a CSR with Key Archival

The following procedure explains how to use the CRMFPopClient utility to create an RSA key pair and a CSR with the key archival option:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Retrieve the KRA transport certificate: 
    $ pki ca-cert-find --name "DRM Transport Certificate"
    ---------------
    1 entries found
    ---------------
      Serial Number: 0x7
      Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
      Status: VALID
      Type: X.509 version 3
      Key A    lgorithm: PKCS #1 RSA with 2048-bit key
      Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
      Not Valid After: Wed Oct 11 18:26:11 CEST 2017
      Issued On: Thu Oct 22 18:26:11 CEST 2015
      Issued By: caadmin
    ----------------------------
    Number of entries returned 1
  3. Export the KRA transport certificate: 
    $ pki ca-cert-show 0x7 --output kra.transport
  4. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -v -o /user_or_entity_database_directory/example.csr
    To create an Elliptic Curve (EC) key pair and CSR, pass the -a ec -t false options to the command.
    For further details about the parameters, see the CRMFPopClient(1) man page.
  5. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----

5.2.3.2. Using CRMFPopClient to Create a CSR for SharedSecret-based CMC

The following procedure explains how to use the CRMFPopClient utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert and caECFullCMCSharedTokenCert profiles.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
  2. Retrieve the KRA transport certificate: 
    $ pki ca-cert-find --name "DRM Transport Certificate"
    ---------------
    1 entries found
    ---------------
      Serial Number: 0x7
      Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
      Status: VALID
      Type: X.509 version 3
      Key A    lgorithm: PKCS #1 RSA with 2048-bit key
      Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
      Not Valid After: Wed Oct 11 18:26:11 CEST 2017
      Issued On: Thu Oct 22 18:26:11 CEST 2015
      Issued By: caadmin
    ----------------------------
    Number of entries returned 1
  3. Export the KRA transport certificate: 
    $ pki ca-cert-show 0x7 --output kra.transport
  4. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -y -v -o /user_or_entity_database_directory/example.csr
    To create an EC key pair and CSR, pass the -a ec -t false options to the command.
    For further details about the parameters, see the output of the CRMFPopClient --help command.
  5. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----