Certificate Enrollment with PIN Authenticated Profile

Endi S. Dewata edited this page Sep 25, 2024 · 18 revisions

Overview

This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert).

Availability: Since PKI 11.6.

Prerequisites

  • Configure PIN-authenticated profile.

  • Generate a certificate request and store it in a file (e.g. testuser.csr).

Enrollment using pki ca-cert-issue

The pki ca-cert-issue command can be used for certificate enrollment with PIN authentication.

Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

$ pki ca-cert-issue \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin \
    --output-file testuser.crt
Password: ********
PIN: ********

The certificate will be issued immediately and stored into testuser.crt.

Availability: Since PKI 11.6.

Enrollment using pki ca-cert-request-submit

The pki ca-cert-request-submit command can be used for certificate enrollment with PIN authentication.

Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

$ pki ca-cert-request-submit \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin
Password: ********
PIN: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x784127bb5291d998224a9426aea15c2b

The certificate will be issued immediately and can be retrieved using pki ca-cert-export.

Enrollment using curl

The enrollment can also be done manually using the curl command.

Retrieve the template for the JSON request for the profile with the following command:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | python -m json.tool > request.json

Insert the username of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
    request.json | sponge request.json

Insert the password of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
    request.json | sponge request.json

Insert the PIN of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \
    request.json | sponge request.json

Insert the request type with the following command:

$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
    request.json | sponge request.json

Insert the CSR with the following command:

$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
    request.json | sponge request.json

The final JSON request should look like the following:

{
    ...,
    "Input": [
        {
            ...,
            "Attribute": [
                {
                    "name": "cert_request_type",
                    "Value": "pkcs10",
                    ...
                },
                {
                    "name": "cert_request",
                    "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
                    ...
                }
            ]
        }
    ],
    ...,
    "Attributes": {
        "Attribute": [
            {
                "name": "uid",
                "value": "testuser"
            },
            {
                "name": "pwd",
                "value": "Secret.123"
            },
            {
                "name": "pin",
                "value": "5yD9VI"
            }
        ]
    }
}
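The five jq steps above can also be carried out in one script. The following is an added example, not part of this wiki or of the PKI project, that builds the same request body in Python: it appends the uid, pwd and pin entries to .Attributes.Attribute and fills in the cert_request_type and cert_request inputs. The TEMPLATE and SAMPLE_CSR values are constructed stand-ins for the real profile template and CSR file (only the fields the jq steps touch are modelled); the helper names are this example's own. Unlike the jq commands, which place the password and PIN in command arguments where they are visible in shell history and process listings, the script reads both from the terminal, and it fails loudly if the template lacks an expected input rather than silently producing an incomplete request.

```python
import copy
import getpass
import json
import sys

# Constructed, minimal stand-in for the profile template returned by
# GET /ca/rest/certrequests/profiles/caDirPinUserCert. Assumption: the real
# template carries more fields; only the parts the jq steps modify are modelled.
TEMPLATE = {
    "ProfileID": "caDirPinUserCert",
    "Input": [
        {
            "id": "i1",
            "Attribute": [
                {"name": "cert_request_type", "Value": ""},
                {"name": "cert_request", "Value": ""},
            ],
        }
    ],
    "Attributes": {"Attribute": []},
}

# Constructed placeholder CSR (not a real request); a real run reads testuser.csr.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIC...placeholder...\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def add_auth_attribute(request, name, value):
    """Append {"name": name, "value": value} to .Attributes.Attribute,
    which is what the three jq steps for uid, pwd and pin do."""
    request["Attributes"]["Attribute"].append({"name": name, "value": value})
    return request


def set_input_value(request, name, value):
    """Set .Value on the Input attribute called `name`. The jq select() filter
    silently matches nothing if the name is absent; here that is an error."""
    for block in request["Input"]:
        for attr in block.get("Attribute", []):
            if attr.get("name") == name:
                attr["Value"] = value
                return request
    raise KeyError(f"profile template has no input attribute {name!r}")


def validate_csr(csr_pem):
    """Reject input that is clearly not a PEM PKCS#10 request before sending it."""
    if not csr_pem.lstrip().startswith("-----BEGIN CERTIFICATE REQUEST-----"):
        raise ValueError("CSR file does not start with a PEM CERTIFICATE REQUEST header")
    return csr_pem


def build_request(template, uid, pwd, pin, csr_pem):
    """Produce the final JSON body shown on the page without mutating the template."""
    req = copy.deepcopy(template)
    add_auth_attribute(req, "uid", uid)
    add_auth_attribute(req, "pwd", pwd)
    add_auth_attribute(req, "pin", pin)
    set_input_value(req, "cert_request_type", "pkcs10")
    set_input_value(req, "cert_request", validate_csr(csr_pem))
    return req


def auth_attributes(request):
    """Return .Attributes.Attribute as a name -> value dict, for inspection."""
    return {a["name"]: a["value"] for a in request["Attributes"]["Attribute"]}


def input_value(request, name):
    """Return .Value of the named Input attribute, or None if it is absent."""
    for block in request["Input"]:
        for attr in block.get("Attribute", []):
            if attr.get("name") == name:
                return attr.get("Value")
    return None


if __name__ == "__main__":
    # Usage: python build_request.py request.json testuser.csr testuser > filled.json
    # request.json is the template fetched with the curl GET above; the password
    # and PIN are read from the terminal so they never appear in argv or history.
    template_path, csr_path, uid = sys.argv[1:4]
    with open(template_path) as f:
        template = json.load(f)
    with open(csr_path) as f:
        csr = f.read()
    pwd = getpass.getpass("Password: ")
    pin = getpass.getpass("PIN: ")
    json.dump(build_request(template, uid, pwd, pin, csr), sys.stdout, indent=4)
```

The resulting file is submitted with the same curl POST shown below; the script only replaces the jq/sponge editing steps.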

Then submit the request with the following command:

$ curl \
    -k \
    -s \
    -X POST \
    -d @request.json \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests | python -m json.tool
{
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            ...,
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            ...,
            "certRequestType": "pkcs10",
            "operationResult": "success",
            ...
        }
    ]
}

The certificate will be issued immediately and can be retrieved using pki ca-cert-export.

Retrieving Certificate

Once issued, the certificate can be retrieved with the following command:

$ pki ca-cert-export <certificate ID> --output-file testuser.crt

If necessary, the certificate can be imported into an NSS database with the following command:

$ pki nss-cert-import testuser --cert testuser.crt
