
Certificate Enrollment with PIN Authenticated Profile

Endi S. Dewata edited this page Sep 25, 2024 · 18 revisions

Overview

This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert).

Availability: Since PKI 11.6.

Prerequisites

  • Configure PIN-authenticated profile.

  • Generate a certificate request and store it in a file (e.g. testuser.csr).

Enrollment using pki ca-cert-issue

The enrollment can be done using the pki ca-cert-issue command.

Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

$ pki ca-cert-issue \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin \
    --output-file testuser.crt
Password: ********
PIN: ********

The password and PIN can also be specified with the --password-file and --pin-file options.

The certificate will be issued immediately and stored in testuser.crt.

Availability: Since PKI 11.6.

Enrollment using pki ca-cert-request-submit

The enrollment can be done using the pki ca-cert-request-submit command.

Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

$ pki ca-cert-request-submit \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin
Password: ********
PIN: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x784127bb5291d998224a9426aea15c2b

The password and PIN can also be specified with the --password-file and --pin-file options.

The certificate will be issued immediately and can be retrieved using pki ca-cert-export.

Enrollment using JSON

The enrollment can also be done manually using JSON messages.

Retrieve the template for the JSON request for the profile with the following command:

$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | python -m json.tool > request.json

Insert the username of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
    request.json | sponge request.json

Insert the password of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
    request.json | sponge request.json

Insert the PIN of the LDAP user with the following command:

$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \
    request.json | sponge request.json

Set the request type with the following command:

$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
    request.json | sponge request.json

Set the CSR with the following command:

$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
    request.json | sponge request.json

The final JSON request should look like the following:

{
    ...,
    "Input": [
        {
            ...,
            "Attribute": [
                {
                    "name": "cert_request_type",
                    "Value": "pkcs10",
                    ...
                },
                {
                    "name": "cert_request",
                    "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
                    ...
                }
            ]
        }
    ],
    ...,
    "Attributes": {
        "Attribute": [
            {
                "name": "uid",
                "value": "testuser"
            },
            {
                "name": "pwd",
                "value": "Secret.123"
            },
            {
                "name": "pin",
                "value": "5yD9VI"
            }
        ]
    }
}

Then submit the request with the following command:

$ curl \
    -k \
    -s \
    -X POST \
    -d @request.json \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests | python -m json.tool
{
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            ...,
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            ...,
            "certRequestType": "pkcs10",
            "operationResult": "success",
            ...
        }
    ]
}

The certificate will be issued immediately and can be retrieved using pki ca-cert-export.
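The following script is an added example, not part of the Dogtag PKI project or of this page; it performs the same five edits as the jq/sponge pipeline above in Python, using only the JSON layout shown on this page (the "Input"/"Attribute" entries keyed by "name" with a "Value", and the "Attributes"/"Attribute" list of "name"/"value" pairs), and then checks a submission response for the "requestStatus" and "operationResult" fields shown in the curl output. The template, the CSR text and the response are constructed stand-ins, and the function names are the example's own. Two points the jq steps leave implicit: request.json carries the LDAP password and PIN in the clear, so the script creates it with mode 0600 and it should be deleted once the request has been submitted; and the -k option in the curl commands above disables verification of the CA server's certificate, which is acceptable for a test instance but should be replaced by --cacert pointing at the CA's own certificate anywhere else.

```python
"""Build and check a PIN-authenticated enrollment request (added example).

Mirrors the jq/sponge steps on this page: append uid/pwd/pin to
Attributes.Attribute, set cert_request_type and cert_request in Input, and
write the result with owner-only permissions. Not Dogtag PKI project code.
"""
import copy
import json
import os

# Constructed minimal template, shaped like what
# GET /ca/rest/certrequests/profiles/caDirPinUserCert returns (assumption).
TEMPLATE = {
    "ProfileID": "caDirPinUserCert",
    "Input": [
        {
            "id": "i1",
            "Attribute": [
                {"name": "cert_request_type", "Value": ""},
                {"name": "cert_request", "Value": ""},
            ],
        }
    ],
    "Attributes": {"Attribute": []},
}

# Constructed placeholder CSR body; not a real PKCS #10 request.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIC...placeholder...\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Constructed response using the IDs from this page's sample curl output.
SAMPLE_RESPONSE = {
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            "certRequestType": "pkcs10",
            "operationResult": "success",
        }
    ],
}


def add_auth_attribute(req, name, value):
    """Append one authentication attribute, like the jq
    '.Attributes.Attribute[length] |= . + {...}' step."""
    req["Attributes"]["Attribute"].append({"name": name, "value": value})
    return req


def set_input_value(req, name, value):
    """Set the Value of the named input attribute. Unlike the jq select(),
    a missing attribute (wrong profile template) raises instead of being
    silently skipped."""
    for inp in req["Input"]:
        for attr in inp["Attribute"]:
            if attr["name"] == name:
                attr["Value"] = value
                return req
    raise KeyError(f"profile template has no input attribute {name!r}")


def build_request(template, uid, pwd, pin, csr_pem):
    """Return a complete request document; the template is left untouched."""
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        raise ValueError("CSR is not a PEM-encoded PKCS #10 request")
    req = copy.deepcopy(template)
    add_auth_attribute(req, "uid", uid)
    add_auth_attribute(req, "pwd", pwd)
    add_auth_attribute(req, "pin", pin)
    set_input_value(req, "cert_request_type", "pkcs10")
    # Inserted verbatim, as jq --rawfile does.
    set_input_value(req, "cert_request", csr_pem)
    return req


def write_request(req, path):
    """Write the request readable only by its owner: it holds the LDAP
    password and PIN in the clear. Delete it after submission."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(req, f, indent=4)
    return path


def check_response(resp):
    """Return (requestID, certId) if the CA reports the request complete
    and successful; otherwise raise with the reported status so a pending
    or rejected request is never mistaken for an issued certificate."""
    entry = resp["entries"][0]
    status = entry.get("requestStatus")
    result = entry.get("operationResult")
    if status != "complete" or result != "success":
        raise RuntimeError(
            f"request {entry.get('requestID')} not issued: "
            f"status={status!r} result={result!r}"
        )
    return entry["requestID"], entry["certId"]


if __name__ == "__main__":
    request = build_request(TEMPLATE, "testuser", "Secret.123", "5yD9VI", SAMPLE_CSR)
    print(write_request(request, "request.json"))
    print(check_response(SAMPLE_RESPONSE))
```

Run it once to produce request.json, submit that file with the curl command above, and feed the JSON the CA returns to check_response before calling pki ca-cert-export with the certId it returns.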

Retrieving Certificate

Once issued, the certificate can be retrieved with the following command:

$ pki ca-cert-export <certificate ID> --output-file testuser.crt

If necessary, the certificate can be imported into the NSS database with the following command:

$ pki nss-cert-import testuser --cert testuser.crt
