Certificate Enrollment with PIN Authenticated Profile
This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert).
Availability: Since PKI 11.6.
The pki ca-cert-issue command can be used for certificate enrollment with PIN authentication.
Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

```
$ pki ca-cert-issue \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin \
    --output-file testuser.crt
Password: ********
PIN: ********
```
The password and PIN can also be specified with the --password-file and --pin-file options.

The certificate will be issued immediately and stored into testuser.crt.
Availability: Since PKI 11.6.

The pki ca-cert-request-submit command can be used for certificate enrollment with PIN authentication.
Specify the profile name, the CSR file, and the username in the following command; it will prompt for the password and the PIN:

```
$ pki ca-cert-request-submit \
    --profile caDirPinUserCert \
    --csr-file testuser.csr \
    --username testuser \
    --password \
    --pin
Password: ********
PIN: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x784127bb5291d998224a9426aea15c2b
```
The password and PIN can also be specified with the --password-file and --pin-file options.

The certificate will be issued immediately and can be retrieved using pki ca-cert-export.
The enrollment can also be done manually using the curl command.
Retrieve the template for the JSON request for the profile with the following command:
```
$ curl \
    -k \
    -s \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
    | python -m json.tool > request.json
```
Insert the username of the LDAP user with the following command:
```
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
    request.json | sponge request.json
```
Insert the password of the LDAP user with the following command:
```
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
    request.json | sponge request.json
```
Insert the PIN of the LDAP user with the following command:
```
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \
    request.json | sponge request.json
```
Insert the request type with the following command:
```
$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
    request.json | sponge request.json
```
Insert the CSR with the following command:
```
$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
    request.json | sponge request.json
```
The final JSON request should look like the following:
```
{
    ...,
    "Input": [
        {
            ...,
            "Attribute": [
                {
                    "name": "cert_request_type",
                    "Value": "pkcs10",
                    ...
                },
                {
                    "name": "cert_request",
                    "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
                    ...
                }
            ]
        }
    ],
    ...,
    "Attributes": {
        "Attribute": [
            {
                "name": "uid",
                "value": "testuser"
            },
            {
                "name": "pwd",
                "value": "Secret.123"
            },
            {
                "name": "pin",
                "value": "5yD9VI"
            }
        ]
    }
}
```
Then submit the request with the following command:
```
$ curl \
    -k \
    -s \
    -X POST \
    -d @request.json \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    https://$HOSTNAME:8443/ca/rest/certrequests | python -m json.tool
{
    "total": 1,
    "entries": [
        {
            "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
            "requestType": "enrollment",
            "requestStatus": "complete",
            ...,
            "certId": "0x784127bb5291d998224a9426aea15c2b",
            ...,
            "certRequestType": "pkcs10",
            "operationResult": "success",
            ...
        }
    ]
}
```
The certificate will be issued immediately and can be retrieved using pki ca-cert-export.
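The curl/jq steps above, reproduced in Python as an added example (not Dogtag's own code) so the shape of the request body is explicit: credentials are appended to the top-level Attributes list, while the CSR and its type fill the profile's Input entries. TEMPLATE is a constructed, abbreviated stand-in for the JSON returned by the profile endpoint; submit() and issued_cert_id() are hypothetical helpers built on urllib.

```python
import copy
import json
import urllib.request

# Constructed, abbreviated stand-in for the template returned by
# GET /ca/rest/certrequests/profiles/caDirPinUserCert (real output has more).
TEMPLATE = {
    "ProfileID": "caDirPinUserCert",
    "Input": [{"id": "i1", "Attribute": [
        {"name": "cert_request_type", "Value": ""},
        {"name": "cert_request", "Value": ""},
    ]}],
    "Attributes": {"Attribute": []},
}


def build_enrollment_request(template, username, password, pin, csr_pem):
    """Apply the page's jq edits: credentials go into top-level Attributes
    (lowercase "value"); the CSR and its type fill the profile's Input
    entries (capital-V "Value")."""
    req = copy.deepcopy(template)  # leave the fetched template untouched
    req["Attributes"]["Attribute"].extend([
        {"name": "uid", "value": username},
        {"name": "pwd", "value": password},
        {"name": "pin", "value": pin},
    ])
    for inp in req["Input"]:
        for attr in inp["Attribute"]:
            if attr["name"] == "cert_request_type":
                attr["Value"] = "pkcs10"
            elif attr["name"] == "cert_request":
                attr["Value"] = csr_pem
    return req

def submit(url, request, context=None):
    """POST to https://<host>:8443/ca/rest/certrequests (needs network);
    pass an ssl.SSLContext that trusts the CA rather than skipping checks."""
    http_req = urllib.request.Request(
        url, data=json.dumps(request).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(http_req, context=context) as resp:
        return json.load(resp)

def issued_cert_id(response):
    """certId from the submit response, or None unless the request both
    completed and succeeded (the page's reply shows both fields)."""
    entry = response["entries"][0]
    ok = entry.get("requestStatus") == "complete" and entry.get("operationResult") == "success"
    return entry.get("certId") if ok else None
```

The returned certId is what pki ca-cert-export takes as its certificate ID argument.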
Once issued, the certificate can be retrieved with the following command:
```
$ pki ca-cert-export <certificate ID> --output-file testuser.crt
```
If necessary, the certificate can be imported into the NSS database with the following command:

```
$ pki nss-cert-import testuser --cert testuser.crt
```