Certificate Key Archival

From Dogtag

Overview

This page describes the process to issue certificates with key archival.

Initializing Client

$ pki -c Secret.123 client-init
------------------
Client initialized
------------------

Submitting Certificate Request

Use a profile that performs key archival, e.g. caSigningUserCert. Prior to PKI 10.3, use the caDualCert profile.

Submitting certificate request with CRMFPopClient

First, find the serial number of the transport certificate:

$ pki ca-cert-find --name "DRM Transport Certificate"
---------------
1 entries found
---------------
  Serial Number: 0x7
  Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
  Not Valid After: Wed Oct 11 18:26:11 CEST 2017
  Issued On: Thu Oct 22 18:26:11 CEST 2015
  Issued By: caadmin
----------------------------
Number of entries returned 1
----------------------------

Use the serial number to download the transport certificate into a file:

$ pki ca-cert-show 0x7 --output transport.pem
-----------------
Certificate "0x7"
-----------------
  Serial Number: 0x7
  Issuer: CN=CA Signing Certificate,O=EXAMPLE
  Subject: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
  Not Before: Thu Oct 22 18:26:11 CEST 2015
  Not After: Wed Oct 11 18:26:11 CEST 2017

Then submit the certificate request with the following command:

$ CRMFPopClient -d ~/.dogtag/nssdb -p Secret.123 -n CN=testuser -f caSigningUserCert -b transport.pem \
-m $HOSTNAME:8080 -u testuser -r testuser
Submitting CRMF request to server.example.com:8080
Request ID: 10
Request Status: pending
Reason:

Submitting certificate request with pki client-cert-request

Submit a certificate request with the following command:

$ pki -c Secret.123 client-cert-request CN=testuser --profile caSigningUserCert --type crmf
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 10
  Type: enrollment
  Request Status: pending
  Operation Result: success

By default it will download the transport certificate from the CA. To use a different transport certificate stored in a file, specify --transport <filename>. Since PKI 10.5, the --transport parameter can also be used to specify a transport certificate already in the client NSS database.

See also: requesting a client certificate with a CRMF request.

Issuing Certificate

As a CA agent, approve the request:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review 10 --action approve
-------------------------------
Approved certificate request 10
-------------------------------
  Request ID: 10
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xa

Retrieving Archived Certificate Key

To find the archived certificate keys:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: UID=testuser
----------------------------
Number of entries returned 1
----------------------------
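The steps above (locate and download the transport certificate, submit a CRMF request, approve it as an agent, confirm the KRA holds the key) wrapped in a Python driver that runs the same pki commands and parses their plain-text output. This is an added example, not part of Dogtag: the password, NSS database path, nickname and subject are placeholders taken from the transcripts, the sample outputs are copied from this page so the parsers can be exercised offline, and the transport-certificate subject check is an addition. The client wraps the private key to whatever certificate is in transport.pem, so the script refuses to submit unless the certificate it downloaded is the expected DRM transport certificate.

```python
"""Drive the key-archival enrollment shown on this page from Python by running
the same pki commands and parsing their plain-text output.

Added example, not part of Dogtag. Passwords, NSS database paths, nicknames
and the subject are placeholders matching the transcripts above.
"""
import os
import re
import subprocess

# Sample outputs, constructed from the transcripts on this page, so the
# parsers below can be exercised without a CA or KRA.
SAMPLE_CERT_FIND = """\
---------------
1 entries found
---------------
  Serial Number: 0x7
  Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
"""
SAMPLE_CERT_SHOW = """\
  Serial Number: 0x7
  Issuer: CN=CA Signing Certificate,O=EXAMPLE
  Subject: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
"""
SAMPLE_SUBMIT = """\
  Request ID: 10
  Type: enrollment
  Request Status: pending
  Operation Result: success
"""
SAMPLE_APPROVE = """\
  Request ID: 10
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xa
"""
SAMPLE_KEY_FIND = """\
1 key(s) matched
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: UID=testuser
"""


def field(output, name):
    """Value of the first '  Name: value' line in pki output, or None."""
    m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), output, re.M)
    return m.group(1) if m else None


def entries_found(output):
    """Count from the '<n> entries found' / '<n> key(s) matched' banner."""
    m = re.search(r"^(\d+) (?:entries found|key\(s\) matched)$", output, re.M)
    return int(m.group(1)) if m else 0


def run(*args):
    """Run one pki command and return its stdout, failing on a non-zero
    exit or on an 'Operation Result' other than success."""
    out = subprocess.run(list(args), check=True, capture_output=True, text=True).stdout
    result = field(out, "Operation Result")
    if result not in (None, "success"):
        raise RuntimeError("pki reported %s: %s" % (result, " ".join(args)))
    return out


def enroll_with_archival(client_pw, agent_nssdb, agent_pw, agent_nick,
                         subject="CN=testuser", profile="caSigningUserCert",
                         transport_subject="CN=DRM Transport Certificate,O=EXAMPLE"):
    """Submit, approve and confirm archival of a certificate request."""
    # 1. Locate and download the DRM transport certificate.
    out = run("pki", "ca-cert-find", "--name", "DRM Transport Certificate")
    if entries_found(out) != 1:
        raise RuntimeError("expected exactly one DRM transport certificate")
    serial = field(out, "Serial Number")
    out = run("pki", "ca-cert-show", serial, "--output", "transport.pem")
    # The client wraps the private key to whatever certificate is in
    # transport.pem, so refuse to continue unless it is the expected one.
    if field(out, "Subject") != transport_subject:
        raise RuntimeError("unexpected transport certificate: %s" % field(out, "Subject"))
    # 2. Submit a CRMF request carrying the wrapped private key.
    out = run("pki", "-c", client_pw, "client-cert-request", subject,
              "--profile", profile, "--type", "crmf", "--transport", "transport.pem")
    request_id = field(out, "Request ID")
    # 3. Approve the request as a CA agent.
    agent = ["pki", "-d", agent_nssdb, "-c", agent_pw, "-n", agent_nick]
    out = run(*agent, "ca-cert-request-review", request_id, "--action", "approve")
    cert_id = field(out, "Certificate ID")
    # 4. Confirm the KRA now lists an archived key.
    out = run(*agent, "kra-key-find")
    if entries_found(out) < 1:
        raise RuntimeError("no archived key found in the KRA")
    return {"serial": serial, "request_id": request_id,
            "cert_id": cert_id, "key_id": field(out, "Key ID")}


if __name__ == "__main__":
    # Placeholder credentials and paths, matching the transcripts above.
    print(enroll_with_archival("Secret.123",
                               os.path.expanduser("~/.dogtag/pki-tomcat/ca/alias"),
                               "Secret.123", "caadmin"))
```

The parsers key on the "Name: value" lines and the "N entries found" / "N key(s) matched" banners exactly as pki prints them above, and `run` treats any "Operation Result" other than success as a failure so a rejected or errored request stops the workflow instead of being approved blindly.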

To retrieve the archived certificate key:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-retrieve --keyID 0x1
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: 1.2.840.113549.1.1.1
  Key Size: 1024
  Nonce data: E+qokj0gBLg=

  Actual archived data: MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM+Esi959EOvBqIg
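The "Actual archived data" printed by kra-key-retrieve is a base64 PKCS#8 PrivateKeyInfo, so the Key Algorithm and Key Size reported above it can be checked against the blob itself before the key is stored or imported anywhere. The following is an added example, not Dogtag code. It decodes only the DER header and the leading bytes of the RSA modulus, which is why the 64-character prefix quoted on this page (the rest is truncated there) is enough to run it; the same function accepts a complete retrieval. The algorithm OID for rsaEncryption and the 1024-bit size are the values the transcript reports.

```python
"""Check the PKCS#8 blob returned by kra-key-retrieve against the algorithm
and key size the command reports alongside it.

Added example, not part of Dogtag. ARCHIVED_PREFIX is the leading 64 base64
characters of the 'Actual archived data' shown on this page (truncated there);
the header and the start of the modulus are all this check needs.
"""
import base64

ARCHIVED_PREFIX = "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM+Esi959EOvBqIg"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # OID reported by kra-key-retrieve above


def _tlv(buf, pos, want):
    """Decode one DER tag/length at pos, check the tag, and return
    (length, offset of the value)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError("expected tag 0x%02x at %d, got 0x%02x" % (want, pos, tag))
    if first < 0x80:                      # short-form length
        return first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def _oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_pkcs8(b64):
    """Return (algorithm OID, modulus bits or None) from a PKCS#8
    PrivateKeyInfo, given the whole blob or a prefix holding its header."""
    der = base64.b64decode(b64)
    _, pos = _tlv(der, 0, 0x30)           # PrivateKeyInfo ::= SEQUENCE
    ln, pos = _tlv(der, pos, 0x02)        # version INTEGER
    pos += ln
    ln, pos = _tlv(der, pos, 0x30)        # privateKeyAlgorithm SEQUENCE
    alg_end = pos + ln
    ln, pos = _tlv(der, pos, 0x06)        # algorithm OBJECT IDENTIFIER
    oid = _oid(der[pos:pos + ln])
    pos = alg_end                         # skip parameters (NULL for RSA)
    _, pos = _tlv(der, pos, 0x04)         # privateKey OCTET STRING
    bits = None
    if oid == RSA_ENCRYPTION:
        _, pos = _tlv(der, pos, 0x30)     # RSAPrivateKey ::= SEQUENCE
        ln, pos = _tlv(der, pos, 0x02)    # version
        pos += ln
        ln, pos = _tlv(der, pos, 0x02)    # modulus INTEGER
        lead = der[pos:pos + 2]
        # A leading 0x00 is sign padding and does not count towards the size.
        body_len, top = (ln - 1, lead[1]) if lead[0] == 0 else (ln, lead[0])
        bits = (body_len - 1) * 8 + top.bit_length()
    return oid, bits


def check_retrieval(b64, reported_alg, reported_size):
    """True when the blob's algorithm and RSA modulus size match what
    kra-key-retrieve reported next to it."""
    oid, bits = inspect_pkcs8(b64)
    return oid == reported_alg and bits == reported_size


if __name__ == "__main__":
    print(inspect_pkcs8(ARCHIVED_PREFIX))           # ('1.2.840.113549.1.1.1', 1024)
    print(check_retrieval(ARCHIVED_PREFIX, RSA_ENCRYPTION, 1024))
```

A mismatch between the printed metadata and the decoded structure would mean the wrong record was retrieved or the output was altered in transit, and is worth stopping on before the key is written to disk or loaded into a token. Note also that what the transcript prints is the unencrypted private key, so the terminal and any logging around this command need the same handling as the key itself.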