1CMCSharedToken(1)    PKI CMC Shared Secret Generation Tool   CMCSharedToken(1)
2
3
4

NAME

6       CMCSharedToken  -  Used  to process a user passphrase and create shared
7       token to be stored by the CA to allow Shared Secret-based proof of ori‐
8       gin in cases such as CMC certificate issuance and revocation.
9
10

SYNOPSIS

12       CMCSharedToken [OPTIONS]
13
14

DESCRIPTION

16       The  Certificate  Management  over  Cryptographic  Message Syntax (CMC)
17       shared secret generation tool, CMCSharedToken, provides a  command-line
18       utility used to process a user passphrase to be shared with the CA.
19
20
21       It  takes  a  passphrase  provided  by  the  user,  encrypts it with an
22       issuance protection certificate, and outputs the encrypted  blob  which
23       could  be  stored  on  the  CA  for subsequent enrollment or revocation
24       activities by the user.
25
26
27       This tool can be run either by the user or by  the  administrator.   If
28       run  by  the user, the output (encrypted passphrase, i.e. shared token)
29       needs to be sent to the CA administrator to store on the CA; if run  by
30       the  CA  administrator, the passphrase itself needs to be passed to the
31       intended user.  It is outside of the scope of this  software  to  state
32       how  such  communication  takes  place.  It is up to the site policy to
33       decide which way best suits the deployment site.
34
35
36       For information on how the administrator would store the shared  tokens
37       on the CA, see Red Hat Certificate System Administrator's Guide.
38
39

OPTIONS

41       The following are supported options.
42
43
44       -d database
45           Path of directory to the NSS database. This option is required.
46
47
48       -h token
49           Security token name (default: internal)
50
51
52       -p password
53           Security token password.
54
55
56       -s passphrase
57           CMC  enrollment passphrase (shared secret) (put in "" if containing
58       spaces)
59
60
61       -b issuance-protection-cert
62           PEM issuance protection certificate. Note: only one of the -b or -n
63       options should be used.
64
65
66       -n issuance-protection-cert-nickname
67           PEM issuance protection certificate on token. Note: only one of the
68       -b or -n options should be used.
69
70
71       -v
72           Run in verbose mode.
73
74

EXAMPLE

76              $ CMCSharedToken -d . -p myNSSPassword \
77                  -s "just another good day" -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat"
78
79
80

SEE ALSO

82       CMCRequest(1)
83
84

AUTHORS

86       Christina Fu <cfu@redhat.com>.
87
88
90       Copyright (c) 2018 Red Hat, Inc.  This is licensed under the  GNU  Gen‐
91       eral  Public  License,  version  2  (GPLv2).  A copy of this license is
92       available at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.
93
94
95
96PKI                             March 14, 2018               CMCSharedToken(1)
Impressum