1CMCSharedToken(1) PKI CMC Shared Secret Generation Tool CMCSharedToken(1)
2
3
4
6 CMCSharedToken - Used to process a user passphrase and create shared
7 token to be stored by the CA to allow Shared Secret-based proof of ori‐
8 gin in cases such as CMC certificate issuance and revocation.
9
10
12 CMCSharedToken [OPTIONS]
13
14
16 The Certificate Management over Cryptographic Message Syntax (CMC)
17 shared secret generation tool, CMCSharedToken, provides a command-line
18 utility used to process a user passphrase to be shared with the CA.
19
20
21 It takes a passphrase provided by the user, encrypts it with an
22 issuance protection certificate, and outputs the encrypted blob which
23 could be stored on the CA for subsequent enrollment or revocation
24 activities by the user.
25
26
27 This tool can be run either by the user or by the administrator. If
28 run by the user, the output (encrypted passphrase, i.e. shared token)
29 needs to be sent to the CA administrator to store on the CA; if run by
30 the CA administrator, the passphrase itself needs to be passed to the
31 intended user. It is outside of the scope of this software to state
32 how such communication takes place. It is up to the site policy to
33 decide which way best suits the deployment site.
34
35
36 For information on how the administrator would store the shared tokens
37 on the CA, see Red Hat Certificate System Administrator's Guide.
38
39
41 The following are supported options.
42
43
44 -d database
45 Path of directory to the NSS database. This option is required.
46
47
48 -h token
49 Security token name (default: internal)
50
51
52 -p password
53 Security token password.
54
55
56 -s passphrase
57 CMC enrollment passphrase (shared secret) (put in "" if containing
58 spaces)
59
60
61 -b issuance-protection-cert
62 PEM issuance protection certificate. Note: only one of the -b or -n
63 options should be used.
64
65
66 -n issuance-protection-cert-nickname
67 PEM issuance protection certificate on token. Note: only one of the
68 -b or -n options should be used.
69
70
71 -v
72 Run in verbose mode.
73
74
76 $ CMCSharedToken -d . -p myNSSPassword \
77 -s "just another good day" -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat"
78
79
80
82 CMCRequest(1)
83
84
86 Christina Fu <cfu@redhat.com>.
87
88
90 Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU Gen‐
91 eral Public License, version 2 (GPLv2). A copy of this license is
92 available at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.
93
94
95
96PKI March 14, 2018 CMCSharedToken(1)