CMCEnroll(1)                 PKI CMC Enrollment Tool                 CMCEnroll(1)

CMCEnroll - Used to sign a certificate request with an agent's certificate.

Note: This tool has not yet been updated to work with the latest
improvement in the CA to conform to RFC 5272. Please use CMCRequest
instead.

CMCEnroll -d NSS-database -n certificate-nickname -r certificate-request-file -p NSS-database-passwd

The Certificate Management over Cryptographic Message Syntax (CMC)
Enrollment utility, CMCEnroll, provides a command-line utility used to
sign a certificate request with an agent's certificate. This can be
used in conjunction with the CA end-entity CMC Enrollment form to sign
and enroll certificates for users.

CMCEnroll takes a standard PKCS #10 certificate request and signs it
with an agent certificate. The output is also a certificate request
which can be submitted through the appropriate profile.

The following parameters are mandatory:

Note: Surround values that include spaces with quotation marks.

-d NSS-database
    The directory containing the NSS database associated with the agent
    certificate. This is usually the agent's personal directory, such as
    their browser certificate database in the home directory.

-n certificate-nickname
    The nickname of the agent certificate that is used to sign the
    request.

-r certificate-request-file
    The filename of the certificate request.

-p NSS-database-passwd
    The password to the NSS certificate database which contains the
    agent certificate, given in -d NSS-database.

Signed requests must be submitted to the CA to be processed.

Note: For this example to work automatically, the CMCAuth plug-in must
be enabled on the CA server (which it is by default).

(1) Create a PKCS #10 certificate request using a tool like certutil:

    $ cd $HOME/.mozilla/firefox/<profile>

    $ certutil -L -d .
    Certificate Nickname                                  Trust Attributes
                                                          SSL,S/MIME,JAR/XPI

    Google Internet Authority G2                          ,,
    COMODO RSA Domain Validation Secure Server CA         ,,
    pki.example.com                                       ,,
    DigiCert SHA2 Secure Server CA                        ,,
    DigiCert SHA2 Extended Validation Server CA           ,,
    COMODO RSA Extended Validation Secure Server CA 2     ,,
    Symantec Class 3 Secure Server CA - G4                ,,
    Go Daddy Secure Certificate Authority - G2            ,,
    Oracle SSL CA - G2                                    ,,
    GeoTrust EV SSL CA - G4                               ,,
    Symantec Class 3 Secure Server SHA256 SSL CA          ,,
    GeoTrust SSL CA - G3                                  ,,
    PKI Administrator for example.com                     u,u,u
    DigiCert SHA2 High Assurance Server CA                ,,
    COMODO RSA Organization Validation Secure Server CA   ,,
    CA Signing Certificate - example.com Security Domain  CT,C,C

    $ certutil -R -d . -s "CN=CMCEnroll Test Certificate" -a

    A random seed must be generated that will be used in the
    creation of your key. One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.

    To begin, type keys on the keyboard until this progress meter
    is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

    Continue typing until the progress meter is full:

    |************************************************************|

    Finished. Press enter to continue:

    Generating key. This may take a few moments...

    Certificate request generated by Netscape certutil
    Phone: (not specified)

    Common Name: CMCEnroll Test Certificate
    Email: (not specified)
    Organization: (not specified)
    State: (not specified)
    Country: (not specified)

    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

(2) Copy the PKCS #10 ASCII output to a text file.

    $ vi cert.req
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

(3) Run the CMCEnroll command to sign the certificate request. If the
input file is "$HOME/.mozilla/firefox/<profile>/cert.req", the
agent's certificate is stored in the "$HOME/.mozilla/firefox/<profile>"
directory, the certificate common name for this CA is "PKI
Administrator for example.com", and the password for the certificate
database is "Secret.123", the command is as follows:

    $ CMCEnroll -d "$HOME/.mozilla/firefox/<profile>" \
          -n "PKI Administrator for example.com" \
          -r "$HOME/.mozilla/firefox/<profile>/cert.req" \
          -p "Secret.123"
    cert/key prefix =
    path = <home>/.mozilla/firefox/<profile>
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

The output of this command is stored in a file with the same filename
as the request with a .out appended to the filename (e.g.
cert.req.out):

    $ cat cert.req.out
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

(4) Submit the signed certificate request through the CA end-entities
page:

    (a) Open the end-entities page.

    (b) Select the "Signed CMC-Authenticated User Certificate Enrollment"
        profile.

    (c) Paste the content of the output file into the first text area of
        this form.

    (d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the
        "-----END CERTIFICATE REQUEST-----" footer from the pasted content.

    (e) Fill in the contact information, and submit the form.

(5) The certificate is immediately processed and returned since a
signed request was sent and the CMCAuth plug-in was enabled:

    Congratulations, your request has been processed successfully

    Your request ID is 7.

    Outputs

    * Certificate Pretty Print

    Certificate:
        Data:
            Version: v3
            Serial Number: 0x7
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity:
                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
                Not After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
            Subject: CN=CMCEnroll Test Certificate
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
                        8A:EB:BA:B5
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Access Description:
                        Method #0: ocsp
                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key Encipherment
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no
                    Extended Key Usage:
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature:
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature:
        FingerPrint
            MD2:
                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
            MD5:
                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
            SHA-1:
                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
                5C:A9:71:27
            SHA-256:
                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
            SHA-512:
                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49

    * Certificate Base-64 Encoded

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    * Certificate Imports
    ----------------------
    | Import Certificate |
    ----------------------

(6) Use the agent page to search for the new certificate:

    Certificate 0x07

    Certificate contents

    Certificate:
        Data:
            Version: v3
            Serial Number: 0x7
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity:
                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
                Not After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
            Subject: CN=CMCEnroll Test Certificate
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
            Extensions:
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no
                    Key Identifier:
                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
                        8A:EB:BA:B5
                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
                    Critical: no
                    Access Description:
                        Method #0: ocsp
                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes
                    Key Usage:
                        Digital Signature
                        Non Repudiation
                        Key Encipherment
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no
                    Extended Key Usage:
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature:
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature:
        FingerPrint
            MD2:
                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
            MD5:
                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
            SHA-1:
                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
                5C:A9:71:27
            SHA-256:
                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
            SHA-512:
                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49

    Certificate request info

    Request ID: 7

    Installing this certificate in a server

    The following format can be used to install this certificate into a server.

    Base 64 encoded certificate

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    Base 64 encoded certificate with CA certificate chain in pkcs7 format

    -----BEGIN PKCS7-----
    -----END PKCS7-----

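Both cert.req and cert.req.out carry the same "CERTIFICATE REQUEST" PEM label, although the first is a PKCS #10 request and the second is a CMS SignedData wrapping CMC PKIData. The following added example (not part of the CMCEnroll distribution) strips the header and footer as in step (4)(d) and tells the two apart by DER structure; the function names and the constructed sample skeletons are assumptions made for illustration.

```python
import base64
import re

# DER content bytes of the two OIDs that identify a signed CMC full request.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_CCT_PKIDATA = bytes.fromhex("2b06010505070c02")    # 1.3.6.1.5.5.7.12.2
HEAD = "-----BEGIN CERTIFICATE REQUEST-----"
FOOT = "-----END CERTIFICATE REQUEST-----"
PEM_RE = re.compile(re.escape(HEAD) + r"(.*?)" + re.escape(FOOT), re.S)


def form_body(pem_text):
    """Step (4)(d): return the base64 body without header and footer."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # rejects stray characters
    return body


def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def classify(pem_text):
    """Tell a plain PKCS #10 from a signed CMC request by DER structure."""
    tag, outer, _ = read_tlv(base64.b64decode(form_body(pem_text)))
    if tag != 0x30:
        return "unknown"
    tag, first, nxt = read_tlv(outer)
    if tag == 0x30:  # CertificationRequest opens with CertificationRequestInfo
        return "pkcs10"
    if tag != 0x06 or first != OID_SIGNED_DATA:
        return "unknown"
    _, wrapped, _ = read_tlv(outer, nxt)        # [0] EXPLICIT content
    _, signed_data, _ = read_tlv(wrapped)       # SignedData SEQUENCE
    _, _, pos = read_tlv(signed_data)           # version
    _, _, pos = read_tlv(signed_data, pos)      # digestAlgorithms
    _, encap, _ = read_tlv(signed_data, pos)    # encapContentInfo
    tag, content_type, _ = read_tlv(encap)
    is_cmc = tag == 0x06 and content_type == OID_CCT_PKIDATA
    return "cmc-signed" if is_cmc else "cms-other"


def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])  # samples are < 256 bytes
    return bytes([tag]) + size + value


def armor(der):
    """Wrap DER bytes in the PEM label that certutil and CMCEnroll both emit."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([HEAD, *(b64[i:i + 64] for i in range(0, len(b64), 64)), FOOT])


# Constructed skeletons (empty fields, no real keys or signatures).
_reqinfo = tlv(0x30, tlv(0x02, b"\x00"))
SAMPLE_PKCS10 = armor(tlv(0x30, _reqinfo + tlv(0x30, b"") + tlv(0x03, b"\x00")))
_pkidata = tlv(0x30, tlv(0x06, OID_CCT_PKIDATA) + tlv(0xA0, tlv(0x04, b"")))
_signed = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, b"") + _pkidata)
SAMPLE_CMC = armor(tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, _signed)))
```

Running classify() on the real cert.req and cert.req.out before pasting into the enrollment form confirms that the signed file, not the original request, is the one being submitted.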

CMCRequest(1), CMCResponse(1), CMCRevoke(1), pki(1)

Matthew Harmsen <mharmsen@redhat.com>.

Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General
Public License, version 2 (GPLv2). A copy of this license is
available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                           July 20, 2016                           CMCEnroll(1)