CMCSharedToken(1)    PKI CMC Shared Secret Generation Tool   CMCSharedToken(1)

NAME

       CMCSharedToken - Used to process a user passphrase and create a shared
       token to be stored by the CA to allow Shared Secret-based proof of
       origin in cases such as CMC certificate issuance and revocation.

SYNOPSIS

       CMCSharedToken [OPTIONS]

DESCRIPTION

       The Certificate Management over Cryptographic Message Syntax (CMC)
       shared secret generation tool, CMCSharedToken, provides a command-line
       utility used to process a user passphrase to be shared with the CA.

       It takes a passphrase provided by the user, encrypts it with an
       issuance protection certificate, and outputs the encrypted blob, which
       could be stored on the CA for subsequent enrollment or revocation
       activities by the user.

       This tool can be run either by the user or by the administrator. If
       run by the user, the output (encrypted passphrase, i.e. shared token)
       needs to be sent to the CA administrator to store on the CA; if run by
       the CA administrator, the passphrase itself needs to be passed to the
       intended user. It is outside of the scope of this software to state
       how such communication takes place. It is up to the site policy to
       decide which way best suits the deployment site.

       For information on how the administrator would store the shared tokens
       on the CA, see the Red Hat Certificate System Administrator's Guide.

OPTIONS

       The following options are supported.

       -d database
           Path to the NSS database directory. This option is required.

       -h token
           Security token name (default: internal).

       -p password
           Security token password.

       -s passphrase
           CMC enrollment passphrase (shared secret). Enclose it in double
           quotes ("") if it contains spaces.

       -b issuance-protection-cert
           PEM issuance protection certificate. Note: only one of the -b or
           -n options should be used.

       -n issuance-protection-cert-nickname
           PEM issuance protection certificate on token. Note: only one of
           the -b or -n options should be used.

       -v
           Run in verbose mode.

EXAMPLE

       $ CMCSharedToken -d . -p myNSSPassword \
           -s "just another good day" -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat"
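
       The wrapper below is an added example, not part of the PKI tools or of
       the original page. It enforces the OPTIONS constraints (-d required,
       only one of -b or -n) and prompts for the two secrets instead of typing
       them on the command line as in the example above. The function names
       cmc_check_args and cmc_make_token are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the PKI tools. Function and variable names are
# hypothetical; only the CMCSharedToken options shown on this page are used.

# Check the constraints from OPTIONS before anything secret is typed:
# -d is required, and exactly one of -b (PEM file) or -n (nickname) is chosen.
# Usage: cmc_check_args <nss-db-dir> <pem-file-or-empty> <nickname-or-empty>
cmc_check_args() {
    db=$1; pem=$2; nick=$3
    if [ -z "$db" ] || [ ! -d "$db" ]; then
        echo "NSS database directory is required (-d)" >&2; return 2
    fi
    if [ -n "$pem" ] && [ -n "$nick" ]; then
        echo "use only one of -b or -n" >&2; return 3
    fi
    if [ -z "$pem" ] && [ -z "$nick" ]; then
        echo "no issuance protection certificate given (-b or -n)" >&2; return 3
    fi
    if [ -n "$pem" ] && ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null; then
        echo "$pem does not contain a PEM certificate" >&2; return 4
    fi
    return 0
}

# Prompt for both secrets with echo off so they stay out of shell history and
# scripts, then run the tool. They are still passed as -p/-s arguments, so they
# appear in the process list while the tool runs.
# Usage: cmc_make_token <nss-db-dir> <pem-file-or-empty> <nickname-or-empty> <out-file>
cmc_make_token() {
    out=$4
    cmc_check_args "$1" "$2" "$3" || return $?   # also sets db, pem and nick
    stty -echo 2>/dev/null
    printf 'NSS token password: ' >&2; IFS= read -r nss_pw
    printf '\nCMC passphrase: ' >&2; IFS= read -r phrase
    stty echo 2>/dev/null; printf '\n' >&2
    if [ -n "$pem" ]; then set -- -b "$pem"; else set -- -n "$nick"; fi
    # umask 077 keeps the output file readable by the invoking user only.
    ( umask 077; CMCSharedToken -d "$db" -p "$nss_pw" -s "$phrase" -o "$out" "$@" )
    rc=$?
    unset nss_pw phrase
    return "$rc"
}

# e.g. cmc_make_token . "" "subsystemCert cert-pki-tomcat" cmcSharedTok2.b64
```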

SEE ALSO

       CMCRequest(1)

AUTHORS

       Christina Fu <cfu@redhat.com>.

       Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU
       General Public License, version 2 (GPLv2). A copy of this license is
       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                             March 14, 2018               CMCSharedToken(1)