Skip to content

Generating CMC Shared Token for Certificate Enrollment

Endi S. Dewata edited this page Mar 27, 2024 · 3 revisions

Overview

This page describes the process to generate a CMC shared token for issuing a user certificate.

It assumes that:

  • Issuance protection certificate has been created.

Generating CMC Shared Token

To generate a CMC shared token:

$ CMCSharedToken \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -p Secret.123 \
    -n ca_issuance_protection \
    -s <token> \
    -o testuser.b64

The token will be encrypted with issuance protection’s public key and stored into testuser.b64 in Base64 format. To convert the value into a single line:

$ SHARED_TOKEN=$(sed -e :a -e 'N;s/\r\n//;ba' testuser.b64)

Assigning CMC Shared Token to User

To assign the CMC shared token to a user, add the extensibleObject object class and store the token in the shrTok attribute of the user record in LDAP:

$ ldapmodify \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    << EOF
dn: uid=testuser,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: shrTok
shrTok: $SHARED_TOKEN
-
EOF

See Also

Clone this wiki locally