
Generating CMC Shared Token for Certificate Revocation

Endi S. Dewata edited this page Mar 27, 2024 · 3 revisions

Overview

This page describes the process of generating a CMC shared token for revoking a certificate.

It assumes that:

  • An issuance protection certificate has been created.

Generating CMC Shared Token

To generate a CMC shared token:

$ CMCSharedToken \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -p Secret.123 \
    -n ca_issuance_protection \
    -s <token> \
    -o testuser.b64

The token will be encrypted with the issuance protection certificate’s public key and stored in testuser.b64 in Base64 format. To convert the value into a single line:

$ SHARED_TOKEN=$(sed -e :a -e 'N;s/\r\n//;ba' testuser.b64)

Assigning CMC Shared Token to Certificate

To assign the CMC shared token to a certificate, store the token as the revShrTok property in the metaInfo attribute of the certificate’s record in LDAP:

$ ldapmodify \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    << EOF
dn: cn=<decimal serial number>,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: metaInfo
metaInfo: revShrTok:$SHARED_TOKEN
EOF
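The last two steps above (collapsing the Base64 file to one line and writing it into the certificate record) can be wrapped in a small script that validates its inputs before anything reaches the directory. The following is an added example, not code from the Dogtag PKI wiki or project; it assumes the token file is the Base64 output of CMCSharedToken (wrapped, with CRLF or LF line endings), that the serial passed in is the certificate's decimal serial number, and that the repository DN is the one shown on this page. The sample token file it writes is a constructed placeholder, not a real encrypted token.

```shell
#!/bin/bash
# Added example, not part of the Dogtag PKI wiki page: prepare the LDIF that stores a
# CMC shared token under "metaInfo: revShrTok:" on a certificate record, with the
# checks a practitioner would want before running ldapmodify against the CA's LDAP.
# Assumptions: the token file is the Base64 output of CMCSharedToken (possibly wrapped
# with CRLF or LF line endings); the serial is the certificate's decimal serial number;
# the repository DN matches the one on the page.

set -eu

CERT_REPO_BASE="ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com"

# Collapse a wrapped Base64 file into one line. Same effect as the sed one-liner on
# the page, but it also handles plain LF endings and a missing trailing newline.
join_token() {
    tr -d '\r\n' < "$1"
}

# Reject an empty or malformed token before it lands in LDAP: it must decode as Base64.
check_token() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | base64 -d > /dev/null 2>&1
}

# Emit the ldapmodify input. The cn is the decimal serial, so a hex value such as
# 0x1a (the form CA tooling commonly prints) is refused rather than silently
# producing a DN that matches no record.
build_revshrtok_ldif() {
    local serial="$1" token_file="$2" token
    case "$serial" in
        ''|*[!0-9]*) echo "serial must be the decimal serial number, got '$serial'" >&2; return 1 ;;
    esac
    token="$(join_token "$token_file")"
    check_token "$token" || { echo "$token_file is not valid Base64" >&2; return 1; }
    printf 'dn: cn=%s,%s\n' "$serial" "$CERT_REPO_BASE"
    printf 'changetype: modify\nadd: metaInfo\nmetaInfo: revShrTok:%s\n' "$token"
}

# Constructed sample token file: Base64 of a placeholder string, wrapped at 64
# columns with CRLF endings. It is NOT a real encrypted token.
SAMPLE_PLAINTEXT="constructed placeholder standing in for an encrypted CMC shared token (not real)"
write_sample_token() {
    printf '%s' "$SAMPLE_PLAINTEXT" | base64 -w 64 | sed 's/$/\r/' > "$1"
}

# Demo run: build the LDIF for serial 12345 (a made-up value) from the sample file.
# In real use, pipe the output to ldapmodify as on the page, for example:
#   build_revshrtok_ldif 12345 testuser.b64 | ldapmodify -H ldap://ds.example.com:3389 \
#       -x -D "cn=Directory Manager" -y /path/to/dm-password-file
demo() {
    local tmp
    tmp="$(mktemp)"
    write_sample_token "$tmp"
    build_revshrtok_ldif 12345 "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `bash script.sh demo` to see the generated LDIF. When piping into ldapmodify, `-y passwordfile` or `-W` keeps the Directory Manager password out of the process list, which `-w Secret.123` on the command line does not.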

See Also
