Issuing CA Signing Certificate with PKI CA

Endi S. Dewata edited this page Dec 4, 2020 · 4 revisions

PKI 10.3 or Newer

If the PKI server being installed is version 10.3 or newer, the CA certificate request can be submitted to an external PKI CA with the following command:

$ pki -U http://ca.external.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr

The external PKI CA admin can approve the request by executing the following command on the external PKI CA, using the request ID reported by the submit command (28 in this example):

$ pki -c Secret.123 -n "PKI Administrator external.com" ca-cert-request-review 28 --action approve

The newly signed CA certificate (serial number 0x1c in this example) and the external CA certificate (serial number 0x1) can be downloaded to the installing server with the following commands:

$ pki -U http://ca.external.com:8080 ca-cert-show 0x1c --output /tmp/ca_signing.crt
$ pki -U http://ca.external.com:8080 ca-cert-show 0x1 --output /tmp/external.crt

PKI 10.2 or Older

If the PKI server being installed is version 10.2.x or older, download the request template from an external PKI CA with the following command:

$ pki -U http://ca.external.com:8080 ca-cert-request-profile-show caCACert --output caCACert.xml

Insert the CSR generated on the installing server (/tmp/ca_signing.csr) into the cert_request attribute of the downloaded request template, leaving cert_request_type set to pkcs10:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    ...
    <Input id="i1">
        ...
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            ...
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
            </Value>
            ...
        </Attribute>
    </Input>
    ...
</CertEnrollmentRequest>
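Editing the template by hand is error-prone (a truncated CSR or a leftover crmf request type is only rejected after the CA admin has already had to look at the request). The following Python script is an added example, not part of the Dogtag wiki or the pki CLI; it assumes only the template shape shown above (an Input element holding cert_request_type and cert_request attributes, each with a Value child), and the template and CSR it embeds are constructed stand-ins for caCACert.xml and /tmp/ca_signing.csr rather than real files:

```python
"""Insert a PKCS#10 CSR into a Dogtag CertEnrollmentRequest template.

Added example, not Dogtag project code. It assumes the template layout
shown on the wiki page; SAMPLE_TEMPLATE and SAMPLE_CSR are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed template with the same shape as the page's caCACert.xml; the
# real file downloaded with `pki ca-cert-request-profile-show` has more elements.
SAMPLE_TEMPLATE = XML_DECL + """<CertEnrollmentRequest>
    <Input id="i1">
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
        </Attribute>
        <Attribute name="cert_request">
            <Value></Value>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
"""

# Constructed stand-in for /tmp/ca_signing.csr: valid PEM armour around a
# base64 body that is NOT a real PKCS#10 request.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(b"constructed placeholder body, not a real CSR").decode()
    + "\n-----END CERTIFICATE REQUEST-----\n"
)

# Accept both the "CERTIFICATE REQUEST" and older "NEW CERTIFICATE REQUEST" labels.
_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(?P<body>.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def validate_csr_pem(pem: str) -> str:
    """Check the PEM armour and base64 body; return a normalised PEM block.

    Rejecting a truncated, wrongly typed or non-base64 file here means the CA
    admin never has to review (and reject) a request that could not be valid.
    """
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM-armoured PKCS#10 certificate request")
    body = "".join(m.group("body").split())  # drop line breaks and indentation
    if not body:
        raise ValueError("empty CSR body")
    try:
        base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("CSR body is not valid base64") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----")


def _attribute_value(root: ET.Element, name: str) -> ET.Element:
    """Locate <Input>/<Attribute name=...>/<Value> in the template."""
    value = root.find(f"./Input/Attribute[@name='{name}']/Value")
    if value is None:
        raise ValueError(f"template has no Attribute name={name!r} with a Value")
    return value


def insert_csr(template_xml: str, csr_pem: str) -> str:
    """Return the template XML with the validated CSR placed in cert_request."""
    root = ET.fromstring(template_xml)
    req_type = (_attribute_value(root, "cert_request_type").text or "").strip()
    if req_type != "pkcs10":
        raise ValueError(f"template expects request type {req_type!r}, not pkcs10")
    _attribute_value(root, "cert_request").text = validate_csr_pem(csr_pem)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def extract_csr(request_xml: str) -> str:
    """Read the CSR back out of a filled-in request (used to double-check the file)."""
    root = ET.fromstring(request_xml)
    return (_attribute_value(root, "cert_request").text or "").strip()


if __name__ == "__main__":
    # Write the result to caCACert.xml and submit it with
    # `pki -U http://ca.external.com:8080 ca-cert-request-submit caCACert.xml`.
    print(insert_csr(SAMPLE_TEMPLATE, SAMPLE_CSR))
```

With real inputs, read caCACert.xml and /tmp/ca_signing.csr from disk, pass them to insert_csr, and write the returned string back to caCACert.xml before running the submit command. The request type check matters because the caCACert template could have been downloaded or edited with a crmf request type, and a pkcs10 CSR submitted under that type is rejected by the CA only after the request has been created.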

Submit the request to the external CA with the following command:

$ pki -U http://ca.external.com:8080 ca-cert-request-submit caCACert.xml

The external PKI CA admin can approve the request by executing the following command on the external PKI CA, using the request ID reported by the submit command (28 in this example):

$ pki -c Secret.123 -n "PKI Administrator external.com" ca-cert-request-review 28 --action approve

The newly signed CA certificate (serial number 0x1c in this example) and the external CA certificate (serial number 0x1) can be downloaded to the installing server with the following commands:

$ pki -U http://ca.external.com:8080 ca-cert-show 0x1c --output /tmp/ca_signing.crt
$ pki -U http://ca.external.com:8080 ca-cert-show 0x1 --output /tmp/external.crt
