Skip to content

Submitting Certificate Request with Key Archival

Endi S. Dewata edited this page Feb 13, 2024 · 11 revisions

Overview

This page describes the process to generate a certificate request and submit it with key archival.

There are several ways to generate and submit the request:

  • using CRMFPopClient

  • using pki client-cert-request

The following certificate profiles support key archival:

  • caECUserCert

  • caDualCert

  • caSigningUserCert

Submitting Certificate Request with CRMFPopClient

First, obtain KRA transport certificate (see Getting KRA Transport Certificate).

Then submit the certificate request with the following command:

$ CRMFPopClient \
    -d ~/.dogtag/nssdb \
    -p "" \
    -m pki.example.com:8080 \
    -f caDualCert \
    -n UID=testuser \
    -u testuser \
    -b kra_transport.crt
Submitting CRMF request to pki.example.com:8080
Request ID: 10
Request Status: pending
Reason:

Submitting Certificate Request with PKI CLI

Submit a certificate request with the following command:

$ pki client-cert-request UID=testuser \
    --profile caDualCert \
    --type crmf
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 10
  Type: enrollment
  Request Status: pending
  Operation Result: success

By default it will download the transport certificate from the CA. To use a transport certificate stored in a local file, specify --transport <filename>. Either way, the transport certificate will be imported into the client’s NSS database.

Clone this wiki locally