-
Notifications
You must be signed in to change notification settings - Fork 137
Certificate Enrollment with Directory Authenticated Profile
This page describes the process to enroll a certificate using a directory-authenticated profile (e.g. caDirUserCert).
-
Set up users in LDAP.
-
Configure a profile to authenticate against users in LDAP.
The enrollment can be done using pki ca-cert-issue command.
First, generate a certificate request and store it into a file (e.g. testuser.csr).
Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password:
$ pki ca-cert-issue \
--profile caDirUserCert \
--csr-file testuser.csr \
--username testuser \
--password \
--output-file testuser.crt
Password: ********
The password can also be specified with a --password-file option.
The certificate will be stored into testuser.crt.
Availability: Since PKI 11.6
The pki client-cert-request command can be used to generate a key in NSS database (default: ~/.dogtag/nssdb), create a certificate request, then submit it to the CA.
To enroll a certificate for a user in LDAP, specify the username (e.g. testuser) in the following command, and it will prompt for the LDAP password:
$ pki client-cert-request \
--profile caDirUserCert \
--username testuser \
--password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 16
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x784127bb5291d998224a9426aea15c2b
The certificate can be retrieved with the following command:
$ pki ca-cert-export <cert ID> --output-file testuser.crt
The enrollment can also be done manually using XML messages.
First, generate a certificate request and store it into a file (e.g. testuser.csr).
Then retrieve the template for the XML request for the profile with the following command:
$ curl \
-k \
-s \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirUserCert \
| xmllint --format - \
> request.xml
Insert the username of the LDAP user with the following command:
$ xmlstarlet edit --inplace \
-s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "testuser" \
-i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "uid" \
request.xml
Insert the password of the LDAP user with the following command:
$ xmlstarlet edit --inplace \
-s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "Secret.123" \
-i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pwd" \
request.xml
Insert the request type with the following command:
$ xmlstarlet edit --inplace \
-u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request_type']/Value" \
-v "pkcs10" \
request.xml
Insert the CSR with the following command:
$ xmlstarlet edit --inplace \
-u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request']/Value" \
-v "$(cat testuser.csr)" \
request.xml
The final XML request should look like the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
<Attributes>
<Attribute name="uid">testuser</Attribute>
<Attribute name="pwd">Secret.123</Attribute>
</Attributes>
...
<Input ...>
...
<Attribute name="cert_request_type">
<Value>pkcs10</Value>
...
</Attribute>
<Attribute name="cert_request">
<Value>-----BEGIN CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT
guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT
oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO
nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu
NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp
8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq
QA==
-----END CERTIFICATE REQUEST-----</Value>
...
</Attribute>
</Input>
</CertEnrollmentRequest>
Then submit the request with the following command:
$ curl \
-k \
-s \
-X POST \
-d @request.xml \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
https://$HOSTNAME:8443/ca/rest/certrequests \
| xmllint --format -
<CertRequestInfos>
<total>1</total>
<CertRequestInfo ...>
<requestID>0xfd5377c93db8f0ed016de1d688e27f7e</requestID>
<requestType>enrollment</requestType>
<requestStatus>complete</requestStatus>
...
<certID>0x784127bb5291d998224a9426aea15c2b</certID>
...
<certRequestType>pkcs10</certRequestType>
<operationResult>success</operationResult>
</CertRequestInfo>
</CertRequestInfos>
The certificate can be retrieved with the following commands:
$ curl \
-k \
-s \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
https://pki.example.com:8443/ca/rest/certs/<cert ID> \
| xmllint --format - \
> cert.xml
$ xmlstarlet sel -t -v '/CertData/Encoded' cert.xml \
| sed 's/ $//' \
> testuser.crt
The enrollment can also be done manually using JSON messages.
First, generate a certificate request and store it into a file (e.g. testuser.csr).
Then retrieve the template for the JSON request for the profile with the following command:
$ curl \
-k \
-s \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirUserCert \
| python -m json.tool \
> request.json
Insert the username of the LDAP user with the following command:
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \
request.json | sponge request.json
Insert the password of the LDAP user with the following command:
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
request.json | sponge request.json
Insert the request type with the following command:
$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
request.json | sponge request.json
Insert the CSR with the following command:
$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
request.json | sponge request.json
The final JSON request should look like the following:
{
...,
"Input": [
{
...,
"Attribute": [
{
"name": "cert_request_type",
"Value": "pkcs10",
...
},
{
"name": "cert_request",
"Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----",
...
}
]
}
],
...,
"Attributes": {
"Attribute": [
{
"name": "uid",
"value": "testuser"
},
{
"name": "pwd",
"value": "Secret.123"
}
]
}
}
Then submit the request with the following command:
$ curl \
-k \
-s \
-X POST \
-d @request.json \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
https://$HOSTNAME:8443/ca/rest/certrequests \
| python -m json.tool
{
"total": 1,
"entries": [
{
"requestID": "0xfd5377c93db8f0ed016de1d688e27f7e",
"requestType": "enrollment",
"requestStatus": "complete",
...,
"certId": "0x784127bb5291d998224a9426aea15c2b",
...,
"certRequestType": "pkcs10",
"operationResult": "success",
...
}
]
}
The certificate can be retrieved with the following commands:
$ curl \
-k \
-s \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
https://$HOSTNAME:8443/ca/rest/certs/<cert ID> \
| python -m json.tool \
> cert.json
$ jq -j '.Encoded' cert.json | tee testuser.crt
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |