Scroll to navigation

CMCEnroll(1) PKI CMC Enrollment Tool CMCEnroll(1)

NAME

CMCEnroll - Used to sign a certificate request with an agent's certificate.

Note: This tool has not yet been updated to work with the latest improvement in the CA to conform to RFC 5272. Please use CMCRequest instead.

SYNOPSIS

CMCEnroll -d NSS-database -n certificate-nickname -r certificate-request-file -p NSS-database-passwd

DESCRIPTION

The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, CMCEnroll, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.

CMCEnroll takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.

OPTIONS

The following parameters are mandatory:

Note: Surround values that include spaces with quotation marks.

-d NSS-database
The directory containing the NSS database associated with the agent certificate.
This is usually the agent's personal directory, such as their browser certificate database in the home directory.

-n certificate-nickname
The nickname of the agent certificate that is used to sign the request.

-r certificate-request-file
The filename of the certificate request.

-p NSS-database-passwd
The password to the NSS certificate database which contains the agent certificate,
given in -d NSS-database.

EXAMPLES

Signed requests must be submitted to the CA to be processed.

Note: For this example to work automatically, the CMCAuth plug-in must be enabled on the CA server (which it is by default).

(1) Create a PKCS #10 certificate request using a tool like certutil:

$ cd $HOME/.mozilla/firefox/<profile>
$ certutil -L -d .
Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI Google Internet Authority G2 ,, COMODO RSA Domain Validation Secure Server CA ,, pki.example.com ,, DigiCert SHA2 Secure Server CA ,, DigiCert SHA2 Extended Validation Server CA ,, COMODO RSA Extended Validation Secure Server CA 2 ,, Symantec Class 3 Secure Server CA - G4 ,, Go Daddy Secure Certificate Authority - G2 ,, Oracle SSL CA - G2 ,, GeoTrust EV SSL CA - G4 ,, Symantec Class 3 Secure Server SHA256 SSL CA ,, GeoTrust SSL CA - G3 ,, PKI Administrator for example.com u,u,u DigiCert SHA2 High Assurance Server CA ,, COMODO RSA Organization Validation Secure Server CA ,, CA Signing Certificate - example.com Security Domain CT,C,C $ certutil -R -d . -s "CN=CMCEnroll Test Certificate" -a A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Press enter to continue: Generating key. This may take a few moments... Certificate request generated by Netscape certutil Phone: (not specified) Common Name: CMCEnroll Test Certificate Email: (not specified) Organization: (not specified) State: (not specified) Country: (not specified) -----BEGIN CERTIFICATE REQUEST----- MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7 6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH 68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6 sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA== -----END CERTIFICATE REQUEST-----

(2) Copy the PKCS #10 ASCII output to a text file.

$ vi cert.req
-----BEGIN CERTIFICATE REQUEST-----
MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
-----END CERTIFICATE REQUEST-----

(3) Run the CMCEnroll command to sign the certificate request. If the input file is "$HOME/.mozilla/firefox/&lt;profile&gt;/cert.req", the agent's certificate is stored in the "$HOME/.mozilla/firefox/&lt;profile&gt;" directory, the certificate common name for this CA is "PKI Administrator for example.com", and the password for the certificate database is "Secret.123", the command is as follows:

$ CMCEnroll -d "$HOME/.mozilla/firefox/<profile>" \

-n "PKI Administrator for example.com" \
-r "$HOME/.mozilla/firefox/<profile>/cert.req" \
-p "Secret.123" cert/key prefix = path = <home>/.mozilla/firefox/<profile> -----BEGIN CERTIFICATE REQUEST----- MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7 6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH 68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6 sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA== -----END CERTIFICATE REQUEST-----

The output of this command is stored in a file with the same filename as the request with a .out appended to the filename (e.g. cert.req.out):

$ cat cert.req.out
-----BEGIN CERTIFICATE REQUEST-----
MIIMhwYJKoZIhvcNAQcCoIIMeDCCDHQCAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB5Da2UvQ1V6VEZF
Rzgwa1Ryb1dsNjVuTUZhMEU9DQowIQIBAwYIKwYBBQUHBwUxEgIQU05oqk+q+FdR
go/eIzsjGTCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5y
b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA
+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5
tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1
A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiu
qv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUy
UkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
Q9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2
fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9w
Xz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ
+FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SB
Sa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9D
RJd1FJoocw0eGhw31I5rJDAAMACggge1MIIDzDCCArSgAwIBAgIBATANBgkqhkiG
9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
RG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcy
MTIzNDAyNVoXDTM2MDcyMTIzNDAyNVowTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmWoikqOPpH
0JLW3SZ1SPojvndjdILqDuGuRmqtcLuzZtmNuY7ZVwrXt61G1SCCBoEiy/OcUCKM
GVpw0M15Dn3sjJmd9F2R5lrGT2eMWWfVTr15RyEwK9Pn0mxTDN+0eZ4WDY9U4Zg4
2qZYIhkfGSTR5jhA4rs3uNOFm0ElLqDumGw3EXjJOy+RURvNbY4Pjlz89+Q2o6M0
/XMmMYzxVtXusKu1bvTKIiWoWCXR5ge78GoT/8reer+zxuSXiKSeVV2myvCQhmMH
AD2rik/7hazuY2ztC8h9HF09PMSeK2ev6PlzSV/PEqj9u5bgOcbqeiQkzR6IOcSi
JCn9o7B+AUMCAwEAAaOBtDCBsTAfBgNVHSMEGDAWgBS7NphdZcuI4IcjN29b96+L
iuu6tTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU
uzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzAB
hjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Ev
b2NzcDANBgkqhkiG9w0BAQsFAAOCAQEANUYLK65kV0na9zmtNGFje4akz4FBRAOh
f/RYvtH4/0z38vW/E6fZkfb6CHrC4pNPfL6c0q/8H0mIrAft4kkQlTyJB9tdF5qY
vCfUMmZ+zM664U/97nf7NSUu9PIFcNfh+/O9IoVUd7gEerRISJzbsmHAcCcfIiKX
FsM+6HbEt+lH47flb/eSA2cUS84bC+XlZmKpse1R8PL/rKzngReZmMhNx73pYlEN
0qOpJILEMC1FVUExp6XnnP/m1+gY3T2FrIcUU7Jm1mCnln3VcLxkRU2c9tGj4xYr
H8teMoQHLZTiqe/54h+3/pUEDgSATAHnex/uG33TXNDbpeNeq720eDCCA+EwggLJ
oAMCAQICAQYwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMzBaFw0xODA3MTEyMzQwMzBaMHQxKzApBgNV
BAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xKTAnBgkqhkiG
9w0BCQEWGmNhYWRtaW5AdXNlcnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kg
QWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPQ
fOUyTIkdDnPzBrFRBknHqjYMrRpUDBR+JlarT/Sr6PqNQPMcM7JvgBNmXG32H+5w
QH/sfVjOmKEJOMsh71vKiTM0wb5rIo08B34i9E5Cf2Wzx2/ht4qfWvSmb5ZBxy22
YpasKLdv7SwSDQr0U7h+Q/96Hgq85ONxWWN6XubgZxSfbs7QVcA0jVq+2inhT67B
0u4DO6MTxFJNCfDcWiA/M6xzKbjEqDUEh46Rk19krGPYsbfW2BMuOi7pyfTDJVJ5
CAUbo4bpR3eeo5KMbUvgF3WUxA1whOF2Oc6t0hdINW6Xeq3vpnwn3RyX2TRQ0zqi
n3K3uPdahteQNcRb/Q8CAwEAAaOBozCBoDAfBgNVHSMEGDAWgBS7NphdZcuI4Icj
N29b96+Liuu6tTBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0dHA6Ly9w
a2ktZGVza3RvcC51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
hvcNAQELBQADggEBAADJNrg4qAZ1LxSz2Nn1k1SEmbugxrh8o1jpBAaSvLlv+blL
+6wNq0D7c1GPzRO5TObyXgpbtHgofpKLSxw8cB3y8ugZMp7qJeCYxgzxQKEVMANW
6eZgAxvEe1J5Vyk/ELNiCtQmY7Mi+BtwvCF0xkCwYtOGlgeLV5t6GjBdG+jpZSIb
B0En0+t/JOwvqUAhzVStz/j9LgBza0P8ACd/s2Z/zjpot2JTXDofF0mbiGwMz4Em
/dOT3QhUr3QqFY/Q6T7c/wW7KbUXpNjwvLAV86A9Oojq32Z3ppJPnnDoLxLWvn8f
4rBdhhKrFhRZBYd91r3OExUIAEkFH9cmgPusjMsxggG6MIIBtgIBAzBTME4xKzAp
BgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNV
BAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqG
SIb3DQEJAzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUeIRBuSA10uyZK8LB
yc5Abz4f74AwDQYJKoZIhvcNAQEBBQAEggEAC1DFoKDcAzJUdIIucV61TqQtbBJT
H8hhnln3+TwAO+u3X55o74xZMgawy/3Hkt3CjYxYmWIYY9MZILb2UeD0VZz63yzq
F9tEZu2IhlvaOgP6NLcu8SxDImQ/GuvPIvGkGg0m/X3cwCHKymH7ZXAUfxQXgqbw
CAMc+DH99xx0yotaAr5HE9tauNJejo4CDVYwUn/5syTcw3molt2Ely2FIFEyI3HD
yPmP2OHw/xqlBhFvnoecbtpTq2DiWGPWJHSnzcdInuXudHHaIsribXK8HGw2MnCD
8Sq7UsrvBe50v0YebYzQdXYrsnluNc+Cwm2PdDQDfPT39e7iwGSLGi4KrQ==
-----END CERTIFICATE REQUEST-----

(4) Submit the signed certificate request through the CA end-entities page:

(a) Open the end-entities page.

(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.

(c) Paste the content of the output file into the first text area of this form.

(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.

(e) Fill in the contact information, and submit the form.

(5) The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled:

Congratulations, your request has been processed successfully
Your request ID is 7.
Outputs
* Certificate Pretty Print

Certificate:
Data:
Version: v3
Serial Number: 0x7
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,O=example.com Security Domain
Validity:
Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
Not After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
Subject: CN=CMCEnroll Test Certificate
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
8A:EB:BA:B5
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://pki.example.com:8080/ca/ocsp
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Signature:
6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
FingerPrint
MD2:
C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
MD5:
5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
SHA-1:
F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
5C:A9:71:27
SHA-256:
66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
SHA-512:
E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49 * Certificate Base-64 Encoded -----BEGIN CERTIFICATE----- MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad 7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x /Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/ mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+ gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT 8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7 axszSMsh -----END CERTIFICATE----- * Certificate Imports ---------------------- | Import Certificate | ----------------------

(6) Use the agent page to search for the new certificate:

Certificate   0x07
Certificate contents

Certificate:
Data:
Version: v3
Serial Number: 0x7
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,O=example.com Security Domain
Validity:
Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
Not After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
Subject: CN=CMCEnroll Test Certificate
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
8A:EB:BA:B5
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://pki.example.com:8080/ca/ocsp
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Signature:
6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
FingerPrint
MD2:
C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
MD5:
5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
SHA-1:
F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
5C:A9:71:27
SHA-256:
66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
SHA-512:
E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49 Certificate request info Request ID: 7 Installing this certificate in a server The following format can be used to install this certificate into a server. Base 64 encoded certificate -----BEGIN CERTIFICATE----- MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad 7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x /Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/ mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+ gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT 8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7 axszSMsh -----END CERTIFICATE----- Base 64 encoded certificate with CA certificate chain in pkcs7 format -----BEGIN PKCS7----- MIIHlQYJKoZIhvcNAQcCoIIHhjCCB4ICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIH ZjCCA5IwggJ6oAMCAQICAQcwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNl cnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln bmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjIwMDI4MjBaFw0xNzAxMTgwMTI4MjBa MCUxIzAhBgNVBAMTGkNNQ0Vucm9sbCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2pkAOqbCu054nNwwLSMgDApOxStz7krH iUq0fwu1tObT765aeb1CsaZnAPj4NwADaeYFTEDqbOq4gL6Cu+jSk5MODHtPQqMG ne2svSAQWOEKqgZkZ309zJulObSVnqr6tXCJMKMcx5ZYLBgRjEHbiO1EY4UGMd6f rKxkntHzO26ivgFOmiYeK9I3NQOqQr/9lzDmNSFM5oyBJzatkVjqZ7FkOFA5mta/ LFMyoDYZLoYz1OVOWBrfftI4rqr9eHWyou1CTdwz7ZBF2TTqxaxoKioXVKi4a3Zv sfx4MP2maEgxWFzjfYxUxcjFMlJFl2aubH8IIVlAtquA7G37x+vIdQIDAQABo4Gj MIGgMB8GA1UdIwQYMBaAFLs2mF1ly4jghyM3b1v3r4uK67q1ME4GCCsGAQUFBwEB BEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNrdG9wLnVzZXJzeXMucmVk aGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQG CCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAQEAbYuZ0unTTn9V IKZ/gAxytDDFT8vUrFeF19LKdZD3L1cRy2cWCAxMI9Klpy5OITn11cdtC9ytSOKS /5nF/M8OiWm5CbqfDoSrgTKni5kw33UvbGFanId32izqQIUg8t6VdmvXC4yIJWIA LQQw8CRLZCpK5zcEorytt3+6qnRBLFXp5UuSGLwY3PxL6hUYzrB6OoRk4jEcZAp5 PoBuQxIwiipnb1ZLVlXHVoaHJ+TDKMoF0r0LXRCiTpadWyqgC5u2u48VH9OveeA4 0/Ht1fHw6/hmVj8vT0qTDi4R8/cbN2EI5EqSTGDjHgoNYfKvsuNIOXSqXjJbq/NV O2sbM0jLITCCA8wwggK0oAMCAQICAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UE CgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwW Q0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMjVaFw0zNjA3MjEy MzQwMjVaME4xKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBE b21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCplqIpKjj6R9CS1t0mdUj6I753Y3SC6g7h rkZqrXC7s2bZjbmO2VcK17etRtUgggaBIsvznFAijBlacNDNeQ597IyZnfRdkeZa xk9njFln1U69eUchMCvT59JsUwzftHmeFg2PVOGYONqmWCIZHxkk0eY4QOK7N7jT hZtBJS6g7phsNxF4yTsvkVEbzW2OD45c/PfkNqOjNP1zJjGM8VbV7rCrtW70yiIl qFgl0eYHu/BqE//K3nq/s8bkl4iknlVdpsrwkIZjBwA9q4pP+4Ws7mNs7QvIfRxd PTzEnitnr+j5c0lfzxKo/buW4DnG6nokJM0eiDnEoiQp/aOwfgFDAgMBAAGjgbQw gbEwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwDwYDVR0TAQH/BAUw AwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFLs2mF1ly4jghyM3b1v3r4uK 67q1ME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNr dG9wLnVzZXJzeXMucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcNAQEL BQADggEBADVGCyuuZFdJ2vc5rTRhY3uGpM+BQUQDoX/0WL7R+P9M9/L1vxOn2ZH2 +gh6wuKTT3y+nNKv/B9JiKwH7eJJEJU8iQfbXReamLwn1DJmfszOuuFP/e53+zUl LvTyBXDX4fvzvSKFVHe4BHq0SEic27JhwHAnHyIilxbDPuh2xLfpR+O35W/3kgNn FEvOGwvl5WZiqbHtUfDy/6ys54EXmZjITce96WJRDdKjqSSCxDAtRVVBMael55z/ 5tfoGN09hayHFFOyZtZgp5Z91XC8ZEVNnPbRo+MWKx/LXjKEBy2U4qnv+eIft/6V BA4EgEwB53sf7ht901zQ26XjXqu9tHgxAA== -----END PKCS7-----

SEE ALSO

CMCRequest(1), CMCResponse(1), CMCRevoke(1), pki(1)

AUTHORS

Matthew Harmsen &lt;mharmsen@redhat.com&gt;.

COPYRIGHT

Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

July 20, 2016 PKI