13.2. Usage

Signed requests must be submitted to the CA, either by sending them directly to the Certificate Authority or by using the CA agent page. Certificate System provides a Certificate Authority Certificate Enrollment form called CMCEnrollment.html. The default configuration of this form does not include the necessary field to paste an enrollment request. To use this form to submit requests, change the configuration so that this field is available.

To enable the CMC Enrollment form for the CA end-entity interface, do the following:

  1. Open the CA's web directory in /var/lib/rhpki-ca/web-apps/ca/ee/ca.

  2. Open the CMCEnrollment.html file.

  3. Find the following line:

    <form method="post" action="/enrollment" onSubmit="return validate(document.forms[0])">
    

  4. Add the following line below that line:

    <input type="hidden" name="authenticator" value="CMCAuth">
    
  5. After configuring the HTML form, test CMCEnroll and the form by doing the following:

    1. Create a certificate request using certutil.

    2. Copy the PKCS #10 ASCII output to a text file.

    3. Run the CMCEnroll command to sign the certificate request. If the input file is request34.txt, the agent's certificate is stored in the /export/certs directory, the certificate common name for this CA is CertificateManagerAgentsCert, and the password for the certificate database is 1234pass, the command is as follows:

      CMCEnroll -d "/export/certs" -n "CertificateManagerAgentsCert" -r "/export/requests/request34.txt" -p "1234pass"
      

      The output of this command is stored in a file with the same filename and .out appended to the filename.

    4. Submit the signed certificate request through the CA end-entities page.

      1. Open the end-entities page.

      2. Select the CMC Enrollment profile form.

      3. Paste the content of the output file into the first text area of this form.

      4. Remove -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- from the pasted content.

      5. Select Certificate Type User Certificate, fill in the contact information, and submit the form.

    5. The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.

    6. Use the agent page to search for the new certificates.
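
The two hand edits in this procedure, adding the hidden authenticator field to CMCEnrollment.html and removing the marker lines from the CMCEnroll output before pasting, can be scripted and checked. The shell functions below are an added example, not part of Certificate System; the function names are hypothetical, and the first-byte check assumes the output file holds a base64-encoded DER structure.

```shell
#!/bin/sh
# Added example, not Certificate System code: scripts the form edit
# and the marker removal. File paths are supplied by the caller.
FORM_ACTION='action="/enrollment"'
HIDDEN='<input type="hidden" name="authenticator" value="CMCAuth">'
BEGIN_MARK='-----BEGIN NEW CERTIFICATE REQUEST-----'
END_MARK='-----END NEW CERTIFICATE REQUEST-----'

# Insert the CMCAuth hidden field directly below the enrollment <form> line.
# Idempotent; keeps the original as FILE.bak before the first change.
enable_cmcauth_field() {
    html=$1
    grep -qF -e "$FORM_ACTION" "$html" || { echo "form line not found: $html" >&2; return 1; }
    if grep -qF -e 'name="authenticator"' "$html"; then return 0; fi
    cp -p "$html" "$html.bak" || return 1
    awk -v pat="$FORM_ACTION" -v add="$HIDDEN" '
        { print }
        index($0, "<form") && index($0, pat) { print add }
    ' "$html.bak" > "$html"
    grep -qF -e "$HIDDEN" "$html"   # fails if the <form> tag spans several lines
}

# Print the body of a CMCEnroll .out file without its marker lines.
# Refuses input that lacks exactly one marker pair, is not base64, or does
# not decode to a DER SEQUENCE (first byte 0x30), e.g. a truncated copy.
cmc_paste_body() {
    clean=$(tr -d '\r' < "$1") || return 1
    for m in "$BEGIN_MARK" "$END_MARK"; do
        n=$(printf '%s\n' "$clean" | grep -cxF -e "$m" || :)
        [ "$n" = 1 ] || { echo "expected exactly one '$m' line" >&2; return 1; }
    done
    body=$(printf '%s\n' "$clean" | grep -vxF -e "$BEGIN_MARK" -e "$END_MARK" || :)
    printf '%s\n' "$body" | base64 -d > /dev/null 2>&1 ||
        { echo "body is not valid base64" >&2; return 1; }
    first=$(printf '%s\n' "$body" | base64 -d 2>/dev/null | head -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$first" = 30 ] || { echo "decoded data is not a DER SEQUENCE" >&2; return 1; }
    printf '%s\n' "$body"
}
```

Run `enable_cmcauth_field` against CMCEnrollment.html once, then pipe the result of `cmc_paste_body` on the .out file to the clipboard or a file for pasting into the form.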