Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

5.6. Performing Bulk Issuance


There can be instances when an administrator needs to submit and generate a large number of certificates simultaneously. A combination of tools supplied with Certificate System can be used to post a file containing certificate requests to the CA. This example procedure uses the PKCS10Client command to generate the requests and the sslget command to send the requests to the CA.
  1. Since this process is scripted, multiple variables need to be set to identify the CA (host, port) and the items used for authentication (the agent certificate and certificate database and password). For example, set these variables for the session by exporting them in the terminal:
    export d=/var/tmp/testDir
    export p=password
    export f=/var/tmp/server.csr.txt
    export nick="CA agent cert"
    export cahost=1.2.3.4
    export caport=8443

    Note

    The local system must have a valid security database with an agent's certificate in it. To set up the databases:
    1. Export or download the agent user certificate and keys from the browser and save to a file, such as agent.p12.
    2. If necessary, create a new directory for the security databases.
      mkdir ${d}
    3. If necessary, create new security databases.
      certutil -N -d ${d}
    4. Stop the Certificate System instance.
      pki-server stop instance_name
    5. Use pk12util to import the certificates.
      # pk12util -i /tmp/agent.p12 -d ${d} -W p12filepassword
      If the procedure is successful, the command prints the following output:
      pk12util: PKCS12 IMPORT SUCCESSFUL
    6. Start the Certificate System instance.
      pki-server start instance_name
  2. Two additional variables must be set. A variable that identify the CA profile to be used to process the requests, and a variable that is used to send a post statement to supply the information for the profile form.
    export post="cert_request_type=pkcs10&xmlOutput=true&profileId=caAgentServerCert&cert_request="
    export url="/ca/ee/ca/profileSubmitSSLClient"

    Note

    This example submits the certificate requests to the caAgentServerCert profile (identified in the profileId element of the post statement. Any certificate profile can be used, including custom profiles.
  3. Test the variable configuration.
    echo ${d} ${p} ${f} ${nick} ${cahost} ${caport} ${post} ${url}
  4. Generate the certificate requests using (for this example) PKCS10Client:
    time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done
    
    perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
    
    wc -l ${f}
  5. Submit the bulk certificate request file created in step 4 to the CA profile interface using sslget. For example:
    cat ${f} | while read thisreq; do /usr/bin/sslget -n "${nick}" -p ${p} -d ${d} -e ${post}${thisreq} -v -r ${url} ${cahost}:${caport}; done
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.