5.7. Performing Bulk Issuance
There can be instances when an administrator needs to submit and generate a large number of certificates simultaneously. A combination of tools supplied with Certificate System can be used to post a file containing certificate requests to the CA. This example procedure uses the PKCS10Client command to generate the requests and the sslget command to send the requests to the CA.
- Since this process is scripted, multiple variables need to be set to identify the CA (host, port) and the items used for authentication (the agent certificate, the certificate database and its password). For example, set these variables for the session by exporting them in the terminal:
export d=/var/tmp/testDir
export p=password
export f=/var/tmp/server.csr.txt
export nick="CA agent cert"
export cahost=1.2.3.4
export caport=8443
Note
The local system must have a valid security database with an agent's certificate in it. To set up the databases:
- Export or download the agent user certificate and keys from the browser and save them to a file, such as agent.p12.
- If necessary, create a new directory for the security databases.
mkdir ${d}
- If necessary, create new security databases.
certutil -N -d ${d}
- Stop the Certificate System instance.
systemctl stop pki-tomcatd@instance_name.service
- Use pk12util to import the certificates.
pk12util -i /tmp/agent.p12 -d ${d} -W p12filepassword
If the procedure is successful, the command prints the following output:
pk12util: PKCS12 IMPORT SUCCESSFUL
- Start the Certificate System instance.
systemctl start pki-tomcatd@instance_name.service
- Two additional variables must be set: one that identifies the CA profile used to process the requests, and one that holds the POST statement supplying the information for the profile form.
export post="cert_request_type=pkcs10&xmlOutput=true&profileId=caAgentServerCert&cert_request="
export url="/ca/ee/ca/profileSubmitSSLClient"
Note
This example submits the certificate requests to the caAgentServerCert profile (identified in the profileId element of the post statement). Any certificate profile can be used, including custom profiles.
- Test the variable configuration.
echo ${d} ${p} ${f} ${nick} ${cahost} ${caport} ${post} ${url}
- Generate the certificate requests using (for this example) PKCS10Client:
time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done
perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f}
wc -l ${f}
- Check the status and the transaction logs for the CA.
/etc/init.d/pki-ca status
tail -f /var/log/pki-ca/transactions &
- Submit the bulk certificate request file created in step 4 to the CA profile interface using sslget. For example:
cat ${f} | while read thisreq; do /usr/bin/sslget -n "${nick}" -p ${p} -d ${d} -e ${post}${thisreq} -v -r ${url} ${cahost}:${caport}; done
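The submission loop above, written out as an added shell example (not part of the Red Hat guide) that makes the CSR encoding and the variable checks explicit: it assumes the guide's exported variables (d, p, f, nick, cahost, caport, url), the caAgentServerCert profile and the sslget tool, and additionally percent-encodes the base64 padding character, which the guide's perl one-liner leaves as-is.

```shell
# Added example (not from the Red Hat Certificate System guide): prepare each
# PKCS#10 request for the profileSubmitSSLClient POST body and submit it with
# sslget, the way the guide's loop does, with encoding and checks made explicit.
# Assumptions: CSR files are base64, optionally PEM-wrapped and/or CRLF-terminated;
# d, p, f, nick, cahost, caport and url are the variables the guide exports.

# Strip PEM armour and line breaks, then percent-encode the characters that an
# application/x-www-form-urlencoded body would otherwise reinterpret:
# '+' decodes to a space, '/' and '=' (base64 padding) are reserved characters.
# The guide's perl one-liner handles '+' and '/'; '=' is encoded here as well.
encode_csr() {
    tr -d '\r\n' < "$1" |
        sed -e 's/-----BEGIN[^-]*-----//' -e 's/-----END[^-]*-----//' \
            -e 's/+/%2B/g' -e 's#/#%2F#g' -e 's/=/%3D/g'
}

# Build the full form body for one request (same fields as the guide's ${post}).
build_post_body() {   # $1 = profile id, $2 = CSR file
    printf 'cert_request_type=pkcs10&xmlOutput=true&profileId=%s&cert_request=%s' \
        "$1" "$(encode_csr "$2")"
}

# Fail early if any session variable is unset, instead of sending a malformed
# request (or sending it to the wrong host or port).
check_vars() {
    for v in d p f nick cahost caport url; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "variable not set: $v" >&2; return 1; }
    done
}

# One sslget call per CSR file. With DRY_RUN=1 the command line is printed
# (password masked) instead of executed, so the body can be inspected first.
submit_all() {   # $1 = profile id, remaining args = CSR files
    profile="$1"; shift
    for csr in "$@"; do
        body=$(build_post_body "$profile" "$csr") || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "sslget -n \"$nick\" -p **** -d $d -e '$body' -v -r $url $cahost:$caport"
        else
            /usr/bin/sslget -n "$nick" -p "$p" -d "$d" -e "$body" -v -r "$url" "$cahost:$caport"
        fi
    done
}

# Usage, mirroring the guide's per-request files ${f}.1 .. ${f}.10:
#   check_vars && submit_all caAgentServerCert "${f}".[0-9]*
```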