12.3. Requesting a CA-signed Certificate Through SCEP
The Simple Certificate Enrollment Protocol (SCEP) automates and simplifies certificate management with the CA. It lets a client request and retrieve a certificate over HTTP directly from the CA's SCEP service. The enrollment request is authenticated with a one-time PIN (the SCEP challenge password) issued by the CA, which is usually valid only for a limited time.
The following example adds a SCEP CA configuration to certmonger, requests a new certificate, and adds it to the local NSS database.
- Add the CA configuration to certmonger:

    [root@server ~]# getcert add-scep-ca -c CA_Name -u SCEP_URL

  -c: Mandatory nickname for the CA configuration. The same value can later be passed to other getcert commands.
  -u: URL to the server's SCEP interface.
  -R CA_Filename: Mandatory when using an HTTPS URL. Location of a PEM-formatted copy of the SCEP server's CA certificate, used to validate the server certificate on the HTTPS connection. Obtain this file through a trusted channel; a CA file fetched over the same unverified connection adds nothing.
- Verify that the CA configuration has been successfully added:

  The CA configuration was added successfully when the CA certificate thumbprints were retrieved over SCEP and are shown in the command's output. The SCEP exchange that fetches the CA certificate is not itself authenticated, so when the server is accessed over unencrypted HTTP, manually compare the thumbprints with the ones displayed at the SCEP server (obtained out of band, not over the same HTTP connection) to prevent a man-in-the-middle attack. If the thumbprints differ, remove the CA configuration and do not submit a request to it.
- Request a certificate from the CA:
    [root@server ~]# getcert request -I Task_Name -c CA_Name -d /etc/pki/nssdb -n Certificate_Name -N cn="Subject Name" -L one-time_PIN

  -I: Name of the task. The same value can later be passed to the getcert list command.
  -c: CA configuration to submit the request to.
  -d: Directory with the NSS database in which to store the certificate and key.
  -n: Nickname of the certificate, used in the NSS database.
  -N: Subject name in the CSR.
  -L: Time-limited one-time PIN issued by the CA. It is passed on the command line, so it is visible in the shell history and in the process list while getcert runs; treat it as a secret for as long as it remains valid.
- Right after submitting the request, you can verify that a certificate was issued and correctly stored in the local database:

  The status MONITORING signifies that the issued certificate was retrieved and stored, and that certmonger now tracks it for renewal. If the request is still being processed, re-run the check until the state settles. The getcert-list(1) man page lists the other possible states and their meanings.
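The procedure above as a scripted enrollment, added here as an example; it is not code from this page or from certmonger. It wraps the getcert steps with the two checks a practitioner would add: refusing an HTTPS SCEP URL that has no CA file, and comparing the thumbprint retrieved over SCEP against one obtained out of band before any request is submitted. CA_Name, SCEP_URL, /etc/pki/scep-ca.pem and EXPECTED_SHA1 are assumed placeholders, and the sample getcert output embedded for the offline checks is constructed.

```shell
#!/bin/sh
# Added example, not code from the Red Hat page or from certmonger: a wrapper
# around the getcert steps above with the checks a practitioner adds.
# Assumed placeholders (not real infrastructure): CA_Name, SCEP_URL,
# /etc/pki/scep-ca.pem and EXPECTED_SHA1, the thumbprint the CA administrator
# published out of band.

# Step 1: build the `getcert add-scep-ca` command line. An https:// URL
# without a PEM CA file (-R) is refused, because getcert needs that file to
# validate the SCEP server's TLS certificate.
scep_add_ca_cmd() {
  nick=$1; url=$2; cafile=${3:-}
  case "$url" in
    https://*)
      [ -n "$cafile" ] || { echo "https URL requires -R CA_Filename" >&2; return 1; }
      echo "getcert add-scep-ca -c $nick -u $url -R $cafile" ;;
    http://*)
      echo "getcert add-scep-ca -c $nick -u $url" ;;
    *)
      echo "unsupported URL scheme in $url" >&2; return 1 ;;
  esac
}

# Normalise a thumbprint (drop spaces and colons, uppercase) so the value
# printed by `getcert list-cas` and the one shown by the SCEP server compare
# byte for byte regardless of how each side formats it.
norm_fp() {
  printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Pull the SHA1 thumbprint out of `getcert list-cas -c NAME` output on stdin.
extract_sha1_fp() {
  sed -n 's/^.*SCEP CA certificate thumbprint (SHA1): *//p' | head -n 1
}

# Step 2, the man-in-the-middle check: the thumbprint retrieved over SCEP must
# equal the one obtained out of band. Missing values fail closed.
verify_thumbprint() {
  retrieved=$1; expected=$2
  [ -n "$retrieved" ] && [ -n "$expected" ] || return 1
  [ "$(norm_fp "$retrieved")" = "$(norm_fp "$expected")" ]
}

# Step 4: pull the tracking status out of `getcert list -i Task_Name` output.
request_status() {
  sed -n 's/^[[:space:]]*status: *//p' | head -n 1
}

# Constructed sample output in the layout getcert prints (assumption; the
# thumbprints are made-up placeholders, not values from any real CA).
SAMPLE_LIST_CAS="CA 'CA_Name':
    is-default: no
    ca-type: EXTERNAL
    SCEP CA certificate thumbprint (MD5): 00112233 44556677 8899AABB CCDDEEFF
    SCEP CA certificate thumbprint (SHA1): 01234567 89ABCDEF 01234567 89ABCDEF 01234567"
SAMPLE_LIST="Number of certificates and requests being tracked: 1.
Request ID 'Task_Name':
    status: MONITORING
    stuck: no
    CA: CA_Name
    subject: CN=Subject Name"

# The real enrollment, run only when explicitly requested on a certmonger
# host. The PIN comes from the environment rather than a literal in the
# script, but it is still visible in the process list while getcert runs.
run_enrollment() {
  ca=$1; url=$2; cafile=$3; expected_sha1=$4; task=$5; nick=$6; subject=$7; pin=$8
  scep_add_ca_cmd "$ca" "$url" "$cafile" >/dev/null || return 1
  getcert add-scep-ca -c "$ca" -u "$url" ${cafile:+-R "$cafile"} || return 1
  fp=$(getcert list-cas -c "$ca" | extract_sha1_fp)
  verify_thumbprint "$fp" "$expected_sha1" || {
    echo "thumbprint mismatch for $ca: possible man-in-the-middle" >&2; return 1; }
  getcert request -I "$task" -c "$ca" -d /etc/pki/nssdb -n "$nick" \
    -N "cn=$subject" -L "$pin" || return 1
  [ "$(getcert list -i "$task" | request_status)" = "MONITORING" ]
}

if [ "${RUN_ENROLL:-0}" = 1 ]; then
  run_enrollment CA_Name "$SCEP_URL" /etc/pki/scep-ca.pem "$EXPECTED_SHA1" \
    Task_Name Certificate_Name "Subject Name" "$ONE_TIME_PIN"
fi
```

Without RUN_ENROLL=1 the script only defines the functions, so it can be sourced and the parsing and comparison logic exercised against the constructed samples. On a real host run it as `RUN_ENROLL=1 SCEP_URL=... EXPECTED_SHA1=... ONE_TIME_PIN=... sh scep-enroll.sh`; if the final status is not yet MONITORING because the CA is still processing the request, re-run `getcert list -i Task_Name` rather than resubmitting with the same PIN.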