Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

5.2. Creating Certificate Signing Requests

As explained in the Enrolling with CMC section in the Red Hat Certificate System Planning, Installation, and Deployment Guide (Common Criteria Edition), the CMCRequest utility accepts Certificate Signing Requests (CSR) in PKCS #10 and CRMF format.
Red Hat Certificate System supports using the following utilities to create CSRs:
  • certutil: Supports creating PKCS #10 requests.
  • PKCS10Client: Supports creating PKCS #10 requests.
  • CRMFPopClient: Supports creating CRMF requests.
The following sections provide some examples on how to use these utilities with the feature-rich enrollment profile framework.

5.2.1. Creating a CSR Using certutil
Copia collegamento

This section describes examples on how to use the certutil utility to create a CSR.
For further details about using certutil, see:
  • The certutil(1) man page
  • The output of the certutil --help command

5.2.1.1. Using certutil to Create a CSR with EC Keys
Copia collegamento

The following procedure demonstrates how to use the certutil utility to create an Elliptic Curve (EC) key pair and CSR:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Create the binary CSR and store it in the /user_or_entity_database_directory/request.csr file: 
    $ certutil -d . -R -k ec -q nistp256 -s "CN=subject_name" -o /user_or_entity_database_directory/request-bin.csr
    Copy to Clipboard Toggle word wrap
    Enter the required NSS database password when prompted.
    For further details about the parameters, see the certutil(1) man page.
  3. Convert the created binary format CSR to PEM format: 
    $ BtoA /user_or_entity_database_directory/request-bin.csr /user_or_entity_database_directory/request.csr
    Copy to Clipboard Toggle word wrap
  4. Optionally, verify that the CSR file is correct: 
    $ cat /user_or_entity_database_directory/request.csr

MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs
...
    Copy to Clipboard Toggle word wrap
    This is a PKCS#10 PEM certificate request.
  5. For the next steps, see Section 5.3.1, “The CMC Enrollment Process”, but skip the step about creating the certificate request.

5.2.1.2. Using certutil to Create a CSR With User-defined Extensions
Copia collegamento

The following procedure demonstrates how to create a CSR with user-defined extensions using the certutil utility.
Note that the enrollment requests are constrained by the enrollment profiles defined by the CA. See Example B.3, “Multiple User Supplied Extensions in CSR”.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Create the CSR with user-defined Key Usage extension as well as user-defined Extended Key Usage extension and store it in the /user_or_entity_database_directory/request.csr file: 
    $ certutil -d . -R -k rsa -g 1024 -s "CN=subject_name" --keyUsage keyEncipherment,dataEncipherment,critical --extKeyUsage timeStamp,msTrustListSign,critical -a -o /user_or_entity_database_directory/request.csr
    Copy to Clipboard Toggle word wrap
    Enter the required NSS database password when prompted.
    For further details about the parameters, see the certutil(1) man page.
  3. Optionally, verify that the CSR file is correct: 
    $ cat /user_or_entity_database_directory/request.csr
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: user 4-2-1-2
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)
    Copy to Clipboard Toggle word wrap
    This is a PKCS#10 PEM certificate request.
  4. For the next steps, see Section 5.3.1, “The CMC Enrollment Process”, but skip the step about creating the certificate request.

    Note

    Remove the header information from the CSR.

5.2.2. Creating a CSR Using PKCS10Client
Copia collegamento

This section describes examples how to use the PKCS10Client utility to create a CSR.
For further details about using PKCS10Client, see:
  • The PKCS10Client(1) man page
  • The output of the PKCS10Client --help command

5.2.2.1. Using PKCS10Client to Create a CSR
Copia collegamento

The following procedure explains how to use the PKCS10Client utility to create an Elliptic Curve (EC) key pair and CSR:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ PKCS10Client -d . -p NSS_password -a ec -c nistp256 -o /user_or_entity_database_directory/example.csr -n "CN=subject_name"
    Copy to Clipboard Toggle word wrap
    For further details about the parameters, see the PKCS10Client(1) man page.
  3. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----
    Copy to Clipboard Toggle word wrap

5.2.2.2. Using PKCS10Client to Create a CSR for SharedSecret-based CMC
Copia collegamento

The following procedure explains how to use the PKCS10Client utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert and caECFullCMCSharedTokenCert profiles.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ PKCS10Client -d . -p NSS_password -o /user_or_entity_database_directory/example.csr -y true -n "CN=subject_name"
    Copy to Clipboard Toggle word wrap
    For further details about the parameters, see the PKCS10Client(1) man page.
  3. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----
    Copy to Clipboard Toggle word wrap

5.2.3. Creating a CSR Using CRMFPopClient
Copia collegamento

Certificate Request Message Format (CRMF) is a CSR format accepted in CMC that allows key archival information to be securely embedded in the request.
This section describes examples how to use the CRMFPopClient utility to create a CSR.
For further details about using CRMFPopClient, see the CRMFPopClient(1) man page.

5.2.3.1. Using CRMFPopClient to Create a CSR with Key Archival
Copia collegamento

The following procedure explains how to use the CRMFPopClient utility to create an RSA key pair and a CSR with the key archival option:
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Retrieve the KRA transport certificate: 
    $ pki ca-cert-find --name "DRM Transport Certificate"
    ---------------
    1 entries found
    ---------------
      Serial Number: 0x7
      Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
      Status: VALID
      Type: X.509 version 3
      Key A    lgorithm: PKCS #1 RSA with 2048-bit key
      Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
      Not Valid After: Wed Oct 11 18:26:11 CEST 2017
      Issued On: Thu Oct 22 18:26:11 CEST 2015
      Issued By: caadmin
    ----------------------------
    Number of entries returned 1
    Copy to Clipboard Toggle word wrap
  3. Export the KRA transport certificate: 
    $ pki ca-cert-show 0x7 --output kra.transport
    Copy to Clipboard Toggle word wrap
  4. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -v -o /user_or_entity_database_directory/example.csr
    Copy to Clipboard Toggle word wrap
    To create an Elliptic Curve (EC) key pair and CSR, pass the -a ec -t false options to the command.
    For further details about the parameters, see the CRMFPopClient(1) man page.
  5. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----
    Copy to Clipboard Toggle word wrap

5.2.3.2. Using CRMFPopClient to Create a CSR for SharedSecret-based CMC
Copia collegamento

The following procedure explains how to use the CRMFPopClient utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert and caECFullCMCSharedTokenCert profiles.
  1. Change to the certificate database directory of the user or entity for which the certificate is being requested, for example: 
    $ cd /user_or_entity_database_directory/
    Copy to Clipboard Toggle word wrap
  2. Retrieve the KRA transport certificate: 
    $ pki ca-cert-find --name "DRM Transport Certificate"
    ---------------
    1 entries found
    ---------------
      Serial Number: 0x7
      Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
      Status: VALID
      Type: X.509 version 3
      Key A    lgorithm: PKCS #1 RSA with 2048-bit key
      Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
      Not Valid After: Wed Oct 11 18:26:11 CEST 2017
      Issued On: Thu Oct 22 18:26:11 CEST 2015
      Issued By: caadmin
    ----------------------------
    Number of entries returned 1
    Copy to Clipboard Toggle word wrap
  3. Export the KRA transport certificate: 
    $ pki ca-cert-show 0x7 --output kra.transport
    Copy to Clipboard Toggle word wrap
  4. Create the CSR and store it in the /user_or_entity_database_directory/example.csr file: 
    $ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -y -v -o /user_or_entity_database_directory/example.csr
    Copy to Clipboard Toggle word wrap
    To create an EC key pair and CSR, pass the -a ec -t false options to the command.
    For further details about the parameters, see the output of the CRMFPopClient --help command.
  5. Optionally, verify that the CSR is correct: 
    $ cat /user_or_entity_database_directory/example.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICzzCCAbcCAQAwgYkx
...
-----END CERTIFICATE REQUEST-----
    Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat