Chapter 16. CRMFPopClient (Sending an Encoded CRMF Request)


The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate.
The tool does all of the following:
  1. Has the CA enforce or verify POP information encoded within a CRMF request.
  2. Makes simple certificate requests without using the standard Certificate System agent page or interface.
  3. Makes a simple certificate request that includes a transport certificate for key archival from the KRA.

Note

A transport.txt file containing the KRA's transport certificate must be present in the directory from which the command is run. If the file is missing, the archival process will still be attempted, but it will fail with the following error message:
ERROR: File 'transport.txt' does not exist
Try 'CRMFPopClient --help' for more information.
The transport.txt file must contain the entire base64-encoded transport certificate on a single line, with the header and footer removed.
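One way to produce and check transport.txt in the form the note requires, as an added example that is not part of the Red Hat documentation. The function names, the input file name kra_transport.pem and the sample certificate body are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build transport.txt from a PEM file and validate its format.

# Emit the first certificate's base64 body on one line, without PEM armor.
# Text before the header, CRLF line endings and stray blanks are dropped.
pem_to_transport() {
    awk '/^-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /^-----END CERTIFICATE-----/   { exit }
         on { gsub(/[ \t\r]/, ""); printf "%s", $0 }
         END { print "" }' "$1"
}

# Return 0 only if the file is one line of base64 with no header or footer.
check_transport() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "not a single line" >&2; return 1; }
    if LC_ALL=C grep -q '[^A-Za-z0-9+/=]' "$f"; then
        echo "header, footer or non-base64 characters present" >&2; return 1
    fi
    len=$(( $(tr -d '\n' < "$f" | wc -c) ))
    [ "$len" -gt 0 ] && [ $((len % 4)) -eq 0 ] || {
        echo "empty or truncated base64" >&2; return 1; }
}

# Convert, then validate. Writes transport.txt into the current directory,
# so run it from the directory where CRMFPopClient will be invoked.
make_transport() {
    pem_to_transport "$1" > transport.txt && check_transport transport.txt
}

# Constructed sample input (not a real certificate): CRLF line endings and
# leading text, as often seen in exported PEM files.
write_sample_pem() {
    printf '%s\r\n' \
        'Bag Attributes: constructed leading text' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURURTQU1QTEUw' \
        'Tk9UQVJFQUxDRVJUSUZJQ0FURQ==' \
        '-----END CERTIFICATE-----' > "$1"
}
```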

16.1. Syntax

There are two syntax styles for the CRMFPopClient utility, depending on the intended use.
This is for sending a simple certificate request to a CA:

CRMFPopClient token_password profile_name host port username requester_name pop_option subject_dn [ OUTPUT_CERT_REQ ]

This is for printing the certificate request to stdout, without sending it to a CA:

CRMFPopClient token_password pop_option OUTPUT_CERT_REQ subject_dn

Option Description
token_password
The password for the cryptographic token.
profile_name
The CA profile to which to submit the request.
host
The hostname of the CA instance. Depending on how DNS and the network are configured, this can be a machine name, fully-qualified domain name, or IPv4 or IPv6 address.
port
The non-SSL port of the Certificate System CA.
username
The Certificate System user for whom the certificate request is issued.
requester_name
The name of the person or entity who is requesting the certificate.
pop_option
Sets the type of POP request to generate; since this can generate invalid requests, this option can be used for testing. There are three values:
  • POP_SUCCESS. Generates a request with the correct POP information; the server verifies that the information is correct.
  • POP_FAIL. Generates a request with incorrect POP information; the server rejects this request if it is submitted. This is used to test server configuration.
  • POP_NONE. Generates a CRMF request with no POP information. If the server is configured to verify all the POP information, then it rejects this request. In that case, it can be used to test the server configuration.
subject_dn
The distinguished name of the requested certificate.
OUTPUT_CERT_REQ
Prints the generated certificate request to the screen. This is optional when the CRMF POP request is sent to a CA, but it is required when the command is used simply to return the request.
© 2025 Red Hat