5.6.2. CMC 注册过程

使用以下格式创建证书签名请求(CSR)：

PKCS #10 格式
证书请求消息格式(CRMF)格式

有关使用以下格式创建 CSR 的详情，请参考第 5.2 节 “创建证书签名请求”。

将 admin 证书导入到客户端 NSS 数据库。例如：

执行以下命令，从 .p12 文件中提取 admin 客户端证书：

openssl pkcs12 -in /root/.dogtag/instance/ca_admin_cert.p12 -clcerts -nodes -nokeys -out /root/.dogtag/instance/ca_admin_cert.crt

$ openssl pkcs12 -in /root/.dogtag/instance/ca_admin_cert.p12 -clcerts -nodes -nokeys -out /root/.dogtag/instance/ca_admin_cert.crt

Copy to Clipboard

Toggle word wrap

根据 红帽认证系统规划、安装和部署指南中的管理证书/密钥加密令牌一节中的指导，验证和导入管理客户端证书：
```
PKICertImport -d . -n "CA Admin - Client Certificate" -t ",," -a -i /root/.dogtag/instance/ca_admin_cert.crt -u C
```
```
$ PKICertImport -d . -n "CA Admin - Client Certificate" -t ",," -a -i /root/.dogtag/instance/ca_admin_cert.crt -u C
```
Copy to Clipboard Toggle word wrap
重要
在导入 CA Admin 客户端证书前，请确保已导入所有中间证书和 root CA 证书。

导入与证书关联的私钥。

pki -c password pkcs12-import --pkcs12-file /root/.dogtag/instance/ca_admin_cert.p12 --pkcs12-password-file /root/.dogtag/instance/ca/pkcs12_password.conf

$ pki -c password pkcs12-import --pkcs12-file /root/.dogtag/instance/ca_admin_cert.p12 --pkcs12-password-file /root/.dogtag/instance/ca/pkcs12_password.conf

Copy to Clipboard

Toggle word wrap

为 CMC 请求创建配置文件，如 /home/user_name/cmc-request.cfg，其中包含以下内容：

NSS database directory where CA agent certificate is stored
NSS database password
Token name (default is internal)
Nickname for signing certificate
Request format: pkcs10 or crmf
Total number of PKCS10/CRMF requests
Path to the PKCS10/CRMF request
The content must be in Base-64 encoded format.
Multiple files are supported. They must be separated by space.
Path for the CMC request

# NSS database directory where CA agent certificate is stored
dbdir=/home/user_name/.dogtag/nssdb/

# NSS database password
password=password

# Token name (default is internal)
tokenname=internal

# Nickname for signing certificate
nickname=subsystem_admin

# Request format: pkcs10 or crmf
format=pkcs10

# Total number of PKCS10/CRMF requests
numRequests=1

# Path to the PKCS10/CRMF request
# The content must be in Base-64 encoded format.
# Multiple files are supported. They must be separated by space.
input=/home/user_name/file.csr

# Path for the CMC request
output=/home/user_name/cmc-request.bin

Copy to Clipboard

Toggle word wrap

详情请查看 CMCRequest(1) man page。

创建 CMC 请求：

CMCRequest /home/user_name/cmc-request.cfg

$ CMCRequest /home/user_name/cmc-request.cfg

Copy to Clipboard

Toggle word wrap

如果命令成功，则 CMCRequest 程序会在请求配置文件的 output 参数中指定的文件中存储 CMC 请求。

为 HttpClient 创建配置文件，如 /home/user_name/cmc-submit.cfg，您要在以后的步骤中使用该文件来向 CA 提交 CMC 请求。在创建的文件中添加以下内容：

PKI server host name
PKI server port number
Use secure connection
Use client authentication
NSS database directory where the CA agent certificate is stored.
NSS database password
Token name (default: internal)
Nickname of signing certificate
Path for the CMC request
Path for the CMC response

# PKI server host name
host=server.example.com

# PKI server port number
port=8443

# Use secure connection
secure=true

# Use client authentication
clientmode=true

# NSS database directory where the CA agent certificate is stored.
dbdir=/home/user_name/.dogtag/nssdb/

# NSS database password
password=password

# Token name (default: internal)
tokenname=internal

# Nickname of signing certificate
nickname=subsystem_admin

# Path for the CMC request
input=/home/user_name/cmc-request.bin

# Path for the CMC response
output=/home/user_name/cmc-response.bin

Copy to Clipboard

Toggle word wrap

重要

在 nickname 参数中指定的 证书的别名 必须与之前用于 CMC 请求的证书匹配。

根据您请求的证书类型，将以下参数添加到上一步中创建的配置文件中：

servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=profile_name

servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=profile_name

Copy to Clipboard

Toggle word wrap

例如，对于 CA 签名证书：

servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert

servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert

Copy to Clipboard

Toggle word wrap

重要

当代理在下一步中提交 CMC 请求时，这个参数中指定的配置集必须使用 CMCAuth 身份验证插件。在用户初始化的注册中，配置集必须使用 CMCUserSignedAuth 插件。详情请查看第 9.3 节 “CMC 身份验证插件”。

将 CMC 请求提交到 CA：

HttpClient /home/user_name/cmc-submit.cfg

$ HttpClient /home/user_name/cmc-submit.cfg

Copy to Clipboard

Toggle word wrap

要将 CMC 响应转换为 PKCS #7 证书链，将 CMC 响应文件传递给 CMCResponse 工具的 -i 参数。例如：

CMCResponse -i /home/user_name/cmc-response.bin -o /home/user_name/cert_chain.crt

$ CMCResponse -i /home/user_name/cmc-response.bin -o /home/user_name/cert_chain.crt

Copy to Clipboard

Toggle word wrap

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links