pkispawn and pkidestroy.
the pkicreate and pkisilent tools. In Certificate System version 9 and later, the single pkispawn tool now handles all of these operations.
The pkiremove tool removed subsystems in previous Certificate System versions. It has now been replaced by pkidestroy.
The pkispawn utility creates a Certificate System subsystem and configures it. It supports two installation modes:
- Interactive mode, in which pkispawn automatically prompts the user for the basic information required for the installation
- pkispawn, and let the utility prompt you interactively for the remaining settings. For example, if you pass the -s option to pkispawn but not the -f option that supplies a configuration file, the installation uses the default configuration settings from the /etc/pki/default.cfg file and prompts you interactively for any additional custom information, such as passwords.
pkispawn installs a Certificate System subsystem. For details on pkispawn, see the man page, which includes various pkispawn usage examples.
To create and configure a subsystem with pkispawn, run the utility with the following options:
- the -s option
- the -f option
creates a CA subsystem using the myconfig.txt file:
# pkispawn -s CA -f myconfig.txt
Configuration file for pkispawn
stores some default configuration settings in the /etc/pki/default.cfg file. To create a custom configuration file that you can pass to the pkispawn tool, copy default.cfg to a different location. Then edit the copy to define the configuration settings that you want pkispawn to apply to the new subsystem.
the default.cfg file. A common practice is to store only the parameters that differ from the default configuration in the user-supplied custom configuration file.
The default.cfg file is divided into several sections:
[DEFAULT]
pki_admin_password=
pki_backup_password=
pki_client_database_password=
pki_client_pkcs12_password=
pki_ds_password=
pki_replication_password=
pki_security_domain_password=
pki_token_password=

[Tomcat]
pki_clone_pkcs12_password=

[CA]
pki_admin_name=caadmin
pki_admin_email=caadmin@example.com
the Tomcat section, which takes precedence over the configuration in the DEFAULT section. This behavior lets you specify parameters shared by all subsystems in the DEFAULT or Tomcat section, and options specific to one subsystem in that subsystem's own section.
After running pkispawn, a copy of the default.cfg file is saved in the created subsystem. That copy is then used when the subsystem is removed with pkidestroy.
For various examples of custom configuration files that can be passed to pkispawn, see the man page. For details on default.cfg, see the man page.
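As an added illustration, not taken from the original documentation or from pkispawn itself, the following Python models the precedence described above (the subsystem's own section, then Tomcat, then DEFAULT) against a constructed default.cfg and a constructed user override file, and lists the password parameters that are still empty for a subsystem. The file contents, the parameter subset and the helper names are assumptions made for this example.

```python
import configparser

# Constructed sample of /etc/pki/default.cfg, trimmed to a few parameters.
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_name=caadmin
pki_admin_password=
pki_ds_password=
pki_security_domain_password=

[Tomcat]
pki_clone_pkcs12_password=

[CA]
pki_admin_name=caadmin
pki_admin_email=caadmin@example.com
"""

# Constructed user file passed with -f; it carries only the values that
# differ from the defaults, as the text recommends.
USER_CFG = """\
[DEFAULT]
pki_admin_password=Secret.123
pki_ds_password=Secret.123

[CA]
pki_admin_email=pki-admin@example.com
"""

# Sections consulted after the subsystem's own section, in order.
PRECEDENCE = ("Tomcat", "DEFAULT")


def load_config(*texts):
    """Parse cfg texts in order; a later file overrides earlier values key by key.
    The parser's implicit default section is renamed so that [DEFAULT] becomes an
    ordinary section and the subsystem > Tomcat > DEFAULT order is applied explicitly."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    for text in texts:
        cp.read_string(text)
    return cp


def resolve(cp, subsystem, key):
    """Return (value, section) for key, using subsystem > Tomcat > DEFAULT."""
    for section in (subsystem,) + PRECEDENCE:
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key), section
    raise KeyError(f"{key} is not set in any section visible to {subsystem}")


def effective_settings(cp, subsystem):
    """Every parameter visible to the subsystem, each resolved by precedence."""
    keys = set()
    for section in (subsystem,) + PRECEDENCE:
        if cp.has_section(section):
            keys.update(cp.options(section))
    return {k: resolve(cp, subsystem, k)[0] for k in sorted(keys)}


def unset_passwords(cp, subsystem):
    """Password parameters still empty for the subsystem: the values pkispawn would
    have to prompt for, or that must be filled in before a non-interactive run."""
    settings = effective_settings(cp, subsystem)
    return sorted(k for k, v in settings.items() if k.endswith("_password") and v == "")


if __name__ == "__main__":
    cfg = load_config(DEFAULT_CFG, USER_CFG)
    for key in ("pki_admin_email", "pki_admin_password", "pki_clone_pkcs12_password"):
        value, origin = resolve(cfg, "CA", key)
        print(f"{key} = {value!r}  (from [{origin}])")
    print("still empty for CA:", unset_passwords(cfg, "CA"))
```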
Run without any configuration options, pkispawn enters interactive installation mode and automatically prompts you for the basic required installation options. The interactive pkispawn installation mode is intended for users who are familiar with Certificate System. For a list of the basic options used in interactive mode, see the man page.
Provide a configuration file to pkispawn with the -f option, as described in Section 1.1.1, "Non-interactive pkispawn mode".
in the /etc/sysconfig/pki/tomcat/instance_name/subsystem/deployment.cfg file.
run pkispawn, specifying a different subsystem each time. For example, to create an instance with a CA and a KRA, run the command, and then run the command.
The pkidestroy tool removes a subsystem from the specified Certificate Server instance. The utility can run either non-interactively or interactively.
To remove a subsystem with pkidestroy, run the tool with the following options:
- the -s option
- the -i option
# pkidestroy -s KRA -i instance_name
For details on pkidestroy, see the man page.
pkidestroy, the tool automatically prompts you for the required information. For example, if the -s option is not specified, pkidestroy prompts you interactively for the subsystem to remove.
The pki tool lets clients access the PKI services on a Certificate System server. It provides many commands and subcommands for operations such as user or group management, certificate management, and profile management.
To display the pki commands and options, run pki without arguments:
$ pki
usage: pki [OPTIONS..] <command> [ARGS..]
-c <password> Security database password
-d <database> Security database location (default:
~/.dogtag/nssdb)
...
Subsystems:
ca CA management commands
kra KRA management commands
ocsp OCSP management commands
...
Commands:
client Client management commands
cert Certificate management commands
group Group management commands
...
pki commands have subcommands. To display the subcommands available for a particular pki command, run that command without any options. For example, to display the subcommands available for the pki client command:
$ pki client
Commands:
client-init Initialize client security database
client-cert-find Find certificates in client security database
client-cert-import Import certificate into client security database
...
By default, the pki tool connects to the PKI server with the following parameters:
- Protocol: http
- Host name: localhost
- Port: 8080
Add the following options to the pki command to specify custom parameters:
- -P specifies the protocol
- -h specifies the host name
- -p specifies the port
pki -P https -h server.example.com -p 8443 cert-find
The -U option supplies the whole URL in the format . The subsystem is determined by the command being executed. For example, the following command lists the certificates in the CA:
pki -U https://server.example.com:8443 cert-find
Some pki commands require the user to authenticate. The utility supports authentication with a user name and password, or with a client certificate.
Authenticating with a user name and password
Add the -u option to the pki command. To supply the password, use the -W or -w option; if you do not pass the password on the command line with -W or -w, pki prompts for it interactively when it is needed.
Provide the password with -W, because this option lets you protect the password with measures such as file system permissions, system ACLs, or SELinux policy. With -w, the password is given in plain text.
and lets pki prompt for the password:
pki -u user_name user-find
Authenticating with a client certificate
Use the -C or -c option to specify the security database password, and the -n option to specify the certificate nickname.
Pass the password in a file with -C, because this option lets you protect that file with measures such as file system permissions, system ACLs, or SELinux policy. With -c, the password is given in plain text.
pki -C security_database_password_file -n certificate_nickname user-find
The pki tool supports paging: command output can be split into pages so that only the specified page is displayed. Paging is particularly useful for commands that can return many results, such as the command.
To split pki command output into pages, use the following options when entering the command:
- --start defines the index of the first entry on the page to display; set this option to 0 to start from the first entry of the command output
- --size defines the number of entries on a page
$ pki user-find --start 0 --size 10
$ pki user-find --start 10 --size 10
pki commands and their subcommands, and what they do. For more details on how to use a particular pki subcommand, run it with the --help option. For example:
$ pki cert-find --help
usage: cert-find [OPTIONS...]
--certTypeSecureEmail <on|off> Certifiate Type: Secure Email
--certTypeSSLClient <on|off> Certifiate Type: SSL Client
--certTypeSSLServer <on|off> Certifiate Type: SSL Server
...
Client initialization
- Initialize a new client environment; the command creates a security database in the default certificate database directory ~/.dogtag/nssdb/. The password for the new security database must be specified with the -c or -C option. For example:
$ pki -c Secret123 client-init
------------------
Client initialized
------------------
List local certificates
Import certificates and private keys
-
$ pki -c Secret123 -n "CA Signing Certificate - EXAMPLE" client-cert-import --ca-server
-------------------------------------------------------
Imported certificate "CA Signing Certificate - EXAMPLE"
-------------------------------------------------------
$ pki -c Secret123 -n "CA Signing Certificate - EXAMPLE" client-cert-import --ca-cert ca.pem
-------------------------------------------------------
Imported certificate "CA Signing Certificate - EXAMPLE"
-------------------------------------------------------
$ pki -c Secret123 client-cert-import --pkcs12 ca_admin_cert.p12 --pkcs12-password Secret123
----------------------------------------
Imported certificates from PKCS #12 file
----------------------------------------
Delete local certificates
List certificates
-
$ pki cert-find --status VALID
-
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>
  <serialNumberRangeInUse>true</serialNumberRangeInUse>
  <serialFrom></serialFrom>
  <serialTo></serialTo>
  <subjectInUse>false</subjectInUse>
  <eMail></eMail>
  <commonName></commonName>
  <userID></userID>
  <orgUnit></orgUnit>
  <org></org>
  <locality></locality>
  <state></state>
  <country></country>
  <matchExactly>false</matchExactly>
  <status></status>
  <revokedByInUse>false</revokedByInUse>
  <revokedBy></revokedBy>
  <revokedOnFrom>false</revokedOnFrom>
  <revokedOnTo></revokedOnTo>
  <revocationReasonInUse>false</revocationReasonInUse>
  <revocationReason></revocationReason>
  <issuedByInUse>false</issuedByInUse>
  <issuedBy></issuedBy>
  <issuedOnInUse>false</issuedOnInUse>
  <issuedOnFrom></issuedOnFrom>
  <issuedOnTo></issuedOnTo>
  <validNotBeforeInUse>false</validNotBeforeInUse>
  <validNotBeforeFrom></validNotBeforeFrom>
  <validNotBeforeTo></validNotBeforeTo>
  <validNotAfterInUse>false</validNotAfterInUse>
  <validNotAfterFrom></validNotAfterFrom>
  <validNotAfterTo></validNotAfterTo>
  <validityLengthInUse>false</validityLengthInUse>
  <validityOperation></validityOperation>
  <validityCount></validityCount>
  <validityUnit></validityUnit>
  <certTypeInUse>false</certTypeInUse>
  <certTypeSubEmailCA></certTypeSubEmailCA>
  <certTypeSubSSLCA></certTypeSubSSLCA>
  <certTypeSecureEmail></certTypeSecureEmail>
</CertSearchRequest>
-
$ pki cert-find --input filename
-
Show a certificate
-
$ pki cert-show certificate ID --encoded --output filename
Create a certificate request
-
-
$ certutil -R -d security database directory -s subject DN -a
-
$ pki cert-request-profile-show profile --output file
-
Edit the output file and insert the CSR into the cert_request attribute. For example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  ...
  <Input id="i1">
    ...
    <Attribute name="cert_request_type">
      <Value>pkcs10</Value>
      ...
    </Attribute>
    <Attribute name="cert_request">
      <Value>
MIIBZTCBzwIBADAmMRAwDgYDVQQKEwdFWEFNUExFMRIwEAYDVQQDEwlUZXN0IFVz
ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7hYQp/g4FblKRd3Cjyfh8e
MFGZLbTDZcY+YBxOk43JeqIDLkGZRHpr/84hK4lgISuyXpvz8owKel2jw6q7bP9Z
0D8AGrrJfEvAuMQrAJiMd/O3U6CKF9+U/z8RjzHPXjzAKl/cIVpqnPuAQOMWQGmx
HkxmLYZww0hKcc9nl5KPAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCtpV2ts1Hp
w+s7ev90d2gRpmPBtNGfOz4OsOpNYbDX3fGabkLFIJAWQ8arjQqToGawIh0nZpND
UJ9hSa1gIfI+4uxYKjk6cFQAPnZeVgLg1KgELVIzYZ0Qem5NXHmRsR/Vwxh5abzX
XeuHTCnFT0Elpva9mnR+tqe1agZwHghDwQ==
      </Value>
      ...
    </Attribute>
  </Input>
  ...
</CertEnrollmentRequest>
-
$ pki cert-request-submit filename
-
Check certificate request status
Manage certificate requests
For details on how to authenticate when running pki commands, see .
-
$ pki agent authentication cert-request-review request_ID --output filename
Pass the required review action directly to the command with --action to perform the approval in a single step. For example:
$ pki agent authentication cert-request-review request_ID --action approve
Revoke certificates
For details on how to authenticate when running pki commands, see .
For details on how to authenticate when running pki commands, see .
Templates
-
$ pki key-template-show retrieveKey --output retrieveKey.xml
Key requests
For details on how to authenticate when running pki commands, see .
Keys
For details on how to authenticate when running pki commands, see .
-
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin key-archive --input archiveKey.xml
-
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin key-retrieve --keyID 0x1
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Actual archived data:
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+
P/BItA74mTdLX4eFY+fKE4hraeOV4ts+4M9qfry/FJkbMq3dpIpsxuMmGclbHEUQ
J/MfLAHgaxwVLGK8qCGb0IeY0Z7qIbGucSCLcDVpODlsTvqftK/SJZm56ODu7xXh
...
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin key-retrieve --input retrieveKey.xml
-
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin key-show 0x1
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret123 -n caadmin key-show --clientKeyID test
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB
-
activates the key. Setting the --status option to inactive deactivates the key.
For details on how to authenticate when running pki commands, see .
TokenInfo /directory/alias
/var/lib/pki-ca/alias.
sslget [-e ] -n [[-p ] | [-w ]] [-d ] [-v ] [-V ] -r [:]
If the -w option is specified, it is not used. If the -p option is specified, it is not used.
sslget -e "profileId=caInternalAuthServerCert&cert_request_type=pkcs10
&requestor_name=TPS-server.example.com-7889
&cert_request=MIIBGTCBxAIBADBfMSgwJgYDVQQKEx8yMDA2MTEwNngxMi
BTZmJheSBSZWRoYXQgRG9tYWluMRIwEAYDVQQLEwlyaHBraS10cHMxHzAdBgNVBA
MTFndhdGVyLnNmYmF5LnJlZGhhdC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAk
EAsMcYjKD2cDJOeKjhuAiyaC0YVh8hUzfcrf7ZJlVyROQx1pQrHiHmBQbcCdQxNz
YK7rxWiR62BPDR4dHtQzj8RwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAKpuTYGP
%2BI1k50tjn6enPV6j%2B2lFFjrYNwlYWBe4qYhm3WoA0tIuplNLpzP0vw6ttIMZ
kpE8rcfAeMG10doUpp
&xmlOutput=true&sessionID=-4771521138734965265
&auth_hostname=server.example.com&auth_port=9444"
-d "/var/lib/pki-tps/alias" -p "password123" -v -n "Server-Cert cert-pki-tps" -r "/ca/ee/ca/profileSubmit" server.example.com:9444
The signedAudit directory must not be writable by any user, including the auditor.
- the pkiaudit group, which is the default value of the pki_audit_group variable in the [DEFAULT] section of the /etc/pki/default.cfg file
- when the pkispawn tool runs, any system group that overrides the pki_audit_group variable is identified as the audit group
-
mkdir ~jsmith/auditVerifyDir
-
certutil -d ~jsmith/auditVerifyDir -N
-
https://server.example.com:ca_https_port/ca/ee/ca/
-
certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
AuditVerify -d dbdir -n signing_certificate_nickname -a logListFile [-P cert/key_db_prefix] [-v]
/var/log/pki-ca/signedAudit/ca_cert-ca_audit, /var/log/pki-ca/signedAudit/ca_cert-ca_audit.20030227102711, /var/log/pki-ca/signedAudit/ca_cert-ca_audit.20030226094015
~jsmith/auditDir.
~jsmith/auditVerifyDir/.
-
For example, this file could be the logListFile in the /etc/audit directory. Its contents are a comma-separated list of the audit logs to verify, such as "auditlog.1213,auditlog.1214,auditlog.1215".
-
If the audit database has no prefix and is located in the user's home directory, such as /home/smith/.mozilla, and the signing certificate nickname is , the command is as follows:
AuditVerify -d ~jsmith/auditVerifyDir -n auditsigningcert -a /etc/audit/logListFile -P "" -v
audit_list is a simple text file that gives the full paths of the incoming audit logs to verify.
cat ~jsmith/auditVerifyDir/audit_list
/var/lib/pki-ca/logs/signedAudit/ca_audit.20110211145833
AuditVerify -d ~jsmith/auditVerifyDir -n "Log Signing Certificate" -a ~jsmith/auditVerifyDir/audit_list
Verification process complete.
Valid signatures: 20
Invalid signatures: 0
AuditVerify -d ~jsmith/auditVerifyDir -n "Log Signing Certificate" -a ~jsmith/auditVerifyDir/audit_list
======
File:
/var/lib/pki-ca/logs/signedAudit/ca_audit.20110211145833
======
Line 52: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit.20101213141439:48 to /var/lib/pki-ca/logs/signedAudit/ca_audit.20101213141439:51
Verification process complete.
Valid signatures: 19
Invalid signatures: 1
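To show what the AuditVerify output above is reporting, here is an added Python model (not AuditVerify's or Certificate System's code) of a signed audit log: every few lines a signature line is appended that covers the lines since the previous signature, and the verifier walks the file, recomputes each signature and reports the failing range in the same file:line form. The line layout is constructed for the example, and HMAC-SHA256 with a shared key stands in for the RSA signature that the real log signing certificate's private key produces.

```python
import hashlib
import hmac

# Marker that identifies a signature line in this constructed log format.
# The real signedAudit files carry an AUDIT_LOG_SIGNING event; the exact line
# layout used here is an assumption made for the example.
SIGNING_MARKER = "[AuditEvent=AUDIT_LOG_SIGNING]"

# Constructed stand-in for the log signing key. Certificate System signs with
# the private key behind the "Log Signing Certificate"; this example swaps in
# HMAC-SHA256 with a shared key so that it runs without a certificate database.
SIGNING_KEY = b"constructed-log-signing-key"


def sign_block(key, lines):
    """Signature over a block of log lines (newline-joined, in order)."""
    return hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def signing_line(key, block):
    return f"{SIGNING_MARKER} signature of audit buffer just flushed: {sign_block(key, block)}"


def make_signed_log(key, events, every=3):
    """Constructed signed log: after every `every` events a signing line is
    appended. Each signature covers everything since, and including, the previous
    signing line, so deleting a whole block together with its signature is caught
    by the next signature (this chaining is the example's design choice)."""
    log, start, unsigned = [], 0, 0
    for event in events:
        log.append(event)
        unsigned += 1
        if unsigned == every:
            log.append(signing_line(key, log[start:]))
            start = len(log) - 1
            unsigned = 0
    if unsigned:
        log.append(signing_line(key, log[start:]))
    return log


def verify_log(key, path, lines):
    """Model of AuditVerify over one file: returns (valid, invalid, failures).
    Failure messages use the file:line form seen in the AuditVerify output above."""
    valid, invalid, failures = 0, 0, []
    start = 0
    for idx, line in enumerate(lines):
        if SIGNING_MARKER not in line:
            continue
        claimed = line.rsplit(": ", 1)[-1].strip()
        expected = sign_block(key, lines[start:idx])
        if hmac.compare_digest(claimed, expected):
            valid += 1
        else:
            invalid += 1
            failures.append(
                f"Line {idx + 1}: VERIFICATION FAILED: signature of "
                f"{path}:{start + 1} to {path}:{idx}")
        start = idx
    return valid, invalid, failures


if __name__ == "__main__":
    path = "/var/lib/pki-ca/logs/signedAudit/ca_audit.20110211145833"
    log = make_signed_log(SIGNING_KEY, [f"constructed audit event {i}" for i in range(1, 8)])
    tampered = list(log)
    tampered[4] = "constructed audit event 4 (edited)"   # modify one line in place
    for label, lines in (("original", log), ("tampered", tampered)):
        valid, invalid, failures = verify_log(SIGNING_KEY, path, lines)
        print(f"{label}: Valid signatures: {valid}  Invalid signatures: {invalid}")
        for failure in failures:
            print("  " + failure)
```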
setpin.conf to store some of its required options. Before running setpin, edit this file to reflect the directory information, and set the setpin tool to use it by doing the following:
-
Open the setpin.conf file.
cd /usr/lib/pki/native-tools
vi setpin.conf
-
#------- Enter the hostname of the LDAP server
host=localhost
#------- Enter the port number of the LDAP server
port=389
#------- Enter the DN of the Directory Manager user
binddn=CN=Directory Manager
#------- Enter the password for the Directory manager user
bindpw=
# Enter the DN and password for the new pin manager user
pinmanager=cn=pinmanager,dc=example,dc=com
pinmanagerpwd=
# Enter the base over which this user has the power
# to remove pins
basedn=ou=people,dc=example,dc=com
## This line switches setpin into setup mode.
## Please do not change it.
setup=yes
-
Run setpin with the options file set to setpin.conf.
setpin optfile=/usr/lib/pki/native-tools/setpin.conf
setpin host= [port=] binddn= [bindpw=] filter="" [basedn=] [[length=] | [minlength=] | [maxlength=]] [gen=] [case=upperonly] [hash=] [saltattribute=] [input=] [output=] [write] [clobber] [testpingen=] [debug] [optfile=] [setup [pinmanager=] [pinmanagerpwd=]]
dn. If the attribute is set, the tool combines the attribute value with each PIN and hashes the resulting string with the hash routine. See for details.
If the hash value is set to , this attribute is ignored; this is the recommended setting.
setpin.conf is located in the /usr/lib/pki/native-tools directory. Run the setpin command with the option pointing to the setpin.conf file.
setpin optfile=/usr/lib/pki/native-tools/setpin.conf
vim /usr/lib/pki/native-tools/setpin.conf
setup=no
setpin host=csldap port=389 binddn="CN=directory manager" bindpw=password filter="(cn=*)" basedn="dc=example,dc=com" clobber write hash=none
setpin host=csldap port=19000 binddn="CN=Directory Manager" bindpw=secret filter="(ou=employees)" basedn="dc=example,dc=com"
Processing: cn=QA Managers,ou=employees,dc=example,dc=com
Adding new pin/password
dn:cn=QA Managers,ou=employees,dc=example,dc=com
pin:lDWynV
status:notwritten
Processing: cn=PD Managers,ou=employees,dc=example,dc=com
Adding new pin/password
dn:cn=PD Managers,ou=employees,dc=example,dc=com
pin:G69uV7
status:notwritten
dn:cn=user1, dc=example,dc=com
dn:cn=user2, dc=example,dc=com
...
dn:cn=user3, dc=example,dc=com
dn:cn=user1, dc=example,dc=com
pin:pl229Ab
dn:cn=user2, dc=example,dc=com
pin:9j65dSf
...
dn:cn=user3, dc=example,dc=com
pin:3knAg60
dn: user_dn1
pin: generated_pin1
status: status1
dn: user_dn2
pin: generated_pin2
status: status2
...
dn: user_dn#
pin: generated_pin#
status: status#
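As an added example (not setpin's own code) of the PIN handling described above, the following Python generates PINs for a constructed set of directory entries, honours the length, case=upperonly, hash and saltattribute semantics as the text describes them, and renders the dn:/pin:/status: layout of the output file. The concatenation order of salt and PIN, the hex encoding of the hash, and the helper names are assumptions made for this example; nothing is written to a directory, so every record stays notwritten.

```python
import hashlib
import secrets
import string

# Constructed stand-in for the LDAP search results setpin would retrieve with
# the filter/basedn options: one dict per entry, keyed by attribute name.
ENTRIES = [
    {"dn": "cn=QA Managers,ou=employees,dc=example,dc=com", "cn": "QA Managers", "uid": "qamgr"},
    {"dn": "cn=PD Managers,ou=employees,dc=example,dc=com", "cn": "PD Managers", "uid": "pdmgr"},
]


def generate_pin(length=6, upperonly=False):
    """Random alphanumeric PIN of the given length drawn from a CSPRNG.
    case=upperonly restricts the alphabet to upper-case letters and digits."""
    alphabet = string.ascii_uppercase + string.digits if upperonly else string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_value(pin, hash_alg="none", salt=""):
    """Value that would be stored in the directory. hash=none keeps the PIN as is;
    any other value hashes salt + PIN (order and hex encoding are assumptions)."""
    if hash_alg == "none":
        return pin
    return hashlib.new(hash_alg, (salt + pin).encode()).hexdigest()


def assign_pins(entries, length=6, upperonly=False, hash_alg="none",
                saltattribute=None, pin_factory=generate_pin):
    """One record per entry: the clear PIN for the output file, the value that
    would be stored, and the status. When saltattribute names an attribute, that
    entry's attribute value is the salt; when hash is none the salt is ignored."""
    records = []
    for entry in entries:
        pin = pin_factory(length, upperonly)
        salt = entry.get(saltattribute, "") if saltattribute else ""
        records.append({
            "dn": entry["dn"],
            "pin": pin,
            "stored": store_value(pin, hash_alg, salt),
            "status": "notwritten",  # this example never writes to the directory
        })
    return records


def format_output(records):
    """Render records in the dn:/pin:/status: layout of the setpin output file."""
    return "".join(f"dn:{r['dn']}\npin:{r['pin']}\nstatus:{r['status']}\n" for r in records)


if __name__ == "__main__":
    recs = assign_pins(ENTRIES, length=6, upperonly=True, hash_alg="sha256", saltattribute="uid")
    print(format_output(recs), end="")
    for r in recs:
        print("stored for", r["dn"], "->", r["stored"])
```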
byte[0] = X
AtoB input_file output_file
Converts the base-64 ASCII data in the ascii_data.in file and writes the binary equivalent of the data to the binary_data.out file.
AtoB /usr/home/smith/test/ascii_data.in /usr/home/smith/test/binary_data.out
BtoA input_file output_file
Base-64 encodes the binary data in the binary_data.in file and writes the corresponding ASCII to the ascii_data.out file.
BtoA /usr/home/smith/test/binary_data.in /usr/home/smith/test/ascii_data.out
PrettyPrintCert [-simpleinfo] input_file [output_file]
Converts the ASCII base-64 encoded certificate in the ascii_cert.in file to a certificate in pretty-print form, written to ascii_cert.out.
PrettyPrintCert /usr/home/smith/test/ascii_cert.in /usr/home/smith/test/ascii_cert.out
The base-64 encoded certificate data in ascii_cert.in looks like this:
-----BEGIN CERTIFICATE-----
MIIC2DCCAkGgAwIBAgICEAwwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMxIzA
hBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRXaWRnZX
QgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVzdCBUZXN0I
FRlc3QgQ0EwHhcNOTkwMjE4MDMMzM5WhcNMDAwMjE4MDM0MzM5WjCBrjELMAkGA1UEB
hMCVVMxJjAkBgNVBAoTHU5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnAuMRUwEwYD
VQQLEwOZXRzY2FwZSBDTVMxGDAWBEBEwhtaGFybXNlbjEfMB0GA1UEAxWaW50ZGV2Y2
EgQWRtaW5pcwp0frfJOObeiSsia3BuifRHBNw95ZZQR9NIXr1x5bE
-----END CERTIFICATE-----
The certificate in pretty-print form in the ascii_cert.out file looks like this:
Certificate:
Data:
Version: v3
Serial Number: 0x100C
Signature Algorithm: OID.1.2.840.113549.1.1.5 -1.2.840.113549.1.1.5
Issuer: CN=Test CA,OU=Widget Makers 'R'Us,O=Example Corporation, Widgets,Inc.,C=US
Validity:
Not Before: Wednesday, February 17, 1999 7:43:39 PM
Not After: Thursday, February 17, 2000 7:43:39 PM
Subject: MAIL=admin@example.com,CN=testCA Administrator, UID=admin, OU=IS,
O=Example Corporation,C=US
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
30:81:89:02:81:81:00:DE:26:B3:C2:9D:3F:7F:FA:DF:
24:E3:9B:7A:24:AC:89:AD:C1:BA:27:D1:1C:13:70:F7:
96:59:41:1F:4D:21:7A:F5:C7:96:C4:75:83:35:9F:49:
E4:B0:A7:5F:95:C4:09:EA:67:00:EF:BD:7C:39:92:11:
31:F2:CA:C9:16:87:B9:AD:B8:39:69:18:CE:29:81:5F:
F3:4D:97:B9:DF:B7:60:B3:00:03:16:8E:C1:F8:17:6E:
7A:D2:00:0F:7D:9B:A2:69:35:18:70:1C:7C:AE:12:2F:
0B:0F:EC:69:CD:57:6F:85:F3:3E:9D:43:64:EF:0D:5F:
EF:40:FF:A6:68:FD:DD:02:03:01:00:01:
Extensions:
Identifier: 2.16.840.1.113730.1.1
Critical: no
Value: 03:02:00:A0:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
EB:B5:11:8F:00:9A:1A:A6:6E:52:94:A9:74:BC:65:CF:
07:89:2A:23:
Signature:
Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
Signature:
3E:8A:A9:9B:D1:71:EE:37:0D:1F:A0:C1:00:17:53:26:
6F:EE:28:15:20:74:F6:C5:4F:B4:E7:95:3C:A2:6A:74:
92:3C:07:A8:39:12:1B:7E:C4:C7:AE:79:C8:D8:FF:1F:
D5:48:D8:2E:DD:87:88:69:D5:3A:06:CA:CA:9C:9A:55:
DA:A9:E8:BF:36:BC:68:6D:1F:2B:1C:26:62:7C:75:27:
E2:8D:24:4A:14:9C:92:C6:F0:7A:05:A1:52:D7:CC:7D:
E0:9D:6C:D8:97:3A:9C:12:8C:25:48:7F:51:59:BE:3C:
2B:30:BF:EB:0A:45:7D:A6:49:FB:E7:BE:04:05:D6:8F:
Takes the ASCII base-64 encoded certificate in the ascii_cert.in file and writes the information contained in the certificate to the simple-format output file cert.simple.
PrettyPrintCert -simpleinfo /usr/home/smith/test/ascii_cert.in /usr/home/smith/test/cert.simple
The base-64 encoded certificate data in ascii_cert.in is the same as shown in the previous example.
The simple certificate information in the cert.simple output looks like this:
MAIL=admin@example.com
CN=testCA Administrator
UID=admin
OU=IS
O=Example Corporation
C=US
PrettyPrintCrl input_file [output-file]
Takes the ASCII base-64 encoded CRL in the ascii_crl.in file and writes the CRL in pretty-print form to the output file ascii_crl.out.
PrettyPrintCrl /usr/home/smith/test/ascii_crl.in /usr/home/smith/test/ascii_crl.out
The base-64 encoded CRL in ascii_crl.in looks like this:
-----BEGIN CRL-----
MIIBkjCBAIBATANBgkqhkiG9w0BAQQFADAsMREwDwYDVQQKEwhOZXRzY2FwZTEXMBUG
A1UEAxMOQ2VydDQwIFRlc3QgQ0EXDTk4MTIxNzIyMzcyNFowgaowIAIBExcNOTgxMjE
1MTMxODMyWjAMMAoGA1UdFQQDCgEBMCACARIXDTk4MTINTEzMjA0MlowDDAKBgNVHRU
EAwoBAjAgAgERFw05ODEyMTYxMjUxNTRaMAwwCgYDVR0VBAMKAQEwIAIBEBcNOTgxMj
E3MTAzNzI0WjAMMAoGA1UdFQQDCgEDMCACAQoXDTk4MTEyNTEzMTExOFowDDAKBgNVH
RUEAwoBATANBgkqhkiG9w0BQQFAAOBgQBCN85O0GPTnHfImYPROvoorx7HyFz2ZsuKs
VblTcemsX0NL7DtOa+MyY0pPrkXgm157JrkxEJ7GBOeogbAS6iFbmeSqPHj8+
-----END CRL-----
The CRL in pretty-print form in the ascii_crl.out output looks like this:
Certificate Revocation List:
Data:
Version: v2
Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
Issuer: CN=Test CA,O=Example Corporation
This Update: Thu Dec 17 14:37:24 PST 1998
Revoked Certificates:
Serial Number: 0x13
Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Serial Number: 0x12
Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: CA_Compromise
Serial Number: 0x11
Revocation Date: Wednesday, December 16, 1998 4:51:54 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Serial Number: 0x10
Revocation Date: Thursday, December 17, 1998 2:37:24 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Affiliation_Changed
Serial Number: 0xA
Revocation Date: Wednesday, November 25, 1998 5:11:18 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Signature:
Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
Signature:
42:37:CE:4E:D0:63:D3:9C:77:C8:99:83:D1:3A:FA:28:
AF:1E:C7:C8:5C:F6:66:CB:8A:B1:56:E5:4D:C7:A6:B1:
7D:0D:2F:B0:ED:39:AF:8C:C9:8D:29:3E:B9:17:82:6D:
79:EC:9A:E4:C4:42:7B:18:13:9E:A2:06:C0:4B:A8:85:
6E:67:92:A8:F1:E3:F3:E2:41:1F:9B:2D:24:D9:DF:4C:
2B:A1:68:CE:96:C7:AF:F7:5B:F7:3D:2F:06:57:39:74:
CF:B2:FA:46:C6:AD:18:60:8D:3E:0C:F7:C1:66:52:37:
CF:89:42:B0:D7:33:C4:95:7E:F4:D9:1E:32:B8:5E:12:
- tkstool -D -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -I -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -K -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -L -n keyname -d dbdir [-h all | -h token_name] [-p dbprefix] [-f pwfile] [-x]
- tkstool -M -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -N -d dbdir [-p dbprefix] [-f pwfile]
- tkstool -P -d dbdir [-p dbprefix] [-f pwfile]
- tkstool -R -n keyname -r new_keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -S -d dbdir [-p dbprefix] [-x]
- tkstool -T -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile] [-z noiseFile]
- tkstool -U -n keyname -d dbdir -t transport_keyname -i inputFile [-h token_name] [-p dbprefix] [-f pwfile]
- tkstool -W -n keyname -d dbdir -t transport_keyname -o outputFile [-h token_name] [-p dbprefix] [-f pwfile]
-
tkstool -V
tkstool: Version 1.0
-
tkstool -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
If the tool was first used to add the HSM slot and token to the secmod.db database, a hardware HSM can be used instead of the software database.
-
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
tkstool: the specified token is empty
-
tkstool -T -d . -n transport
-
tkstool -I -d . -n verify_transport
Generating first symmetric key . . .
Generating second symmetric key . . .
Generating third symmetric key . . .
Extracting transport key from operational token . . .
transport key KCV: A428 53BA
Storing transport key on final specified token . . .
Naming transport key "transport" . . .
Successfully generated, stored, and named the transport key!
-
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 transport
-
tkstool -W -d . -n wrapped_master -t transport -o file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key (for wrapping) from the specified token . . .
Generating and storing the master key on the specified token . . .
Naming the master key "wrapped_master" . . .
Successfully generated, stored, and named the master key!
Using the transport key to wrap and store the master key . . .
Writing the wrapped data (and resident master key KCV) into the file called "file" . . .
wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9
master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data)
-
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 wrapped_master
1 transport
-
tkstool -U -d . -n unwrapped_master -t transport -i file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from the file called "file" . . .
wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9
master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . .
master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data)
master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to unwrap and store the master key on the specified token . . .
Naming the master key "unwrapped_master" . . .
Successfully unwrapped, stored, and named the master key!
-
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 unwrapped_master
1 wrapped_master
2 transport
-
tkstool -D -d . -n wrapped_master
Enter Password or Pin for "NSS Certificate DB":
tkstool: 1 key(s) called "wrapped_master" were deleted
-
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 unwrapped_master
1 transport
CMCRequest /path/to/file.cfg
The full path to the directory containing the cert8.db, key3.db, and secmod.db databases. This is typically the agent's personal directory, such as the browser certificate database in the home directory.
~jsmith/.mozilla/firefox.
The token password for cert8.db.
-
https://server.example.com:9444/ca/ee/ca/
-
Several profiles can receive CMC requests, including /ca/ee/ca/profileSubmitCMCFull and /ca/ee/ca/profileSubmitCMCSimple. The profile must be specified in the configuration.
Generates a certificate request from the parameters in the .cfg file. The parameters in are used to create the request in .
#Usage: CMCRequest <configuration file>
#For example, CMCRequest CMCRequest.cfg
#The configuration file should look like as follows:
#numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1
#input: full path for the PKCS10 request or CRMF request,
#the content must be in Base-64 encoded format
#Multiple files are supported. They must be separated by space.
#input=pkcs10.i
#input=govReq2.txt
input=myCMC.txt
#output: full path for the CMC request in binary format
output=/tmp/cfu/cmcReq.myCMC
#nickname: nickname for agent certificate which will be used
#to sign the CMC full request.
#nickname=CMS Agent Certificate
#nickname=cfuAgent-ca2's SjcRedhat Domain jaw ca2 ID
nickname=CA Administrator of Instance pki-ca-0124's SjcRedhat Domain 0124 ID
#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=/tmp/cfu/
#password: password for cert8.db which stores the agent
#certificate
password=netscape
#format: request format, either pkcs10 or crmf
format=crmf
#confirmCertAcceptance.enable: if true, then the request will
#contain this control. Otherwise, false.
confirmCertAcceptance.enable=false
#confirmCertAcceptance.serial: The serial number for
#confirmCertAcceptance control
confirmCertAcceptance.serial=3
#confirmCertAcceptance.issuer: The issuer name for
#confirmCertAcceptance control
confirmCertAcceptance.issuer=cn=Certificate Manager,c=us
#getCert.enable: if true, then the request will contain this
#control. Otherwise, false.
getCert.enable=false
#getCert.serial: The serial number for getCert control
getCert.serial=3
#getCert.issuer: The issuer name for getCert control
getCert.issuer=cn=Certificate Manager,c=us
#dataReturn.enable: if true, then the request will contain
#this control. Otherwise, false.
dataReturn.enable=false
#dataReturn.data: data contained in the control.
dataReturn.data=test
#transactionMgt.enable: if true, then the request will contain
#this control. Otherwise, false.
transactionMgt.enable=false
#transactionMgt.id: transaction identifier. Verisign recommend
#transactionId to be MD5 hash of publicKey.
transactionMgt.id=
#senderNonce.enable: if true, then the request will contain this
#control. Otherwise, false.
senderNonce.enable=false
#senderNonce.id: sender nonce
senderNonce.id=
#revRequest.enable: if true, then the request will contain this
#control. Otherwise, false.
revRequest.enable=false
#revRequest.nickname: The nickname for the revoke certificate
revRequest.nickname=newuser's 102504a ID
#revRequest.issuer: The issuer name for the certificate being
#revoked.
revRequest.issuer=cn=Certificate Manager,c=us
#revRequest.serial: The serial number for the certificate being
#revoked.
revRequest.serial=61
#revRequest.reason: The reason for revoking this certificate:
# unspecified, keyCompromise, caCompromise,
# affiliationChanged, superseded, cessationOfOperation,
# certificateHold, removeFromCRL
revRequest.reason=unspecified
#revRequest.sharedSecret: The sharedSecret
revRequest.sharedSecret=
#revRequest.comment: The human readable comment
revRequest.comment=
#revRequest.invalidityDatePresent: if true, the current time will be the
# invalidityDate. If false, no invalidityDate
# is present.
revRequest.invalidityDatePresent=false
#identityProof.enable: if true, then the request will contain
#this control. Otherwise, false.
identityProof.enable=false
#identityProof.sharedSecret: Shared Secret
identityProof.sharedSecret=testing
#popLinkWitness.enable: if true, then the request will contain
#this control. Otherwise, false.
#If you want to test this control, make sure to use CRMFPopClient
# to generate the CRMF request which will include the
#idPOPLinkWitness attribute in the controls section of the
#CertRequest structure.
popLinkWitness.enable=false
#LraPopWitness.enable: if true, then the request will contain this
#control. Otherwise, false.
LraPopWitness.enable=false
#LraPopWitness.bodyPartIDs: List of body part IDs
#Each id is separated by space.
LraPopWitness.bodyPartIDs=1
CMCRequest CMCrequest.myCMC.cfg
cert/key prefix =
path = /tmp/cfu/
The CMC enrollment request in base-64 encoded format:
The CMC enrollment request in binary format is stored in /tmp/cfu/cmcReq.myCMC.
CMCEnroll -d directory_containing_agent_cert -n certificate_nickname -r certificate_request_file -p certificate_DB_passwd [-c comment]
The directory containing the cert8.db, key3.db, and secmod.db files. This is typically the agent's personal directory, such as the browser certificate database in the home directory. Specified with -d.
-
Run the command to sign the certificate request. If the input file is request34.txt, the agent's certificate is stored in the ~jsmith/.mozilla/firefox directory, the common name of this CA's certificate is , and the certificate database password is , the command is as follows:
CMCEnroll -d "~jsmith/.mozilla/firefox" -n "Certificate Manager Agents Cert" -r "/export/requests/request34.txt" -p "1234pass"
The output of this command is stored in a file with the same name as the input file and .out appended.
# CMCEnroll -d ~jsmith/.mozilla/firefox -n "CA Administrator of Instance pki-ca Example Domain ID" -r pkcs10.i -p secret
cert/key prefix =
path = .
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
CMCResponse -d directoryName -i /path/to/CMCResponse.file
The .cfg file that will be used by to submit the request.
#host: host name for the http server
host=server.example.com
#port: port number
port=9444
#secure: true for secure connection, false for nonsecure connection
secure=true
#input: full path for the enrollment request, the content must be in binary format
input=/tmp/cfu/cmcReq.myCMC
#output: full path for the response in binary format
output=/tmp/cfu/cmcResponse.myCMC
#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/tmp/cfu
#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=false
#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=netscape
#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
nickname=
#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCFull
# HttpClient HttpClient.cfg
Total number of bytes read = 2667
handshake happened
Total number of bytes read = 2287
The response in binary format is stored in /tmp/jsmith/cmcResponse.myCMC
# CMCResponse -d . -i cmcResponse.myCMC
Certificates:
Certificate:
Data:
Version: v3
Serial Number: 0x1A
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca,O=SjcRedhat Domain 0124
Validity:
Not Before: Tuesday, March 8, 2011 8:41:30 AM PST America/Los_Angeles
Not After: Sunday, September 4, 2011 9:41:30 AM PDT America/Los_Angeles
Subject: CN=x
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (1024 bits) :
E1:65:C4:84:14:8D:EF:62:A3:56:1E:C1:C8:1F:F0:43:
AD:C5:47:2E:E1:CD:BA:27:EE:48:4D:1F:83:28:AB:34:
0C:08:EC:8C:15:45:E0:7F:23:66:F5:35:64:B2:AA:1D:
BE:F4:F6:08:15:E4:9C:56:35:EF:87:BA:7D:19:4E:C6:
98:B2:F8:A7:E4:DD:A7:1D:D8:0F:52:55:AE:E9:9B:9F:
A5:B6:B8:6B:CC:7F:C5:20:37:1F:0E:C4:58:24:B8:AC:
B7:67:DA:21:77:7D:31:A1:38:BF:84:42:A8:0C:AC:54:
5C:DE:81:63:DD:D4:3F:02:8B:43:B1:69:A3:D4:43:BD
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
D7:40:65:BA:46:22:D2:7D:63:1E:A0:C8:BF:0B:AD:FC:
0D:2A:74:7B
Identifier: 1.3.6.1.5.5.7.1.1
Critical: no
Value:
30:34:30:32:06:08:2B:06:01:05:05:07:30:01:86:26:
68:74:74:70:3A:2F:2F:70:61:77:2E:73:6A:63:2E:72:
65:64:68:61:74:2E:63:6F:6D:3A:39:31:38:30:2F:63:
61:2F:6F:63:73:70
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
Signature:
Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Signature:
43:17:41:5A:FA:1C:E7:FD:12:29:41:9D:5A:F8:6C:E0:
D3:EA:53:57:17:E1:F8:E3:51:6F:2D:7D:A9:8B:5F:29:
37:EC:AE:CF:64:CF:DF:E3:02:2C:A3:7E:CE:B9:05:10:
3B:FB:6E:19:1D:3E:F0:4A:01:0F:C3:5F:14:9C:06:70:
C2:DB:D5:72:1F:47:FD:A7:FC:D7:6A:4E:64:FA:A9:19:
EE:09:24:F8:B9:C4:01:12:D1:3C:AD:89:05:61:94:39:
67:6D:8D:F1:03:C1:8E:23:6F:A0:EE:6A:B3:C5:FD:C4:
CC:E6:6C:9A:E3:4B:23:70:18:91:E5:50:10:CB:87:2A:
A0:54:BC:DD:97:CD:14:C9:CA:05:40:F3:E9:F2:F8:B8:
FF:ED:BF:7B:5F:85:15:15:23:B4:68:0D:13:56:1C:E4:
37:6B:4D:E4:93:DE:1E:67:03:FB:92:86:D4:11:1E:3F:
1F:CD:28:C4:FF:4E:F3:13:23:05:73:F2:00:98:25:77:
C5:69:22:40:AD:AE:1C:90:6B:60:12:85:61:51:19:ED:
82:50:EA:C3:BF:AB:F9:54:76:FD:C7:E7:1E:98:A8:45:
8C:AA:A1:09:87:1A:EE:E8:F4:61:1C:A5:3C:59:E1:02:
BB:E6:79:3B:EC:1F:21:AE:C1:38:28:F3:F8:05:6F:2C
FingerPrint
Certificate:
Data:
Version: v3
Serial Number: 0x1
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca,O=SjcRedhat Domain 0124
Validity:
Not Before: Monday, January 24, 2011 3:56:12 PM PST America/Los_Angeles
Not After: Thursday, January 24, 2019 3:56:12 PM PST America/Los_Angeles
Subject: CN=Certificate Authority,OU=pki-ca,O=SjcRedhat Domain 0124
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
D9:51:67:F6:FC:14:59:FF:F0:58:15:5D:78:38:B1:C4:
AE:CD:38:19:EB:5F:EE:A6:27:B6:CE:DD:27:FE:16:36:
78:C4:58:87:5D:AD:96:87:17:93:AE:16:60:44:44:BC:
A0:05:2C:5F:29:60:C7:E8:67:39:5D:CA:5A:7D:BC:45:
82:84:45:9D:F0:EA:8E:33:AA:5C:29:1A:71:9E:98:4D:
48:EB:13:94:01:61:F9:06:C3:AE:7B:EE:B0:28:3A:DE:
27:6B:E1:62:E2:10:FF:76:75:76:44:A4:8B:35:9B:46:
C2:5E:72:8E:17:65:62:A3:40:97:ED:53:3C:5F:68:87:
41:52:8E:A0:84:33:A2:FB:25:29:CF:B1:B7:FE:69:FC:
7C:BD:BC:50:C5:F8:BC:9F:E5:D0:67:4F:74:6C:72:DF:
D3:F9:9D:69:36:71:DE:4B:96:E7:BF:6F:28:C5:74:5D:
4A:79:EB:3C:F1:04:54:3A:B6:8E:3F:A4:D6:18:DE:E1:
BD:5A:21:5B:84:C8:68:1C:29:6A:E5:9F:26:57:49:E8:
B8:9D:8D:16:0E:61:2F:FC:B8:28:C7:AA:3E:43:25:44:
98:B3:32:75:68:FC:1B:97:74:5E:B7:90:65:89:1E:F7:
E5:D2:E8:E1:4D:6A:1F:1F:15:52:D6:F8:60:9E:AA:D9
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
D7:40:65:BA:46:22:D2:7D:63:1E:A0:C8:BF:0B:AD:FC:
0D:2A:74:7B
Identifier: Basic Constraints - 2.5.29.19
Critical: yes
Is CA: yes
Path Length Constraint: UNLIMITED
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key CertSign
Crl Sign
Identifier: Subject Key Identifier - 2.5.29.14
Critical: no
Key Identifier:
D7:40:65:BA:46:22:D2:7D:63:1E:A0:C8:BF:0B:AD:FC:
0D:2A:74:7B
Identifier: 1.3.6.1.5.5.7.1.1
Critical: no
Value:
30:34:30:32:06:08:2B:06:01:05:05:07:30:01:86:26:
68:74:74:70:3A:2F:2F:70:61:77:2E:73:6A:63:2E:72:
65:64:68:61:74:2E:63:6F:6D:3A:39:31:38:30:2F:63:
61:2F:6F:63:73:70
Signature:
Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Signature:
11:F1:1A:C9:D3:48:CC:43:BA:71:41:27:C3:D4:37:68:
B7:F9:51:C4:50:FC:AF:B0:82:07:EF:B4:13:77:DE:6A:
10:0F:A6:7A:32:63:86:89:08:7F:B3:66:E0:C0:3B:58:
82:80:A7:C2:19:0B:96:94:20:81:96:76:47:F4:38:6F:
B2:D5:E6:DC:C7:07:5F:AF:E3:42:D9:B0:2E:1B:43:A0:
4F:91:42:17:E6:0C:E8:09:93:49:88:D9:4C:E0:17:3E:
B6:0F:76:31:62:18:2A:3E:73:1E:BE:B2:82:18:89:01:
3A:FC:EE:F0:58:53:17:94:39:31:FB:77:98:BD:5F:A4:
C8:0A:C7:FC:00:46:F9:D1:63:05:3D:AA:16:F4:67:2D:
4F:07:A5:55:89:60:83:9E:9D:14:2D:F0:63:CD:5B:74:
40:6B:D1:22:03:97:59:56:F7:B5:AE:A0:F5:3E:26:1D:
4E:03:40:00:35:C6:25:3A:1E:63:F5:FC:8E:96:CA:9C:
75:45:E1:3D:05:2C:4E:AD:8E:BB:6D:23:A4:EA:E1:D0:
0C:3A:08:7A:50:DD:2E:2B:60:94:A0:EC:C1:1B:23:79:
50:14:E6:A9:01:F3:AA:AE:5D:5E:DE:47:E0:A2:0A:08:
20:44:26:84:E3:AB:8E:95:27:41:CF:BD:0B:B9:7F:80
FingerPrint
Number of controls is 1
Control #0: CMCStatusInfo
OID: {1 3 6 1 5 5 7 7 1}
BodyList: 4164110943
Status: SUCCESS
CMCRevoke -ddirectoryName -hpassword -nnickname -iissuerName -sserialNumber -mreasonToRevoke -ccomment
-s26, not -s 26.
The path to the directory that contains the cert8.db, key3.db, and secmod.db databases. This is usually the agent's personal directory, such as the browser certificate database in the agent's home directory.
Creates a CMC revocation request for an existing certificate. For example, if the directory containing the agent certificate is ~jsmith/.mozilla/firefox/, the certificate nickname is , and the certificate serial number is , the command is as follows:
CMCRevoke -d"~jsmith/.mozilla/firefox/" -n"Certificate Manager Agent Cert" -i"cn=agentAuthMgr" -s22 -m0 -c"test comment"
# CMCRevoke -d"~jsmith/.mozilla/firefox" -n"CA Administrator of Instance pki-ca Example Domain ID" -i"CN=Certificate Authority,OU=pki-ca,O=Example Domain" -s22 -m6 -hsecret -c"test comment"
cert/key prefix =
path = .
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
the transport.txt file. If the file is missing, the archival is still attempted, but it fails with the following error message:
ERROR: File 'transport.txt' does not exist
Try 'CRMFPopClient --help' for more information.
transport.txt must contain the entire base-64 encoded transport certificate on a single line, with the header and footer removed.
CRMFPopClient [OUTPUT_CERT_REQ]
CRMFPopClient
OUTPUT_CERT_REQ
a file named transport.txt that contains the transport certificate in base-64 format. This file must be available for archival to the KRA. If the file exists, the tool picks it up automatically and performs key archival.
transport.txt must contain the entire base-64 encoded transport certificate on a single line, with the header and footer removed.
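The single-line layout that transport.txt requires is easy to get wrong by copying a PEM file as-is. The following is an added example (not part of the page or of CRMFPopClient) that converts a PEM certificate into that layout and checks an existing transport.txt for the two common mistakes: a multi-line body and a retained header or footer. The PEM body used here is a constructed placeholder DER SEQUENCE, not a real transport certificate; with a real certificate the same functions apply unchanged.

```python
import base64
import re

# Constructed placeholder: a minimal DER SEQUENCE standing in for a real
# transport certificate. Only the PEM framing and base-64 handling matter here.
PLACEHOLDER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(PLACEHOLDER_DER).decode()   # wrapped body, trailing newline
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_transport_line(pem_text: str) -> str:
    """Return the certificate as one base-64 line without header or footer,
    which is the content transport.txt must hold."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    b64 = re.sub(r"\s+", "", match.group(1))
    # Strict decode: a bad copy/paste (stray characters) is caught here.
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        # Every X.509 certificate is a DER SEQUENCE (tag 0x30).
        raise ValueError("decoded data is not a DER SEQUENCE")
    return b64


def is_valid_transport_file_content(text: str) -> bool:
    """Check the content of an existing transport.txt: exactly one line,
    base-64 only, no PEM header or footer, decoding to a DER SEQUENCE."""
    lines = text.splitlines()
    if len(lines) != 1 or "-----" in lines[0]:
        return False
    try:
        der = base64.b64decode(lines[0].strip(), validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False
    return bool(der) and der[0] == 0x30


if __name__ == "__main__":
    line = pem_to_transport_line(PLACEHOLDER_PEM)
    with open("transport.txt", "w") as fh:
        fh.write(line + "\n")
    print("transport.txt written:", is_valid_transport_file_content(line + "\n"))
```

Run it in the directory where CRMFPopClient will be invoked; the check function rejects the unmodified PEM file, which is exactly the input that produces an archival failure.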
CRMFPopClient secret caUserCert host.example.com 1026 CaUser jsmith POP_SUCCESS CN=MyTest,C=US,UID=CaUser
CRMFPopClient secret POP_SUCCESS OUTPUT_CERT_REQ CN=MyTest,C=US,UID=CaUser
MIIFczCCBW8wggTVAgEBMIHygAECpUswSTEaMBgGCgmSJomT8ixkAQETCmptYWdu ZUNSTUYxCzAJBgNVBAYTAlVTMR4wHAYDVQQDExVqbWFnbmVDUk1GYXJjaGl2ZVRl c3SmgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJiLbrQaChfzBQLnEnehA3uj 01dA0+pBIJH5PHngjeRpXc6XyYnRpQuFriZUKW7QXewUYQbYsB13F8OwGADfS8wZ zxfBvLqvQb7h9JtLdsHMVXbQ69/cEs/jCU5Cmr1LmFs4EAAO9Yr/CJjp2hscY82e KdyGEB6pWuXuBprc8IRJAgMBAAEwggPZMIIDswYJKwYBBQUHBQEEoIIDpDCCA6Ch FAYIKoZIhvcNAwcECAEBAQEBAQEBgoIBAQBwc6w+H6qZKqQSzQZAOlBc97Uowcjf YH/vqGsSiN7bkFzx9kEWBZ6hlxP8gY/2JxJQsD0lxsykXcdlC6pW3GwGnBI7obM7 eKeNwL0Mi22ANXdkP7I6KFPFlMNg5v0bynCKOYr2n+ZRQEXnGdLHWnG+vh2GGpDH 1ocXV46dFqeCnSpVEXS/PCcS4I65hByRFMU8lB5vPPBnNJxJt4jY6FU209Y+mrEd 8J2dmtqYLo7y4BhzbBfPn08O1QFJXWGi6ZUbIirZInv4Fg+us1gdIM1wVJSr4rNu oZx6+JT40ZJ7i0k63T/jMvW77oQesFG21MCOvxrYZJTgTXZ9+sqlKZ/zA4ICgQB6 Dm/JGjAOKdPdpKW1zYs6hpJsjQsLTM5Mz1ONFn7DLe9RDuXdpWOpyjBcqyNqC47Y CQkRPMW4kj/7XgR4ImycEZZD8OtJF3MqTP7JQGmEXHdsiLRRQy0w/tm0IyI7rJ5p F34hualY0xtbO+GfaKuUB2GH59Zy11oRug1Okm1UQb/HYuCTL0gh6wH4TXk/g6sx WVv4cegqsdaZpqAG9+BqvLw9t5R+8dsCCpUTVRg7llEL9HxSAUF2lon9QEEvQJAD IvofSSXBBf2w+/Qp1x60ZJl7+0vb9P3gEyR3c+BIbIkkdAbfM5knGe2LTnCPcrDb dY1OV8sgFGxGxcqW2+edJd/yRmsWp/6Dh3HHkd234bUvu+6r5GY7ebueOQIr1HsN Zwc9XSGLmaShrBTgLyHwq2G3qx7riCCZz6KpSui8YDuQQZE93BoNcuBzvgI/4rIb uBJfqGYb2t8mSb8Ss+jumbHbZByaVPYp4D9l0Jg3UVbccb19QRIz3G75QotKmDqY YT7UVbVduLddWN8YvXtoEYcOEfesrdnkEqiHmsALWM0/4U0vWk1Uw7t59O6QMomJ I8lPc0lZzl1cYaAuuF5SJv/bb/+9S1GqItuult5+bi5t5vN4OE02BfHrpZQHkCbn ezsIwhDnITwYZSxjMzAeZkBzghTRcNrPwXnvx3crNW2tyZo68FoqOlXAYf/uNBdY lEBdsvgNPzlRwR63u7pqWA9sJc15X/IwPZ8xj49UwB/cCoSt8PGFADPaAWkSMaT2 rv5+LRkcR56Ol3aMjE9OQEN3kRH75oEGyL5jMkkMa58QGtQgs9WnIhwin0TgWYA2 99wD38RcHVogyQ6Nl4y/MCAGCCsGAQUFBwcXBBTmaclfLv+kkK5z5kTMP54dlnec UKGBkzANBgkqhkiG9w0BAQQFAAOBgQAqY9mrSqcjPSP9M8p8/TVWdlXn982styAT DEdau50jksjO/LHPheeFUIaf4+SamE5SUMcEJH9R2p9dqZN8JpvgCYn+h8rjKnIM 5mKstkjtOj42mwizvphkaxIMZdrTSbfC0QjCmkjP2yI3F5QbOoowZ9REH4BMLqRU sLTu2xgVrw== -
https://server.example.com:9444/ca/ee/ca/
CRMFPopClient password caUserCert test.example.com 9180 joeCRMF joeCRMF POP_SUCCESS "CN=joeCRMFarchiveTest,C=US, UID=joeCRMF" OUTPUT_CERT_REQ
Proof Of Possession Utility....
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Generating Legal POP Data.....
.
Signature completed...
Generated Cert Request: ......
End Request:
Server Response.....
--------------------
<!-- --- BEGIN COPYRIGHT BLOCK ---
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
--- END COPYRIGHT BLOCK --- -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript">
errorReason="Request Deferred - defer request";
requestListSet = new Array;
requestList = new Object;
requestList.requestId="284";
requestListSet[0] = requestList;
errorCode="2";
</script>
<font size="+1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
Certificate Profile
</font><br>
<Font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
<p>
</font>
<table border="0" cellspacing="0" cellpadding="0"
background="/ca/ee/graphics/hr.gif"
width="100%">
<tr>
<td> </td>
</tr>
</table>
<font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
<script language=javascript>
var autoImport = 'false';
if (errorCode == 0) { // processed
document.write('Congratulations, your request has been processed successfully
');
document.writeln('<P>');
for (var i = 0; i < requestListSet.length; i++) {
document.write('Your request ID is ');
document.write('<B>'+requestListSet[i].requestId+'</B>.');
document.writeln('<P>');
}
document.writeln('<b>');
document.writeln('Outputs');
document.writeln('</b>');
document.writeln('<P>');
document.writeln('<table width=100%>');
for (var i = 0; i < outputListSet.length; i++) else if (outputListSet[i].outputSyntax == 'pretty_print') {
document.writeln('<pre>');
document.writeln(outputListSet[i].outputVal);
document.writeln('</pre>');
}
document.writeln('</td>');
document.writeln('</tr>');
}
document.writeln('</table>');
document.writeln('<p>');
document.writeln('<table width=100%>');
document.writeln('<tr valign=top>');
document.writeln('<td>');
document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana,
sans-serif">'
);
document.writeln('<li>');
document.writeln('Certificate Imports');
document.writeln('</FONT>');
document.writeln('</td>');
for (var i = 0; i < requestListSet.length; i++) else else {
document.writeln('<input type=hidden name=importCert value=false>');
}
document.writeln('<input type=hidden name=requestId value=' +
requestListSet[i].requestId + '>');
document.writeln('<input type=submit name="Import Certificate"
value="Import Certificate">');
document.writeln('</form>');
}
document.writeln('</td>');
document.writeln('</tr>');
}
document.writeln('</table>');
} else if (errorCode == 1) { // not submitted
document.write('Sorry, your request is not submitted. The reason is "' +
errorReason + '".');
} else if (errorCode == 2)
document.write('Your can check on the status of your request with ');
document.write('an authorized agent or local administrator ');
document.writeln('by referring to this request ID.');
} else if (errorCode == 3) { // rejected
document.write('Sorry, your request has been rejected. The reason is "' +
errorReason + '"');
document.writeln('<P>');
for (var i = 0; i < requestListSet.length; i++) {
document.write('Your request ID is ');
document.write('<B>'+requestListSet[i].requestId+'</B>.');
document.writeln('<P>');
}
} else { // unknown state
document.write('Sorry, your request is not submitted. The error code is "' +
errorReason + '".');
}
</script>
</font>
</html>
ExtJoiner ext_file0 ext_file1 ... ext_fileN
Run , specifying the extension files. For example, if a directory named /etc/extensions holds two extension files, and , the command is as follows:
ExtJoiner /etc/extensions/myExt1 /etc/extensions/myExt2
MEwwLgYDVR0lAQHBCQwIgYFKoNFBAMGClGC5EKDM5PeXzUGBi2CVyLNCQYFU iBakowGgYDVR0SBBMwEaQPMA0xCzAJBgNVBAYTAlVT
AtoB input_file output_file
dumpasn1 output_file
 0 30   76: SEQUENCE {
 2 30   46:   SEQUENCE {
 4 06    3:     OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
 9 01    1:     BOOLEAN TRUE
12 04   36:     OCTET STRING
           :       30 22 06 05 2A 83 45 04 03 06 0A 51 82 E4 42 83
           :       33 93 DE 5F 35 06 06 2D 82 57 22 CD 09 06 05 51
           :       38 81 6A 4A
           :     }
50 30   26:   SEQUENCE {
52 06    3:     OBJECT IDENTIFIER issuerAltName (2 5 29 18)
57 04   19:     OCTET STRING
           :       30 11 A4 0F 30 0D 31 0B 30 09 06 03 55 04 06 13
           :       02 55 53
           :     }
           :   }
0 warnings, 0 errors.
GenExtKeyUsage [true|false] OID ...
GenIssuerAltNameExt
…
…
GenIssuerAltNameExt RFC822Name TomTom@example.com X500Name cn=TomTom
GenSubjectAltNameExt
…
…
GenSubjectAltNameExt RFC822Name TomTom@example.com X500Name cn=TomTom
.cfg configuration file as its argument. The syntax is as follows:
HttpClient
The full path to the directory that contains the cert8.db, key3.db, and secmod.db databases. This parameter is ignored if . For example, .
true for client authentication, false for no client authentication. This parameter is ignored if secure=false. For example, .
The password for the cert8.db database. This parameter is ignored if secure=false and clientauth=false. For example, .
/ca/profileSubmitCMCFull. For example, .
OCSPClient
or
cert8.db, key3.db, and secmod.db) that contains the CA certificate which signed the certificate being checked.
PKCS10Client -p certDBPassword -d certDBDirectory -o outputFile -s subjectDN
in the .p12 output file.
PKCS12Export -d -p -w -o [-debug]
in the .p12 output file. With the -debug option, the nickname of each certificate is written to stdout as the operation proceeds. (Otherwise, the command produces no output.)
# PKCS12Export -debug -d /var/lib/pki-ca/alias -p dbpwd.txt -w p12pwd.txt -o master.p12
PKCS12Export debug: The directory for certdb/keydb is .
PKCS12Export debug: The password file for keydb is dbpwd.txt
PKCS12Export debug: Number of user certificates = 5
PKCS12Export debug: Certificate nickname = ocspSigningCert cert-ca
PKCS12Export debug: Private key is not null
PKCS12Export debug: Certificate nickname = subsystemCert cert-ca
PKCS12Export debug: Private key is not null
PKCS12Export debug: Certificate nickname = caSigningCert cert-ca
PKCS12Export debug: Private key is not null
PKCS12Export debug: Certificate nickname = Server-Cert cert-ca
PKCS12Export debug: Private key is not null
PKCS12Export debug: Certificate nickname = auditSigningCert cert-ca
PKCS12Export debug: Private key is not null
revoker -s -n [[-p] | [-w]] [-d] [-v] [-V] [-u] [-r] [-i] hostname[:port]
If the -w option is given, this is not used.
If the -p option is given, this is not used.
Without -v, the program returns exit code 0 and writes nothing to standard output.
With the -v option, the command shows the GET request sent to the CA agent interface, followed by the result that is returned (as an HTML page).
# revoker -d . -s 0x17 -n "CA Administrator of Instance pki-ca Example Domain" -p secret -v -r 6 -i 1 server.example.com:9443
GET /ca/doRevoke?op=doRevoke&revocationReason=6&invalidityDate=1299187797000&revokeAll=(|(certRecordId%3D0x17))&totalRecordCount=1 HTTP/1.0
port: 9443
addr='server.example.com'
family='2'
Subject: CN=server.example.com,OU=pki-ca,O=Example Domain
Issuer : CN=Certificate Authority,OU=pki-ca,O=Example Domain
-- SSL3: Server Certificate Validated.
Called mygetclientauthdata - nickname = CA Administrator of Instance pki-ca Example Domain ID
mygetclientauthdata - cert = 8da87b8
mygetclientauthdata - privkey = 8de65a8
PR_Write wrote 143 bytes from bigBuf
bytes: [GET /ca/doRevoke?op=doRevoke&revocationReason=6&invalidityDate=1299187797000&revokeAll=(|(certRecordId%3D0x17))&totalRecordCount=1 HTTP/1.0
]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
connection 1 read 9000 bytes (9000 total).
these bytes read:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Thu, 03 Mar 2011 22:29:58 GMT
Connection: close
<!-- --- BEGIN COPYRIGHT BLOCK ---
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
--- END COPYRIGHT BLOCK --- -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>Revocation Result</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript">
var header = new Object();
var fixed = new Object();
var recordSet = new Array;
var result = new Object();
var httpParamsCount = 0;
var httpHeadersCount = 0;
var authTokenCount = 0;
var serverAttrsCount = 0;
header.HTTP_PARAMS = new Array;
header.HTTP_HEADERS = new Array;
header.AUTH_TOKEN = new Array;
header.SERVER_ATTRS = new Array;
header.dirEnabled = "no";
header.error = null;
header.revoked = "yes";
header.totalRecordCount = 1;
var recordCount = 0;
var record;
record = new Object;
record.HTTP_PARAMS = new Array;
record.HTTP_HEADERS = new Array;
record.AUTH_TOKEN = new Array;
record.SERVER_ATTRS = new Array;
record.error=null;
record.serialNumber="17";
recordSet[recordCount++] = record;
record.recordSet = recordSet;
result.header = header;
result.fixed = fixed;
result.recordSet = recordSet;
</SCRIPT>
<BODY bgcolor="white">
<SCRIPT type="text/javascript">
//<!--
function toHex1(number)
for(; number >= 16 ; number = Math.floor(number/16)) {
absValue = digits.charAt(number % 16) + absValue;
}
absValue = digits.charAt(number % 16) + absValue;
return sign + '0x' + absValue;
}
function toHex(number)
{
return '0x' + number;
}
if (result.header.revoked == 'yes') else if (result.recordSet.length == 1) else
} else
document.writeln('</font><br>');
/*
if (result.header.dirEnabled != null && result.header.dirEnabled == 'yes') else {
document.write('Directory has not been updated. See log files for more details.');
}
document.writeln('</font><br>');
}
*/
} else
} else if (result.recordSet.length > 1) else
}
document.writeln('</font>');
document.write('</blockquote>');
if (revokedCerts > 0 && result.header.dirEnabled != null && result.header.dirEnabled == 'yes') else
} else
document.writeln('<br>');
/*
if (result.header.certsUpdated > 0) else {
document.write('Directory has been partially updated. See log files for more details.');
}
} else {
document.write('Directory has not been updated. See log files for more details.');
}
*/
document.writeln('</font><br>');
}
}
} else if (result.header.revoked == 'pending') else if (result.header.revoked == 'rejected')
} else
}
//-->
</SCRIPT>
</BODY>
</HTML>
connection 1 read 10249 bytes total. -----------------------------
tpsclient
Registration Authority Client
'op=help' for Help
Command>
Command>token_status
token_status
Output> life_cycle_state : '0'
Output> pin : 'password'
Output> app_ver : '00010203' (4 bytes)
Output> major_ver : '0'
Output> minor_ver : '0'
Output> cuid : '00010203040506070809' (10 bytes)
Output> msn : '00000000' (4 bytes)
Output> key_info : '0101' (2 bytes)
Output> auth_key : '404142434445464748494a4b4c4d4e4f' (16 bytes)
Output> mac_key : '404142434445464748494a4b4c4d4e4f' (16 bytes)
Output> kek_key : '404142434445464748494a4b4c4d4e4f' (16 bytes)
Result> Success - Operation 'token_status' Success (8 msec)
Command>
Obtain the new key set data to enter into . The default key set must be stored in the TKS, and the master key must be added. Do this by editing the TKS mapping parameter in the TKS CS.cfg file:
tks.mk_mappings.#02#01=nethsm1:masterkey
Enable key upgrade in the TPS by editing the update symmetric key parameters in the TPS CS.cfg file:
op.format.tokenKey.update.symmetricKeys.enable=true
op.format.tokenKey.update.symmetricKeys.requiredVersion=2
tpsclient
Command>op=token_set cuid=a00192030405060708c9 app_ver=6FBBC105 key_info=0101
Command>op=token_set auth_key=404142434445464748494a4b4c4d4e4f
Command>op=token_set mac_key=404142434445464748494a4b4c4d4e4f
Command>op=token_set kek_key=404142434445464748494a4b4c4d4e4f
Command>op=ra_format uid=jsmith pwd=password num_threads=1 new_pin=password
tpsclient < /tmp/input.txt
op=var_set name=ra_host value=server.example.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000000001
msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=jdoe pwd=password new_pin=password num_threads=1
op=var_set name=ra_host value=server.example.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000000001
msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_format uid=jsmith pwd=secret new_pin=newsecret num_threads=1
tpsclient op=operation options
KRATool -kratool_config_file /path/to/tool_config_file
-source_ldif_file /path/to/original_ldif_file
-target_ldif_file /path/to/newinstance_ldif_file
-log_file /path/to/tool_log_file
[-source_pki_security_database_path /path/to/nss_databases
-source_storage_token_name /path/to/token
-source_storage_certificate_nickname storage_certificate_nickname
-target_storage_certificate_file /path/to/new_ASCII_storage_cert
[-source_pki_security_database_pwdfile /path/to/password_file]]
[-source_kra_naming_context name -target_kra_naming_context name]
[-process_requests_and_key_records_only]
KRATool -kratool_config_file /path/to/tool_config_file
-source_ldif_file /path/to/original_ldif_file
-target_ldif_file /path/to/newinstance_ldif_file
-log_file /path/to/tool_log_file
[-append_id_offset prefix_to_add | -remove_id_offset prefix_to_remove]
[-source_kra_naming_context name -target_kra_naming_context name]
[-process_requests_and_key_records_only]
the -target_kra_naming_context parameter.
the -source_kra_naming_context parameter.
The password for the storage token given in the -source_storage_token_name option.
-append_id_offset, the -remove_id_offset option.
-remove_id_offset, the -append_id_offset option.
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
objectClass: extensibleObject
requestId: 011
requestState: complete
dateOfCreate: 20110121181006Z
dateOfModify: 20110524094652Z
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
F#9E#98#B3
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
yTWvwIDAQAB
extdata-archive: true
extdata-requesttype: netkeyKeygen
extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
extdata-requestversion: 8.1.0
extdata-requestortype: NETKEY_RA
extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
extdata-requeststatus: complete
extdata-requestid: 1
extdata-result: 1
requestType: netkeyKeygen
cn: 1
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110122021010Z
modifyTimestamp: 20110122021010Z
nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caEnrollmentRequest.dateOfModify=false
extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetri
c session key' with the '2048-bit RSA public key' obtained from the target s
torage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA
naming context 'alpha.example.com-pki-kra' to target KRA naming context 'ome
ga.example.com-pki-kra' + PROCESSED requests and key records ONLY!
is very useful for setting all key record types to .
Every parameter line in kratool.cfg must appear in the .cfg file that is used when the tool is invoked. Lines cannot be omitted, and every line must have a valid value (true or false). If the file is not formatted correctly, fails.
The .cfg file uses the same format as the instance CS.cfg file.
the .cfg file. This file (shown in ) can be copied and edited into a custom file, or edited directly and used with the tool.
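Because KRATool fails when a parameter line is missing or carries anything other than true or false, it is worth checking a customized .cfg file before running a migration. The following added example (not the page's or KRATool's own code) parses the kratool.cfg format, treats the banner lines (names ending in ._NNN) as comments, and reports bad values and omitted parameters against a list of required names. The sample configuration and the required-name list are constructed for this example from the caKeyRecord parameters shown on the page; the real file is longer, and the required list would be the full set of parameter names from the shipped KRATool.cfg.

```python
import re
from typing import Dict, List

# Constructed excerpt in the kratool.cfg format: one value is not true/false
# and one parameter line (serialno) has been omitted on purpose.
SAMPLE_CFG = """\
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=yes
"""

# The caKeyRecord parameter names listed on the page (assumed required set).
REQUIRED_CA_KEY_RECORD = [
    "kratool.ldif.caKeyRecord.cn",
    "kratool.ldif.caKeyRecord.dateOfModify",
    "kratool.ldif.caKeyRecord.dn",
    "kratool.ldif.caKeyRecord.privateKeyData",
    "kratool.ldif.caKeyRecord.serialno",
]

_BANNER = re.compile(r"\._\d+$")   # e.g. kratool.ldif.caKeyRecord._004


def parse_kratool_cfg(text: str) -> Dict[str, str]:
    """Return name -> value for the real parameters, skipping banner lines."""
    params: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a name=value line: {line!r}")
        name, value = line.split("=", 1)
        name = name.strip()
        if _BANNER.search(name):
            continue                      # decorative comment block
        params[name] = value.strip()
    return params


def validate_kratool_cfg(text: str, required: List[str]) -> List[str]:
    """List every problem that would make KRATool reject the file:
    a value other than true/false, or a required parameter that is absent."""
    problems: List[str] = []
    params = parse_kratool_cfg(text)
    for name, value in params.items():
        if value not in ("true", "false"):
            problems.append(f"{name}: value {value!r} is not true or false")
    for name in required:
        if name not in params:
            problems.append(f"{name}: missing (lines cannot be omitted)")
    return problems


def enabled_fields(text: str, record_type: str) -> List[str]:
    """Field names set to true for one record type, e.g. 'caKeyRecord'."""
    prefix = f"kratool.ldif.{record_type}."
    return [name[len(prefix):] for name, value in parse_kratool_cfg(text).items()
            if name.startswith(prefix) and value == "true"]


if __name__ == "__main__":
    for problem in validate_kratool_cfg(SAMPLE_CFG, REQUIRED_CA_KEY_RECORD):
        print("PROBLEM:", problem)
    print("caKeyRecord fields enabled:", enabled_fields(SAMPLE_CFG, "caKeyRecord"))
```

Run the validator against the customized file before the KRATool invocation; an empty problem list means the file has the shape the tool expects, although the meaning of each true/false choice still has to be reviewed by hand.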
kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest._003=## ##
kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
kratool.ldif.caEnrollmentRequest._007=## ##
kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
kratool.ldif.caEnrollmentRequest._011=## ##
kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
kratool.ldif.caEnrollmentRequest._015=## ##
kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
kratool.ldif.caEnrollmentRequest._017=## ##
kratool.ldif.caEnrollmentRequest._018=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord._003=## ##
kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
kratool.ldif.caKeyRecord._006=## data in the following fields: ##
kratool.ldif.caKeyRecord._007=## ##
kratool.ldif.caKeyRecord._008=## archivedBy ##
kratool.ldif.caKeyRecord._009=## ##
kratool.ldif.caKeyRecord._010=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
kratool.ldif.namingContext._000=############################################
kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
kratool.ldif.namingContext._002=############################################
kratool.ldif.namingContext._003=## ##
kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
kratool.ldif.namingContext._008=## should be removed via the option to ##
kratool.ldif.namingContext._009=## process requests and key records only ##
kratool.ldif.namingContext._010=## if this is a KRA migration): ##
kratool.ldif.namingContext._011=## ##
kratool.ldif.namingContext._012=## cn ##
kratool.ldif.namingContext._013=## sn ##
kratool.ldif.namingContext._014=## uid ##
kratool.ldif.namingContext._015=## uniqueMember ##
kratool.ldif.namingContext._016=## ##
kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
kratool.ldif.namingContext._021=## should be removed via the option to ##
kratool.ldif.namingContext._022=## process requests and key records only ##
kratool.ldif.namingContext._023=## if this is a KRA migration): ##
kratool.ldif.namingContext._024=## ##
kratool.ldif.namingContext._025=## dc ##
kratool.ldif.namingContext._026=## dn ##
kratool.ldif.namingContext._027=## uniqueMember ##
kratool.ldif.namingContext._028=## ##
kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
kratool.ldif.namingContext._033=## should be removed via the option to ##
kratool.ldif.namingContext._034=## process requests and key records only ##
kratool.ldif.namingContext._035=## if this is a KRA migration): ##
kratool.ldif.namingContext._036=## ##
kratool.ldif.namingContext._037=## uid ##
kratool.ldif.namingContext._038=## uniqueMember ##
kratool.ldif.namingContext._039=## ##
kratool.ldif.namingContext._040=## If '-source_naming_context ##
kratool.ldif.namingContext._041=## original source KRA naming context' ##
kratool.ldif.namingContext._042=## and '-target_naming_context ##
kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
kratool.ldif.namingContext._047=## the following fields in EACH of the ##
kratool.ldif.namingContext._048=## following types of records: ##
kratool.ldif.namingContext._049=## ##
kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
kratool.ldif.namingContext._051=## ##
kratool.ldif.namingContext._052=## dn ##
kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
kratool.ldif.namingContext._055=## ##
kratool.ldif.namingContext._056=## caKeyRecord: ##
kratool.ldif.namingContext._057=## ##
kratool.ldif.namingContext._058=## dn ##
kratool.ldif.namingContext._059=## ##
kratool.ldif.namingContext._060=## recoveryRequest: ##
kratool.ldif.namingContext._061=## ##
kratool.ldif.namingContext._062=## dn ##
kratool.ldif.namingContext._063=## ##
kratool.ldif.namingContext._064=## tpsKeyRecord: ##
kratool.ldif.namingContext._065=## ##
kratool.ldif.namingContext._066=## dn ##
kratool.ldif.namingContext._067=## ##
kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
kratool.ldif.namingContext._069=## ##
kratool.ldif.namingContext._070=## dn ##
kratool.ldif.namingContext._071=## ##
kratool.ldif.namingContext._072=############################################
kratool.ldif.recoveryRequest._000=#####################################
kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
kratool.ldif.recoveryRequest._002=#####################################
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=true
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
kratool.ldif.tpsKeyRecord._000=#########################################
kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
kratool.ldif.tpsKeyRecord._002=#########################################
kratool.ldif.tpsKeyRecord._003=## ##
kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
kratool.ldif.tpsKeyRecord._007=## ##
kratool.ldif.tpsKeyRecord._008=## archivedBy ##
kratool.ldif.tpsKeyRecord._009=## ##
kratool.ldif.tpsKeyRecord._010=#########################################
kratool.ldif.tpsKeyRecord.cn=true
kratool.ldif.tpsKeyRecord.dateOfModify=true
kratool.ldif.tpsKeyRecord.dn=true
kratool.ldif.tpsKeyRecord.privateKeyData=true
kratool.ldif.tpsKeyRecord.serialno=true
kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
kratool.ldif.tpsNetkeyKeygenRequest.cn=true
kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
kratool.ldif.tpsNetkeyKeygenRequest.dn=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
kratool.ldif.tpsNetkeyKeygenRequest.requestId=true
KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert"
KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -append_id_offset 100000000000
KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -remove_id_offset 100000000000
KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert" -append_id_offset 100000000000
- Stop the new KRA:
[root@newkra ~]# service pki-kra stop
- Create the export directory:
[root@newkra ~]# mkdir -p /export/pki
- Export the new KRA's storage certificate:
[root@newkra ~]# certutil -L -d /var/lib/pki-kra/alias/ -n "storageCert cert-pki-kra" -a > /export/pki/newKRA.cert
- If it is on the same machine, stop the Directory Server instance for the new KRA:
[root@newkra ~]# service dirsrv stop
- Export the new KRA's configuration information:
[root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/db2ldif -n newkra.example.com-pki-kra -a /export/pki/newkra.ldif
- Create the export directory:
[root@oldkra ~]# mkdir -p /export/pki
- Copy the exported LDIF of the old KRA into place and rewrite the archivedBy attribute in it:
[root@oldkra ~]# cp /path/to/rhcs80-pki-kra.ldif /export/pki
[root@oldkra ~]# sed -i -e "s/^archivedBy: kra_trusted_agent/archivedBy: CA/g" /export/pki/rhcs80-pki-kra.ldif
- Copy the old KRA's security databases:
[root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-cert8.db /export/pki/cert8.db
[root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-key3.db /export/pki/key3.db
[root@oldkra ~]# cp -p /opt/redhat-cs/alias/secmod.db /export/pki/secmod.db
- Copy KRATool to the machine with the old KRA instance and pull all of its dependencies. For 7.x systems, this includes the nsutil.jar and cmsutil.jar files (these files are already available on 8.0 systems). For example:
[root@oldkra ~]# mkdir -p /usr/share/pki/java-tools
[root@oldkra ~]# mkdir -p /usr/share/java/pki
[root@oldkra ~]# cd /usr/share/java/pki
[root@oldkra ~]# sftp root@newkra.example.com
sftp> cd /usr/share/java/pki
sftp> get nsutil.jar
sftp> get cmsutil.jar
sftp> get cstools.jar
sftp> lcd /usr/share/pki/java-tools
sftp> cd /usr/share/pki/java-tools
sftp> get KRATool.cfg
sftp> lcd /usr/bin
sftp> cd /usr/bin
sftp> get KRATool
sftp> quit
- Create a symbolic link from the old ldapjdk.jar file to the new 8.x location:
[root@oldkra ~]# ln -s /opt/redhat-cs/bin/cert/jars/ldapjdk.jar /usr/share/java/ldapjdk.jar
- Change to the export directory:
[root@oldkra ~]# cd /export/pki
- Retrieve the new KRA's storage certificate:
[root@oldkra ~]# sftp root@newkra.example.com
sftp> cd /export/pki
sftp> get newKRA.cert
sftp> quit
- If necessary, edit the default KRATool.cfg file for use by the tool. The default file can also be used without changes.
- Run KRATool:
[root@oldkra ~]# KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file /export/pki/rhcs80-pki-kra.ldif -target_ldif_file /export/pki/old2newKRA.ldif -log_file /export/pki/kratool.log -source_pki_security_database_path /export/pki -source_storage_token_name 'Internal Key Storage Token' -source_storage_certificate_nickname 'storageCert cert-pki-kra' -target_storage_certificate_file /export/pki/newKRA.cert -append_id_offset 100000000000 -source_kra_naming_context "oldkra.example.com-pki-kra" -target_kra_naming_context "newkra.example.com-pki-kra" -process_requests_and_key_records_only
When it completes, the command creates the file specified in -target_ldif_file, old2newKRA.ldif.
- Copy the converted LDIF to the new KRA:
[root@oldkra ~]# scp /export/pki/old2newKRA.ldif root@newkra.example.com:/export/pki
- Specify a unique value for -target_ldif_file so that a separate LDIF file is created, and a unique -append_id_offset value, so that there are no conflicts when the LDIF files are concatenated.
- Change to the export directory:
[root@newkra ~]# cd /export/pki
- Concatenate the new KRA's export with the converted old KRA data:
[root@newkra ~]# cat newkra.ldif old2newKRA.ldif > combined.ldif
- Import the combined LDIF:
[root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/ldif2db -n newkra.example.com-pki-kra -i /export/pki/combined.ldif
- Start the Directory Server instance for the new KRA:
[root@newkra ~]# service dirsrv start
- Start the new KRA:
[root@newkra ~]# service pki-kra start
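A check worth running on combined.ldif before the ldif2db import. This is an added example, not part of the Red Hat documentation or of KRATool: it uses only standard POSIX tools, constructs its own sample LDIF, and reports duplicate DNs (the symptom of clashing -append_id_offset values) and records whose archivedBy attribute was never rewritten from kra_trusted_agent to CA.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): sanity-check a
# combined KRA LDIF before handing it to ldif2db. It flags duplicate DNs,
# which is what clashing -append_id_offset values produce when several
# old2newKRA.ldif files are concatenated, and records still carrying
# "archivedBy: kra_trusted_agent", meaning the sed rewrite to
# "archivedBy: CA" was skipped. The sample LDIF below is constructed.
# check_kra_ldif FILE : returns 0 if clean, 1 if any problem was found
check_kra_ldif() {
    f="$1"
    status=0
    # LDIF folds long values onto continuation lines that start with a
    # space; join them so every dn is on one line before comparing.
    dups=$(awk '/^ / { buf = buf substr($0, 2); next }
                { if (buf != "") print buf; buf = $0 }
                END { if (buf != "") print buf }' "$f" \
           | grep -i '^dn: ' | cut -c5- | tr 'A-Z' 'a-z' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate DN(s) in %s, re-check -append_id_offset:\n%s\n' "$f" "$dups" >&2
        status=1
    fi
    stale=$(grep -c '^archivedBy: kra_trusted_agent' "$f" || true)
    if [ "$stale" -gt 0 ]; then
        printf '%s record(s) in %s still have archivedBy: kra_trusted_agent\n' "$stale" "$f" >&2
        status=1
    fi
    return "$status"
}

# Constructed samples: a clean export and a bad concatenation.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/clean.ldif" <<'EOF'
dn: cn=1,ou=keyRepository,ou=kra,o=newkra.example.com-pki-kra
archivedBy: CA

dn: cn=100000000001,ou=keyRepository,ou=kra,o=newkra.example.com-pki-kra
archivedBy: CA
EOF
cat > "$SAMPLE_DIR/bad.ldif" <<'EOF'
dn: cn=100000000001,ou=keyRepository,ou=kra,o=newkra.example.com-pki-kra
archivedBy: kra_trusted_agent

dn: cn=100000000001,ou=keyRepository,ou=kra,
 o=newkra.example.com-pki-kra
archivedBy: CA
EOF
for f in clean bad; do
    check_kra_ldif "$SAMPLE_DIR/$f.ldif" && echo "$f.ldif: OK" || echo "$f.ldif: problems found"
done
```

Run it against the real combined.ldif with `check_kra_ldif /export/pki/combined.ldif` and only proceed to ldif2db when it returns 0.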