
Revoking Certificate with CMC Shared Token

Endi S. Dewata edited this page Jun 6, 2023 · 4 revisions

Overview

This page describes the process for revoking a certificate using a CMC shared token.

It assumes that:

  • The CA admin has created an issuance protection certificate.

  • The CA admin has configured CMC shared token authentication.

  • The CA admin has generated a CMC shared token for revoking the certificate.

Creating CMC Request

To create a CMC request, prepare a CMCRequest configuration file (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-revocation-request.cfg) and store the serial number of the certificate to be revoked in the revRequest.serial property:

$ cp \
    /usr/share/pki/tools/examples/cmc/testuser-cmc-revocation-request.cfg \
    testuser-cmc-revocation-request.cfg

$ sed -i \
    -e "s/^\(revRequest.serial\)=.*/\1=<serial number>/" \
    testuser-cmc-revocation-request.cfg

Then execute the following command:

$ CMCRequest testuser-cmc-revocation-request.cfg
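
The sed command above exits successfully even if the file has no revRequest.serial line, so a request can be built with the wrong serial. The following wrapper is an added example, not part of the PKI tools or the original page; the function name set_rev_serial and the accepted serial formats (decimal or 0x-prefixed hex) are assumptions:

```shell
#!/bin/sh
# Added example, not part of the PKI tools: set revRequest.serial and verify it.
# Usage: set_rev_serial CFG SERIAL   (returns 0 only if the file now holds SERIAL)
set_rev_serial() {
    cfg=$1
    serial=$2

    # Assumption: serial is decimal or 0x-prefixed hex. Rejecting everything
    # else also keeps sed metacharacters (/ & \) out of the replacement text.
    case $serial in
        0x*)
            hex=${serial#0x}
            case $hex in
                ''|*[!0-9A-Fa-f]*) echo "bad serial: $serial" >&2; return 2 ;;
            esac ;;
        ''|*[!0-9]*) echo "bad serial: $serial" >&2; return 2 ;;
    esac

    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 3; }

    # sed exits 0 even when nothing matched, so require exactly one property line.
    count=$(grep -c '^revRequest\.serial=' "$cfg" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 revRequest.serial line, found $count" >&2; return 4; }

    sed -i -e "s/^\(revRequest\.serial\)=.*/\1=$serial/" "$cfg" || return 5

    # Confirm the file now carries the intended value, byte for byte.
    grep -qxF "revRequest.serial=$serial" "$cfg"
}

# Constructed demo file; only the revRequest.serial key comes from the page.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'revRequest.serial=0' > "$demo"
set_rev_serial "$demo" 0x1a2b && grep '^revRequest\.serial=' "$demo"
rm -f "$demo"
```

Run CMCRequest only when the function returns 0; an unreplaced "<serial number>" placeholder is rejected by the format check.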

Submitting CMC Request

To submit the CMC request, prepare an HttpClient configuration file (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-revocation-submit.cfg), then execute the following command:

$ HttpClient testuser-cmc-revocation-submit.cfg

Processing CMC Response

To process the CMC response:

$ CMCResponse \
    -d /root/.dogtag/nssdb \
    -i testuser.cmc-revocation-response

See Also
