Skip to content

Issuing OCSP Certificates with PKI CA

Endi S. Dewata edited this page Jun 8, 2023 · 4 revisions

Overview

This page describes the process to issue OCSP certificates with pki ca command on PKI 10.8 or later.

For older versions, see:

Submitting Certificate Requests

The certificate requests can be submitted to a PKI CA with the following commands:

$ pki -U <CA URL> ca-cert-request-submit --profile caSignedLogCert --csr-file ocsp_audit_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caOCSPCert --csr-file ocsp_signing.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caServerCert --csr-file ocsp_sslserver.csr
$ pki -U <CA URL> ca-cert-request-submit --profile caSubsystemCert --csr-file ocsp_subsystem.csr
$ pki -U <CA URL> ca-cert-request-submit --profile AdminCert --csr-file ocsp_admin.csr

Approving Certificate Requests

The CA admin can approve the request by executing the following command:

$ pki -U <CA URL> -u caadmin -w Secret.123 ca-cert-request-approve <request ID>

Retrieving Issued Certificates

The certificates and the CA signing certificate can be downloaded with the following commands:

$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_admin.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_audit_signing.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_signing.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_sslserver.crt
$ pki -U <CA URL> ca-cert-export <cert ID> --output-file ocsp_subsystem.crt
$ pki -U <CA URL> ca-cert-signing-export --output-file ca_signing.crt
Clone this wiki locally