Provided by: pki-tools_10.6.0-1ubuntu2_amd64 bug


       CMCSharedToken - Used to process a user passphrase and create shared token to be stored by
       the CA to allow Shared Secret-based proof of origin  in  cases  such  as  CMC  certificate
       issuance and revocation.


       CMCSharedToken [OPTIONS]


       The   Certificate  Management  over  Cryptographic  Message  Syntax  (CMC)  shared  secret
       generation tool, CMCSharedToken, provides a command-line utility used to  process  a  user
       passphrase to be shared with the CA.

       It  takes  a  passphrase  provided  by  the  user, encrypts it with an issuance protection
       certificate, and outputs the encrypted blob which could be stored on the CA for subsequent
       enrollment or revocation activities by the user.

       This  tool can be run either by the user or by the administrator.  If run by the user, the
       output (encrypted passphrase, i.e. shared token) needs to be sent to the CA  administrator
       to  store  on  the  CA;  if run by the CA administrator, the passphrase itself needs to be
       passed to the intended user.  It is outside of the scope of this  software  to  state  how
       such communication takes place. It is up to the site policy to decide which way best suits
       the deployment site.

       For information on how the administrator would store the shared tokens on the CA, see  Red
       Hat Certificate System Administrator's Guide.


       The following are supported options.

       -d <database>
              Path of directory to the NSS database. This option is required.

       -h <token>
              Security token name (default: internal)

       -p <password>
              Security token password.

       -p <passphrase>
              CMC enrollment passphrase (shared secret) (put in "" if containing spaces)

       -b <issuance protection cert>
              PEM  issuance protection certificate. Note: only one of the -b or -n options should
              be used.

       -n <issuance protection cer nicknamet>
              PEM issuance protection certificate on token. Note:  only  one  of  the  -b  or  -n
              options should be used.

       -v     Run in verbose mode.


       CMCSharedToken  -d  . -p myNSSPassword -s "just another good day"  -o cmcSharedTok2.b64 -n
       "subsystemCert cert-pki-tomcat"


       Christina Fu <>.


       Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU  General  Public  License,
       version 2 (GPLv2). A copy of this license is available at