If server doesn't have a white-listed at Iconectiv IP address, ACME client cannot generate SPC tokens, required to prove ownership of SP account. In that case, you must use SPC token file, acquired from a different server, and skip this step.
gen_spc [--ca] {EC key path} {OCN}
- --ca - whether to create SPC for SCA or a regular SP certificate
- {EC key path} - path to EC private key, generated in the first step
- {OCN} - Iconectiv Service Provider account ID (4 alnum characters, e.g. 123H)
new_order [--ca] [--spc {SPC file path}] {EC key path} {OCN} {not_before} {not_after} {subject parameters}
- --ca - (optional) if set, order SCA certificate, otherwise order a regular SP certificate
- --spc - (optional) path to SPC file, generated in step 2. If not set, a new SPC will be requested from Iconectiv
- {EC key path} - path to EC private key, generated in the first step
- {OCN} - Iconectiv Service Provider account ID (4 alnum characters, e.g. 123H)
- {not_before} - (optional) certificate start date. This is a timestamp value.
- {not_after} - (optional) certificate expiration date. This is a timestamp value.
Subject parameters:
C={country} - mandatory (must be US)
S={state} - optional
L={locality} (e.g. city) - optional
O={organization} - mandatory
OU={organization unit} - optional
CN={common name} - mandatory
Your "O" and "CN" values must be unique. STI certificates shall include a Subject field containing a Distinguished Name (DN), which is unique for each subject entity certified under one CA issuer identity, as specified in RFC 5280 [Ref 11].
6.4.1 STI Certificate Requirements
This section defines the STI Certificate profile that shall be supported by SHAKEN-compliant STI-CAs and Service Providers.
....
STI certificates shall include a Subject field containing a Distinguished Name (DN), which is unique for each subject entity certified under one CA issuer identity, as specified in RFC 5280 [Ref 11]. The DN shall contain a Country (C=) attribute, a Common Name (CN=) attribute and an Organization (O=) attribute. Other DN attributes are optional. For non-End-Entity CA certificates (Basic Constraints CA boolean = TRUE), the Common Name attribute shall include the text string "SHAKEN" and also indicate whether the certificate is a root or intermediate certificate (e.g., CN=SHAKEN root). The Common Name attribute of an End-Entity certificate shall contain the text string “SHAKEN”, followed by a single space, followed by the SPC value identified in the TNAuthList of the End-Entity certificate (e.g., "CN=SHAKEN 1234"). The Organization (O=) attribute shall include a legal name of the service provider in order to facilitate traceback and operations. STI certificates shall include an Issuer field. For root certificates, the Issuer field shall match the certificate’s Subject field. For intermediate and End-Entity certificates, the Issuer field shall match the Subject field of the parent certificate.
"Subject" string combination must be unique for all valid certificates.
