<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>This patch is for <a class="moz-txt-link-freetext" href="https://pagure.io/dogtagpki/issue/2618">https://pagure.io/dogtagpki/issue/2618</a> <span
id="summary_alias_container"><span
id="short_desc_nonedit_display">allow CA to process pre-signed
CMC renewal cert requests</span></span></p>
<p><span id="summary_alias_container"><span
id="short_desc_nonedit_display"> Ticket#2618 feature:
pre-signed CMC renewal request<br>
<br>
This patch provides the feature implementation to allow CA
to process pre-signed CMC renewal requests. In the world of
CMC, renewal requests are full CMC requests that are signed by
a previously issued signing certificate.<br>
The implementation approach is to use the
caFullCMCUserSignedCert with the enhanced profile constraint:
UniqueKeyConstraint.<br>
UniqueKeyConstraint has been updated to disallow renewal
of the same key shared by a revoked certificate. It also saves
the origNotAfter of the newest certificate sharing the same
key in the request to be used by the
RenewGracePeriodConstraint.<br>
The profile caFullCMCUserSignedCert.cfg has been updated
to have both UniqueKeyConstraint and
RenewGracePeriodConstraint. They must be placed in the
correct order. By default in the UniqueKeyConstraint the
constraint parameter allowSameKeyRenewal=true.<br>
</span></span></p>
<p><span id="summary_alias_container"><span
id="short_desc_nonedit_display">Thanks,</span></span></p>
<p><span id="summary_alias_container"><span
id="short_desc_nonedit_display">Christina<br>
</span></span></p>
</body>
</html>