<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>This patch is for <a class="moz-txt-link-freetext" href="https://pagure.io/dogtagpki/issue/2618">https://pagure.io/dogtagpki/issue/2618</a> <span
        id="summary_alias_container"><span
          id="short_desc_nonedit_display">allow CA to process pre-signed
          CMC renewal cert requests</span></span></p>
    <p><span id="summary_alias_container"><span
          id="short_desc_nonedit_display">    Ticket#2618 feature:
          pre-signed CMC renewal request<br>
              <br>
              This patch provides the feature implementation to allow CA
          to process pre-signed CMC renewal requests. In the world of
          CMC, renewal requests are full CMC requests that are signed by
          a previously issued signing certificate.<br>
              The implementation approach is to use the
          caFullCMCUserSignedCert with the enhanced profile constraint:
          UniqueKeyConstraint.<br>
              UniqueKeyConstraint has been updated to disallow renewal
          of the same key shared by a revoked certificate.  It also saves
          the origNotAfter of the newest certificate sharing the same
          key in the request to be used by the
          RenewGracePeriodConstraint.<br>
              The profile caFullCMCUserSignedCert.cfg has been updated
          to have both UniqueKeyConstraint and
          RenewGracePeriodConstraint.  They must be placed in the
          correct order. By default in the UniqueKeyConstraint the
          constraint parameter allowSameKeyRenewal=true.<br>
        </span></span></p>
    <p><span id="summary_alias_container"><span
          id="short_desc_nonedit_display">Thanks,</span></span></p>
    <p><span id="summary_alias_container"><span
          id="short_desc_nonedit_display">Christina<br>
        </span></span></p>
  </body>
</html>