[Pki-users] base64 CMC Request format

Kamal Perera techpkiuser at gmail.com
Wed Jul 13 11:57:12 UTC 2016


Dear All,

Sorry for bringing this old post into focus.

I'm trying to create a CMC enrolment process with our Dogtag CA. Can
someone advise me how to create a CMCRequest? A sample configuration would
be very helpful.



On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT <
WilliamC.Elliott at s-itsolutions.at> wrote:

> Hello Christina,
>
> Many thanks for the idea.  We'll try it out.
>
> Best regards,
> Bill Elliott
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> On Behalf Of Christina Fu
> Sent: Thursday, 03 October 2013 23:25
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]
>
> Hi Bill,
>
> Yes, the profileSubmitCMCFull servlet only takes and responds in binary.
> However, the profileSubmit servlet does take base64 encoded requests
> (see the caCMCUserCert profile from the ee page).  Which means,
> technically, it can be done, though may not be straight-forward at first
> glance.
>
> Here is what you can do (I just tried it and it works for me):
> 1. take your Base64-encoded CMC request blob and URL encode it.
> 2. create a file, say sendCMCreq.txt, which contains the following data:
> profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your
> b64-encoded/url-encoded request>
> e.g. my sendCMCreq.txt reads:
>
> profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
> 3. run the following: wget --post-file sendCMCreq.txt http://<your ca
> host:port>/ca/ee/ca/profileSubmit
> 4. Once you get the successful response (in HTML), glean for
>              outputList.outputVal=xxx
> The "xxx" is your b64 encoded certificate.  It's formatted for display
> so you might want to further process it.
>
> Hope this helps.
> Christina
>
> On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
> > We already use CMC enrollment (using profile caFullCMCUserCert) remotely
> > from a RedHat system. It works without a hitch.  It requires (ala Docu)
> > converting the requests to binary format with AtoB before sending them on
> > with HttpClient to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull), and
> > then receiving the (binary-encoded) response.
> >
> > When the card management system under windows sends a request - it is
> > base64-encoded.  The CA cannot parse it and the authentication fails:
> >
> > [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create()
> > message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$]
> > agent pre-approved CMC request signature verification
> >
> > Best regards,
> > Bill Elliott
> >
> > -----Original Message-----
> > From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
> > On Behalf Of Andrew Wnuk
> > Sent: Wednesday, 02 October 2013 21:07
> > To: pki-users at redhat.com
> > Subject: Re: [Pki-users] base64 CMC Request format [heur]
> >
> > On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
> >> Hi all,
> >>
> >> Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting
> >> base64-encoded CMC requests? Is there a parameter somewhere? Or would it
> >> require reprogramming?
> >>
> >> We have a (smart-)card management system (runs under Windows) which
> >> sends the requests and expects the responses to both be base64 encoded.
> >>
> >>       Thanks and best regards,
> >>
> >>       William Elliott
> >>       s IT Solutions
> >>       Open System Services
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> > Check profiles/ca/caCMCUserCert.cfg profile.
> > You may also check
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input
> > and
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html
> >
> > Andrew
>
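
Steps 1, 2 and 4 of the procedure quoted above, as an added example that is not part of the original thread or of Dogtag's own code: it builds the form body for `sendCMCreq.txt` and recovers the certificate from the HTML response. The function names, the assumed shape of the `outputList.outputVal` line (a quoted string with `\n` escapes and PEM armour) and the sample data are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlencode

def build_post_body(b64_request: str, profile_id: str = "caCMCUserCert") -> str:
    """Steps 1-2: normalise the base64 CMC blob and build the form body."""
    # Drop PEM-style armour lines and all whitespace so only base64 remains.
    lines = [ln for ln in b64_request.splitlines() if not ln.startswith("-----")]
    blob = "".join("".join(lines).split())
    der = base64.b64decode(blob, validate=True)  # raises on non-base64 input
    # A DER-encoded request starts with SEQUENCE (0x30), which is why the
    # sample in the thread begins with "MII".
    if not der or der[0] != 0x30:
        raise ValueError("request does not decode to a DER SEQUENCE")
    # urlencode() percent-encodes '+', '/' and '='. A raw '+' in a form body
    # is decoded as a space, which corrupts the request.
    return urlencode({
        "profileId": profile_id,
        "cert_request_type": "cmc",
        "cert_request": blob,
    })

def extract_certificate(html: str) -> bytes:
    """Step 4: pull outputList.outputVal out of the HTML and return DER."""
    m = re.search(r'outputList\.outputVal\s*=\s*"([^"]*)"', html)
    if m is None:
        raise ValueError("no outputList.outputVal in response")
    # Assumed display formatting: literal \r and \n escapes plus PEM armour.
    text = m.group(1).replace("\\r", "").replace("\\n", "\n")
    body = [ln for ln in text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

# Constructed sample data (not a real CMC request or certificate); the bytes
# are chosen so the base64 form contains '+', '/' and '='.
SAMPLE_DER = bytes([0x30, 0x06, 0x00, 0xFB, 0xEF, 0xBE, 0xFF, 0xFF])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_HTML = ('<script>outputList.outputVal="-----BEGIN CERTIFICATE-----\\n'
               + SAMPLE_B64 + '\\n-----END CERTIFICATE-----\\n";</script>')

if __name__ == "__main__":
    print(build_post_body(SAMPLE_B64))  # contents for sendCMCreq.txt
    print(extract_certificate(SAMPLE_HTML).hex())
```
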