<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi Kamel, Just type CMCRequest at command line and it will spit out a sample config file which you can take and modify. It contains comments where you can find out more info. hope this helps. Christina <div class="moz-cite-prefix">On 07/13/2016 04:57 AM, Kamal Perera wrote: </div> <blockquote cite="mid:CAA0gsCOXPsP5+99DZdps16tJgymkuhs_epvgg8OOzxoNmyLq_A@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div>Dear All, </div> sorry for taking this old post in to focus. </div> I'm trying to create a CMC enrolment process with our DogTag CA. Can someone advice me how to create a CMCRequest.A sample configuration would be much helpful. <div class="gmail_extra"> <div class="gmail_quote">On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT <<a moz-do-not-send="true" href="mailto:WilliamC.Elliott@s-itsolutions.at" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:WilliamC.Elliott@s-itsolutions.at">WilliamC.Elliott@s-itsolutions.at</a></a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Christina, Many thanks for the idea. We'll try it out. Best regards, Bill Elliott -----Ursprüngliche Nachricht----- Von: <a moz-do-not-send="true" href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a> [mailto:<a moz-do-not-send="true" href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>] Im Auftrag von Christina Fu Gesendet: Donnerstag, 03. Oktober 2013 23:25 An: <a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a> Betreff: Re: [Pki-users] base64 CMC Request format [bayes][heur] <div class=""> <div class="h5"> Hi Bill, Yes the profileSubmitCMCFull servlet only takes and responds in binary. However, the profileSubmit servlet does take base64 encoded requests (see the caCMCUserCert prfoile from the ee page). Which means, technically, it can be done, though may not be straight-forward at first glance. Here is what you can do (I just tried it and it works for me): 1. take your Base64-encoded CMC request blob and URL encode it. 2. create a file, say sendCMCreq.txt, which contains the following data: profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request> e.g. my sendCMCreq.txt reads: profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ... 3. run the following: wget --post-file sendCMCreq.txt <a class="moz-txt-link-freetext" href="http://">http://</a><your ca host:port>/ca/ee/ca/profileSubmit 4. Once you get the successsful response (in HTML), glean for outputList.outputVal=xxx The "xxx" is your b64 encoded certificate. It's formatted for display so you might want to further process it. Hope this helps. Christina On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote: > We already use CMC enrollment (using profile caFullCMCUserCert) remotely from a RedHat system. It works without a hitch. It requires (ala Docu) converting the requests to binary format with AtoB before sending them on with HttpClient to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull), and then receiving the (binary-encoded) response. > > When the card management system under windows sends a request - it is base64-encoded. The CA cannot parse it and the authentication fails: > > [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification > > Best regards, > Bill Elliott > > -----Ursprüngliche Nachricht----- > Von: <a moz-do-not-send="true" href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a> [mailto:<a moz-do-not-send="true" href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>] Im Auftrag von Andrew Wnuk > Gesendet: Mittwoch, 02. Oktober 2013 21:07 > An: <a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a> > Betreff: Re: [Pki-users] base64 CMC Request format [heur] > > On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote: >> Hi all, >> >> Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming? >> >> We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded. >> >> Thanks and best regards, >> >> William Elliott >> s IT Solutions >> Open System Services >> >> >> >> >> _______________________________________________ >> Pki-users mailing list >> <a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> >> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> > Check profiles/ca/caCMCUserCert.cfg profile. > You may also check > <a moz-do-not-send="true" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input" rel="noreferrer" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input</a> > and > <a moz-do-not-send="true" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html" rel="noreferrer" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html</a> > > Andrew > > _______________________________________________ > Pki-users mailing list > <a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> > <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> > > > > _______________________________________________ > Pki-users mailing list > <a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> > <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> _______________________________________________ Pki-users mailing list <a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> _______________________________________________ Pki-users mailing list <a moz-do-not-send="true" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> </div> </div> </blockquote> </div> </div> </div> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Pki-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre> </blockquote> </body> </html>