<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Kamal,</p>
<p>Just type CMCRequest at the command line and it will spit out a
sample config file which you can take and modify. It contains
comments where you can find out more info.</p>
<p>Hope this helps.</p>
<p>Christina<br>
</p>
<div class="moz-cite-prefix">On 07/13/2016 04:57 AM, Kamal Perera
wrote:<br>
</div>
<blockquote
cite="mid:CAA0gsCOXPsP5+99DZdps16tJgymkuhs_epvgg8OOzxoNmyLq_A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Dear All,<br>
<br>
</div>
Sorry for bringing this old post into focus.<br>
<br>
</div>
I'm trying to create a CMC enrolment process with our Dogtag CA.
Can someone advise me how to create a CMCRequest? A sample
configuration would be very helpful.<br>
<br>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 4, 2013 at 3:38 PM,
Elliott William C OSS sIT <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:WilliamC.Elliott@s-itsolutions.at"
target="_blank">WilliamC.Elliott@s-itsolutions.at</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hello Christina,<br>
<br>
Many thanks for the idea. We'll try it out.<br>
<span class=""><br>
Best regards,<br>
Bill Elliott<br>
<br>
-----Original Message-----<br>
</span>From: <a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>
[mailto:<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>]
On Behalf Of Christina Fu<br>
Sent: Thursday, 03 October 2013 23:25<br>
To: <a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
Subject: Re: [Pki-users] base64 CMC Request format
[bayes][heur]<br>
<div class="">
<div class="h5"><br>
Hi Bill,<br>
<br>
Yes the profileSubmitCMCFull servlet only takes and
responds in binary.<br>
However, the profileSubmit servlet does take base64
encoded requests<br>
(see the caCMCUserCert profile from the ee page).
Which means,<br>
technically, it can be done, though may not be
straight-forward at first<br>
glance.<br>
<br>
Here is what you can do (I just tried it and it works
for me):<br>
1. take your Base64-encoded CMC request blob and URL
encode it.<br>
2. create a file, say sendCMCreq.txt, which contains
the following data:<br>
profileId=caCMCUserCert&cert_request_type=cmc&cert_request=&lt;your b64-encoded/url-encoded request&gt;<br>
e.g. my sendCMCreq.txt reads:<br>
profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...<br>
3. run the following: wget --post-file sendCMCreq.txt
http://&lt;your ca host:port&gt;/ca/ee/ca/profileSubmit<br>
4. Once you get the successful response (in HTML),
glean for<br>
outputList.outputVal=xxx<br>
The "xxx" is your b64 encoded certificate. It's
formatted for display<br>
so you might want to further process it.<br>
<br>
Hope this helps.<br>
Christina<br>
<br>
On 10/02/2013 11:47 PM, Elliott William C OSS sIT
wrote:<br>
> We already use CMC enrollment (using profile
caFullCMCUserCert) remotely from a RedHat system. It
works without a hitch. It requires (ala Docu)
converting the requests to binary format with AtoB
before sending them on with HttpClient to the CMC
servlet (/ca/ee/ca/profileSubmitCMCFull), and then
receiving the (binary-encoded) response.<br>
><br>
> When the card management system under windows
sends a request - it is base64-encoded. The CA cannot
parse it and the authentication fails:<br>
><br>
> [02/Oct/2013:14:03:26][http-9543-3]:
SignedAuditEventFactory: create()
message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$]
agent pre-approved CMC request signature verification<br>
><br>
> Best regards,<br>
> Bill Elliott<br>
><br>
> -----Original Message-----<br>
> From: <a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>
[mailto:<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com">pki-users-bounces@redhat.com</a>]
On Behalf Of Andrew Wnuk<br>
> Sent: Wednesday, 02 October 2013 21:07<br>
> To: <a moz-do-not-send="true"
href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
> Subject: Re: [Pki-users] base64 CMC Request
format [heur]<br>
><br>
> On 10/02/2013 11:26 AM, Elliott William C OSS sIT
wrote:<br>
>> Hi all,<br>
>><br>
>> Can Dogtag (in this case v. 9.0.3-30.el6 ) be
coerced into accepting base64-encoded CMC requests? Is
there a parameter somewhere? Or would it require
reprogramming?<br>
>><br>
>> We have a (smart-)card management system
(runs under Windows) which sends the requests and
expects the responses to both be base64 encoded.<br>
>><br>
>> Thanks and best regards,<br>
>><br>
>> William Elliott<br>
>> s IT Solutions<br>
>> Open System Services<br>
>><br>
>><br>
>><br>
>><br>
>>
_______________________________________________<br>
>> Pki-users mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br>
>> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/pki-users"
rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
> Check profiles/ca/caCMCUserCert.cfg profile.<br>
> You may also check<br>
> <a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input"
rel="noreferrer" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input</a><br>
> and<br>
> <a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html"
rel="noreferrer" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html</a><br>
><br>
> Andrew<br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
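<p>The four steps in the quoted 2013 reply, as an added Python example that is not part of the original thread or of Dogtag: it builds the sendCMCreq.txt body and extracts outputList.outputVal from a response, and shows what a form parser receives when step 1 is skipped. The sample request bytes and the response fragment are constructed, and the quoted-string layout of outputVal is an assumption.</p>

```python
import base64
import re
from urllib.parse import parse_qs, quote

PROFILE_ID = "caCMCUserCert"  # profile named in the thread

# Constructed sample: bytes chosen so the base64 form contains '+', '/' and '='.
SAMPLE_B64 = base64.b64encode(b"\xfb\xef\xbe\xff\xff\xff\x00").decode()
# Constructed response fragment; the quoted-string layout is an assumption.
SAMPLE_RESPONSE = ('outputList.outputVal="-----BEGIN CERTIFICATE-----\\n'
                   'QUJD\\nREVG\\n-----END CERTIFICATE-----\\n";')


def build_post_body(b64_cmc: str, encode: bool = True) -> str:
    """Steps 1-2: URL-encode the base64 blob and build the form body."""
    compact = "".join(b64_cmc.split())        # drop line wrapping
    base64.b64decode(compact, validate=True)  # reject non-base64 input early
    # safe="" makes quote() encode '/' as well as '+' and '='.
    value = quote(compact, safe="") if encode else compact
    return (f"profileId={PROFILE_ID}&cert_request_type=cmc"
            f"&cert_request={value}")


def as_seen_by_form_parser(body: str) -> str:
    """Decode cert_request the way a form parser would."""
    return parse_qs(body)["cert_request"][0]


def extract_output_val(html: str) -> str:
    """Step 4: return the base64 body of outputList.outputVal."""
    m = re.search(r'outputList\.outputVal\s*=\s*"((?:[^"\\]|\\.)*)"', html)
    if m is None:
        raise ValueError("no outputList.outputVal in response")
    text = m.group(1).replace("\\r", "").replace("\\n", "\n")
    # Strip display formatting: blank lines and PEM header/footer lines.
    lines = (line.strip() for line in text.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


if __name__ == "__main__":
    print(build_post_body(SAMPLE_B64))
    # Without step 1 each '+' arrives as a space and the blob is corrupted.
    print(repr(as_seen_by_form_parser(build_post_body(SAMPLE_B64, False))))
    print(extract_output_val(SAMPLE_RESPONSE))
```

<p>Write the string returned by build_post_body() to sendCMCreq.txt and post it with the wget command from step 3.</p>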
</body>
</html>