[Pki-users] CMC support

Christina Fu cfu at redhat.com
Fri Sep 19 16:23:55 UTC 2008


Michael Peck wrote:
> Hi -
>
> My question is a follow-on to the CMC enrollment thread from April 28.
>
> The earlier thread says CMC requests have to be inputted through the 
> web based "certificate enrollment profiles" by filling in a form field 
> with the request data.
>
> I noticed the Dogtag CA has servlets running at:
>  /ee/ca/profileSubmitCMCFull
>  /ee/ca/profileSubmitCMCSimple
>  /ee/ca/CMCRevReq
> Is it possible for a client to send requests directly to those 
> servlets instead of going through the web form -- and is there a way 
> for the client to receive the CMC Response from the server as 
> described in the RFC, rather than just the text message / base64 
> certificate returned by the web form after it is submitted?
You don't have to use a web form. Here is an example of how to use 
sslget to submit a request:
https://www.redhat.com/docs/manuals/cert-system/tools/7.2/SSLGet-Usage.html
While the example on the page is not the same servlet and request type, 
I imagine it's similar.  Response can be xmloutput instead of a web 
form, as you can see in the example. Just make sure you tweak the 
enrollment profile "output" and "input" to fit your needs.

You can learn about how to tweak/customize your profiles here:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Certificate_Profiles.html

>
> Also, do CMC requests always have to be signed by an authorized agent, 
> or has there been any thought to allowing clients to rekey their own 
> certificates directly with the CA?  (e.g. authenticate a new 
> certificate request using the old certificate with the same subject)
Authentication and authorization can also be customized.  You can 
eliminate the authz altogether if that's what you wish.  You can also 
write your own authorization or authentication plugins.  You can copy 
one from existing plugins and work from there too.  All the existing 
authentication plugins are in 
pki/base/common/src/com/netscape/cms/authentication and all the 
authorization plugins are in 
/home/cfu/dogtag/src4/pki/base/common/src/com/netscape/cms/authorization.
You can customize the enrollment servlets too.

Finally, if you feel that your plugins could be contributed back to 
Dogtag, we welcome you to submit it for review!

Thanks!
Christina
>
> Has interoperability been tested with any tools besides the ones 
> described here http://pki.fedoraproject.org/wiki/PKI_Java_Tools  
> (CMCEnroll/CMCRequest/etc.)?  Do any other CMC clients actually exist?
>
> Thanks,
> Mike Peck
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users