[Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possesion

Marcin Mierzejewski marcinmierzejewski1024 at gmail.com
Sun Nov 1 13:15:24 UTC 2015


Christina, you were right, I shouldn't try to do that functionality.

2015-10-28 17:53 GMT+01:00 Marcin Mierzejewski <marcinmierzejewski1024 at gmail.com>:

> Hi Christina
>
>> I read and reread your email a few times but am still not sure why you
>> want the CA to be responsible for giving you the p12, especially the CA has
>> no idea what password was used for enveloping
>
> The envelope password may be empty, or defined by the user in the renewal
> request to my application.
>
>> Could the user not just get the renewed cert, import it into the nss db,
>> and then export the cert and its keys into a p12 themselves?  Why use an
>> old p12?
>
> My users can't do that kind of thing, like repacking a private key to a new
> certificate. They just want the new private key without asking the KRA for
> it and waiting for approval.
>
> 2015-10-28 1:12 GMT+01:00 Christina Fu <cfu at redhat.com>:
>
>> I read and reread your email a few times but am still not sure why you
>> want the CA to be responsible for giving you the p12, especially the CA has
>> no idea what password was used for enveloping. And why does the user need
>> the private key if the user is supposed to already have the private key?
>> The KRA does allow you to recover keys if you lost your keys, but it
>> requires agent approval.
>>
>> Could the user not just get the renewed cert, import it into the nss db,
>> and then export the cert and its keys into a p12 themselves?  Why use an
>> old p12?
>>
>> Christina
>>
>>
>>
>> On 10/27/2015 04:20 AM, Marcin Mierzejewski wrote:
>>
>> I'm trying to generate a new .p12 file for a renewed certificate, because the
>> old version of the p12 file after that renewal has the private key linked to a
>> certificate which is not the latest one (however the keypair and all subject
>> data are the same).
>> What is my idea?
>> - create "caManualRenewal" enrollment
>> - read crmf from enrollment
>> - get private key from crmf
>> - approve renewal request
>> - return new p12 file with new cert and this privkey to user
>>
>> Is it even possible to do something like this? Does it make sense to recreate
>> that file, or can the user use the old p12 file even after renewal?
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
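The route Christina describes above (import the renewed cert into an NSS db, then export cert and key to a p12), as an added example that is not part of this thread or of Dogtag itself: the CRMF request only proves possession of the key, so the CA never holds the private key, and the only usable copy is the one already sitting in the user's old p12. The script assumes two inputs, the old p12 and the renewed cert in PEM, and refuses to repack when the renewed cert does not match the key in the old bundle (the case where a renewal really did generate a new key pair).

```shell
#!/bin/sh
# Re-pack a renewed certificate with the private key the user already holds,
# using the NSS tools mentioned in the thread (certutil, pk12util) plus
# openssl for the pre-check. Assumed inputs, not from the thread: OLD_P12
# holds the old cert + key; RENEWED_PEM is the cert issued for the same key.
set -eu

# Returns 0 when the key inside P12 is the key pair of CERT_PEM, i.e. the
# renewal reused the old key. Otherwise the old bundle cannot serve the new
# cert and a fresh key (or a KRA recovery, with agent approval) is needed.
same_key_pair() {
    p12=$1; cert_pem=$2; pwfile=$3
    a=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "file:$pwfile" 2>/dev/null \
          | openssl pkey -pubout -outform DER | openssl dgst -sha256)
    b=$(openssl x509 -in "$cert_pem" -pubkey -noout \
          | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# repack_p12 OLD_P12 RENEWED_PEM NEW_P12 PWFILE
# PWFILE holds the PKCS#12 password used for both the input and output bundle.
repack_p12() {
    old_p12=$1; renewed_pem=$2; new_p12=$3; pwfile=$4; nick=renewed
    same_key_pair "$old_p12" "$renewed_pem" "$pwfile" || {
        echo "renewed cert does not match the key in $old_p12" >&2; return 1; }
    db=$(mktemp -d)
    printf 'tmp-nss-db-pass' > "$db/dbpw"          # throwaway DB password
    certutil -N -d "sql:$db" -f "$db/dbpw"
    # Import the renewed cert first: the p12 import below adopts this
    # nickname for the old cert (same subject) and the key links to both.
    certutil -A -d "sql:$db" -f "$db/dbpw" -n "$nick" -t ",," -i "$renewed_pem"
    pk12util -i "$old_p12" -d "sql:$db" -k "$db/dbpw" -w "$pwfile"
    # Export by nickname: NSS picks the newest valid cert carrying that name.
    pk12util -o "$new_p12" -n "$nick" -d "sql:$db" -k "$db/dbpw" -w "$pwfile"
    # Sanity check: the new bundle must carry a key, not only the certificate.
    pk12util -l "$new_p12" -d "sql:$db" -w "$pwfile" | grep -q 'Key(shrouded)'
    rm -rf "$db"
}

if [ $# -eq 4 ]; then repack_p12 "$@"; fi
```

Run it as `sh repack.sh old.p12 renewed.pem new.p12 pwfile`; the user keeps the same key, so the old p12 stays usable, only its certificate is stale.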