[Pki-users] CRMF aka CMP format reader or howto get private key from crmf with proof of possession

Marcin Mierzejewski marcinmierzejewski1024 at gmail.com
Wed Oct 28 16:53:23 UTC 2015


Hi Christina

> I read and reread your email a few times but am still not sure why you want
> the CA to be responsible for giving you the p12, especially the CA has no
> idea what password was used for enveloping

The envelope password may be empty, or defined by the user in the renewal
request to my application.

> Could the user not just get the renewed cert, import it into the nss db,
> and then export the cert and its keys into a p12 themselves?  Why use an
> old p12?

My users can't do that kind of thing, like repacking a private key with a new
certificate. They just want a new private key without asking the KRA for it
and waiting for approval.




2015-10-28 1:12 GMT+01:00 Christina Fu <cfu at redhat.com>:

> I read and reread your email a few times but am still not sure why you
> want the CA to be responsible for giving you the p12, especially the CA has
> no idea what password was used for enveloping. And why does the user need
> the private key if the user is supposed to already have the private key?
> The KRA does allow you to recover keys if you lost your keys, but it
> requires agent approval.
>
> Could the user not just get the renewed cert, import it into the nss db,
> and then export the cert and its keys into a p12 themselves?  Why use an
> old p12?
>
> Christina
>
>
>
> On 10/27/2015 04:20 AM, Marcin Mierzejewski wrote:
>
> I'm trying to generate a new .p12 file for a renewed certificate, because the old
> version of the p12 file after that renewal has the private key linked to a
> certificate which is not the latest one (however the keypair and all subject
> data are the same).
> What is my idea?
> - create "caManualRenewal" enrollment
> - read crmf from enrollment
> - get private key from crmf
> - approve renewal request
> - return new p12 file with new cert and this privkey to user
>
> Is it even possible to do something like this? Does it make sense to recreate
> that file, or can the user use the old p12 file even after renewal?
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
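The procedure sketched in the quoted message (pull the private key out of the CRMF, then hand the user a fresh p12) cannot work as described: a CRMF request with signature proof-of-possession carries the public key and a signature made with the private key, never the private key itself. The key the user needs is the one already sitting in their old .p12. The following is an added example, not code from the thread or from Dogtag, showing the repacking step Christina suggests done by an application on the user's behalf: read the private key out of the old .p12, check that it matches the renewed certificate, and write a new .p12. It uses the `cryptography` library; the key pair, the self-signed "old" and "renewed" certificates (stand-ins for CA-issued ones) and the passwords are all constructed for the example.

```python
"""Repack the private key from an old .p12 with a renewed certificate.

Added example for the pki-users thread; not Dogtag code. Requires the
`cryptography` package. All keys, certificates and passwords are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, pkcs12
from cryptography.x509.oid import NameOID


def make_cert(key, serial, days):
    """Self-signed certificate over key's public key (stand-in for a CA-issued cert)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "user1")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )


def _spki(public_key):
    """DER SubjectPublicKeyInfo, used to compare public keys byte-for-byte."""
    return public_key.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def repack_p12(old_p12, old_password, renewed_cert, new_password):
    """Return a new .p12 (bytes) holding the old private key and the renewed cert.

    Refuses (ValueError) if the old .p12 has no key or the renewed certificate
    was not issued for that key, so a wrong cert can never be bundled silently.
    """
    key, _old_cert, _chain = pkcs12.load_key_and_certificates(old_p12, old_password)
    if key is None:
        raise ValueError("old .p12 contains no private key")
    if _spki(key.public_key()) != _spki(renewed_cert.public_key()):
        raise ValueError("renewed certificate does not match the key in the old .p12")
    enc = (serialization.BestAvailableEncryption(new_password)
           if new_password else serialization.NoEncryption())  # empty password allowed
    return pkcs12.serialize_key_and_certificates(b"user1", key, renewed_cert, None, enc)


def demo():
    """Constructed end-to-end run; returns the checks a caller would assert on."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_cert = make_cert(key, serial=1, days=365)
    old_p12 = pkcs12.serialize_key_and_certificates(
        b"user1", key, old_cert, None, serialization.BestAvailableEncryption(b"old-pw"))

    # Renewal with the same key pair: the cert changes, the private key does not.
    renewed = make_cert(key, serial=2, days=365)
    new_p12 = repack_p12(old_p12, b"old-pw", renewed, b"new-pw")
    new_key, new_cert, _ = pkcs12.load_key_and_certificates(new_p12, b"new-pw")

    # A certificate for some other key must be rejected.
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        repack_p12(old_p12, b"old-pw", make_cert(other, serial=3, days=365), b"new-pw")
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True

    return {
        "cert_is_renewed": new_cert == renewed,
        "same_private_key": new_key.private_numbers() == key.private_numbers(),
        "mismatch_rejected": mismatch_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

With a real deployment the renewed certificate would come from the CA (for example the cert issued for the approved `caManualRenewal` request) and the old .p12 from the user; the CA never sees the private key at any point, which is why it cannot build this file for you.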