[Pki-users] base64 CMC Request format
Christina Fu
cfu at redhat.com
Wed Jul 13 20:41:23 UTC 2016
Hi Kamal,
Just type CMCRequest at command line and it will spit out a sample
config file which you can take and modify. It contains comments where
you can find out more info.
Hope this helps.
Christina
On 07/13/2016 04:57 AM, Kamal Perera wrote:
> Dear All,
>
> Sorry for taking this old post into focus.
>
> I'm trying to create a CMC enrolment process with our DogTag CA. Can
> someone advise me how to create a CMCRequest? A sample configuration
> would be very helpful.
>
>
>
> On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT
> <WilliamC.Elliott at s-itsolutions.at> wrote:
>
> Hello Christina,
>
> Many thanks for the idea. We'll try it out.
>
> Best regards,
> Bill Elliott
>
> -----Original Message-----
> From: pki-users-bounces at redhat.com
> [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
> Sent: Thursday, 03 October 2013 23:25
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]
>
> Hi Bill,
>
> Yes the profileSubmitCMCFull servlet only takes and responds in
> binary.
> However, the profileSubmit servlet does take base64 encoded requests
> (see the caCMCUserCert profile from the ee page). Which means,
> technically, it can be done, though may not be straight-forward at
> first glance.
>
> Here is what you can do (I just tried it and it works for me):
> 1. take your Base64-encoded CMC request blob and URL encode it.
> 2. create a file, say sendCMCreq.txt, which contains the following data:
> profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request>
> e.g. my sendCMCreq.txt reads:
> profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
> 3. run the following: wget --post-file sendCMCreq.txt http://<your ca host:port>/ca/ee/ca/profileSubmit
> 4. Once you get the successful response (in HTML), glean for
> outputList.outputVal=xxx
> The "xxx" is your b64 encoded certificate. It's formatted for display
> so you might want to further process it.
>
> Hope this helps.
> Christina
>
> On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
> > We already use CMC enrollment (using profile caFullCMCUserCert)
> > remotely from a RedHat system. It works without a hitch. It
> > requires (ala Docu) converting the requests to binary format with
> > AtoB before sending them on with HttpClient to the CMC servlet
> > (/ca/ee/ca/profileSubmitCMCFull), and then receiving the
> > (binary-encoded) response.
> >
> > When the card management system under Windows sends a request -
> > it is base64-encoded. The CA cannot parse it and the
> > authentication fails:
> >
> > [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
> >
> > Best regards,
> > Bill Elliott
> >
> > -----Original Message-----
> > From: pki-users-bounces at redhat.com
> > [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
> > Sent: Wednesday, 02 October 2013 21:07
> > To: pki-users at redhat.com
> > Subject: Re: [Pki-users] base64 CMC Request format [heur]
> >
> > On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
> >> Hi all,
> >>
> >> Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into
> >> accepting base64-encoded CMC requests? Is there a parameter
> >> somewhere? Or would it require reprogramming?
> >>
> >> We have a (smart-)card management system (runs under Windows)
> >> which sends the requests and expects the responses to both be
> >> base64 encoded.
> >>
> >> Thanks and best regards,
> >>
> >> William Elliott
> >> s IT Solutions
> >> Open System Services
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> > Check profiles/ca/caCMCUserCert.cfg profile.
> > You may also check
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input
> > and
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html
> >
> > Andrew
> >
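
Added example, not part of the original thread and not Dogtag code: steps 1, 2 and 4 of the procedure quoted above, showing why the Base64 blob must be URL-encoded (in a form-encoded body an unencoded '+' is decoded as a space, which changes the request). The function names, the sample bytes and the layout of the sample response are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Constructed bytes, not a real CMC request; chosen so the Base64 text
# contains '+', '/' and '=' ("++++////MIILqA==").
SAMPLE_DER = bytes.fromhex("fbefbeffffff30820ba8")

# Constructed response fragment; the quoting and literal \r\n escapes are an
# assumed layout for the "formatted for display" outputList.outputVal value.
SAMPLE_HTML = (r'<script>outputList.outputVal="-----BEGIN CERTIFICATE-----\r\n'
               r'++++////\r\nMIILqA==\r\n-----END CERTIFICATE-----\r\n";</script>')


def compact_b64(text):
    """Drop PEM-style header lines and whitespace, then verify it is Base64."""
    lines = [ln.strip() for ln in text.splitlines()]
    compact = "".join(ln for ln in lines if not ln.startswith("-----"))
    base64.b64decode(compact, validate=True)  # raises on stray characters
    return compact


def build_post_body(b64_request, profile_id="caCMCUserCert"):
    """Step 2: form body with the Base64 request percent-encoded."""
    return ("profileId=" + quote(profile_id, safe="")
            + "&cert_request_type=cmc&cert_request="
            + quote(compact_b64(b64_request), safe=""))


def extract_certificate_b64(html):
    """Step 4: read outputList.outputVal and undo the display formatting."""
    match = re.search(r'outputList\.outputVal\s*=\s*"([^"]*)"', html)
    if match is None:
        raise ValueError("no outputList.outputVal in response")
    text = match.group(1).replace("\\r", "").replace("\\n", "\n")
    return compact_b64(text)


if __name__ == "__main__":
    b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
    body = build_post_body(b64)
    naive = "profileId=caCMCUserCert&cert_request_type=cmc&cert_request=" + b64
    print(body)  # contents for sendCMCreq.txt
    # What a form decoder recovers: the unencoded body loses every '+'.
    print(repr(parse_qs(naive)["cert_request"][0]))
    print(repr(parse_qs(body)["cert_request"][0]))
    print(extract_certificate_b64(SAMPLE_HTML))
```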