[Pki-users] base64 CMC Request format

Christina Fu cfu at redhat.com
Wed Jul 13 20:41:23 UTC 2016


Hi Kamel,

Just type CMCRequest at the command line and it will spit out a sample 
config file which you can take and modify.  It contains comments where 
you can find out more info.

Hope this helps.

Christina

On 07/13/2016 04:57 AM, Kamal Perera wrote:
> Dear All,
>
> Sorry for taking this old post into focus.
>
> I'm trying to create a CMC enrolment process with our DogTag CA. Can 
> someone advise me how to create a CMCRequest? A sample configuration 
> would be very helpful.
>
>
>
> On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT 
> <WilliamC.Elliott at s-itsolutions.at> wrote:
>
>     Hello Christina,
>
>     Many thanks for the idea.  We'll try it out.
>
>     Best regards,
>     Bill Elliott
>
>     -----Original Message-----
>     From: pki-users-bounces at redhat.com
>     [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
>     Sent: Thursday, 03 October 2013 23:25
>     To: pki-users at redhat.com
>     Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]
>
>     Hi Bill,
>
>     Yes the profileSubmitCMCFull servlet only takes and responds in
>     binary.
>     However, the profileSubmit servlet does take base64 encoded requests
>     (see the caCMCUserCert profile from the ee page). Which means,
>     technically, it can be done, though may not be straightforward at
>     first glance.
>
>     Here is what you can do (I just tried it and it works for me):
>     1. Take your Base64-encoded CMC request blob and URL encode it.
>     2. Create a file, say sendCMCreq.txt, which contains the following
>        data:
>        profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request>
>        e.g. my sendCMCreq.txt reads:
>        profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
>     3. Run the following:
>        wget --post-file sendCMCreq.txt http://<your ca host:port>/ca/ee/ca/profileSubmit
>     4. Once you get the successful response (in HTML), glean for
>                  outputList.outputVal=xxx
>        The "xxx" is your b64 encoded certificate.  It's formatted for display
>        so you might want to further process it.
>
>     Hope this helps.
>     Christina
>
>     On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
>     > We already use CMC enrollment (using profile caFullCMCUserCert)
>     > remotely from a RedHat system. It works without a hitch.  It
>     > requires (ala Docu) converting the requests to binary format with
>     > AtoB before sending them on with HttpClient to the CMC servlet
>     > (/ca/ee/ca/profileSubmitCMCFull), and then receiving the
>     > (binary-encoded) response.
>     >
>     > When the card management system under Windows sends a request -
>     > it is base64-encoded.  The CA cannot parse it and the
>     > authentication fails:
>     >
>     > [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
>     >
>     > Best regards,
>     > Bill Elliott
>     >
>     > -----Original Message-----
>     > From: pki-users-bounces at redhat.com
>     > [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
>     > Sent: Wednesday, 02 October 2013 21:07
>     > To: pki-users at redhat.com
>     > Subject: Re: [Pki-users] base64 CMC Request format [heur]
>     >
>     > On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
>     >> Hi all,
>     >>
>     >> Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into
>     >> accepting base64-encoded CMC requests? Is there a parameter
>     >> somewhere? Or would it require reprogramming?
>     >>
>     >> We have a (smart-)card management system (runs under Windows)
>     >> which sends the requests and expects the responses to both be
>     >> base64 encoded.
>     >>
>     >>       Thanks and best regards,
>     >>
>     >>       William Elliott
>     >>       s IT Solutions
>     >>       Open System Services
>     >>
>     >>
>     >>
>     >>
>     >> _______________________________________________
>     >> Pki-users mailing list
>     >> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>     >> https://www.redhat.com/mailman/listinfo/pki-users
>     > Check profiles/ca/caCMCUserCert.cfg profile.
>     > You may also check
>     > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input
>     > and
>     > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html
>     >
>     > Andrew
>     >
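
Steps 1, 2 and 4 of the procedure quoted above, as an added Python example (not part of the original thread and not Dogtag code): it shows why the base64 blob must be URL-encoded before it goes into the form body, and one way to recover the certificate from `outputList.outputVal`. The request bytes and the response snippet are constructed, and the response layout (a quoted string with `\n` escapes and PEM armor) is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Constructed bytes whose base64 form contains '+', '/' and '=' (not a real CMC request).
SAMPLE_DER = bytes.fromhex("300802fbefbeffffff00")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()  # "MAgC++++////AA=="

# Constructed response fragment; the exact layout is an assumption.
SAMPLE_RESPONSE = (
    '<script>outputList.outputVal="-----BEGIN CERTIFICATE-----\\n'
    'MAgC++++\\n////AA==\\n-----END CERTIFICATE-----\\n";</script>'
)

def build_post_body(b64_request: str) -> str:
    """Steps 1 and 2: drop line breaks, then URL-encode into the form body."""
    compact = "".join(b64_request.split())
    return urlencode({
        "profileId": "caCMCUserCert",
        "cert_request_type": "cmc",
        "cert_request": compact,
    })

def server_view(body: str) -> str:
    """What a form decoder hands to the servlet as cert_request."""
    return parse_qs(body)["cert_request"][0]

def extract_cert_der(response_html: str) -> bytes:
    """Step 4: pull outputList.outputVal and undo the display formatting."""
    m = re.search(r'outputList\.outputVal\s*=\s*"(.*?)"', response_html, re.S)
    if m is None:
        raise ValueError("no outputList.outputVal in response")
    text = m.group(1).replace("\\r", "").replace("\\n", "\n")
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)  # rejects stray characters

if __name__ == "__main__":
    good = build_post_body(SAMPLE_B64)
    raw = "profileId=caCMCUserCert&cert_request_type=cmc&cert_request=" + SAMPLE_B64
    print("encoded body :", good)
    print("server sees  :", server_view(good))
    # Without URL encoding every '+' decodes to a space and the blob is corrupted.
    print("unencoded -> :", repr(server_view(raw)))
    print("certificate  :", extract_cert_der(SAMPLE_RESPONSE).hex())
```

The resulting body is what goes into sendCMCreq.txt for the `wget --post-file` step.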
