Per discussion with Ade and Endi on unrelated audit-event-specific topic, we decide to not split events into SUCCESS and FAILURE.

This updated patch un-split the events that I split prior to the conversation/decision.

thanks,

Christina

On 05/15/2017 06:29 PM, Christina Fu wrote:

(pague ticket is yet to be cloned)

Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof

This patch implements handling of the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user.

The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg

The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request.

When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information.

thanks!

Christina
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel