My question is a follow-on to the CMC enrollment thread from April 28.
The earlier thread says CMC requests have to be inputted through the
web-based "certificate enrollment profiles" by filling in a form field with the
I noticed the Dogtag CA has servlets running at:
Is it possible for a client to send requests directly to those servlets
instead of going through the web form -- and is there a way for the client
to receive the CMC Response from the server as described in the RFC, rather
than just the text message / base64 certificate returned by the web form
after it is submitted?
Also, do CMC requests always have to be signed by an authorized agent, or
has there been any thought to allowing clients to rekey their own
certificates directly with the CA? (e.g. authenticate a new certificate
request using the old certificate with the same subject)
Has interoperability been tested with any tools besides the ones described
(CMCEnroll/CMCRequest/etc.)? Do any other CMC clients actually exist?

I have mounted the Fedora PKI and all modules are installed correctly, but as
soon as I restart the machine it no longer works at all. When I start the pki-ca and
try to access the agent services, it asks me for authentication, then I enter
the password correctly and it shows me the options of the pki-ca, but in the
middle it says "Invalid credentials". The same problem occurs in the other
modules when I try to access them.
Has anyone else had the same problem? The PKI is mounted in Fedora 8 and
I had the problem in the configuration of the pki-ra of the package nss-tools,
but this is already solved.

I'd like to put some load balancers in front of a set of TPS instances (acting as a single virtual TPS) and in front of the CAs that would issue the actual certs. The balancers would be more for reliability and uptime than performance.
Are there any limitations I need to know about? Is it possible to have multiple TPS instances talk to a single TKS instance?