Dear All,

Sorry for taking this old post into focus.

I'm trying to create a CMC enrolment process with our DogTag CA. Can someone advise me how to create a CMCRequest? A sample configuration would be very helpful.

On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT <WilliamC.Elliott@s-itsolutions.at> wrote:
Hello Christina,

Many thanks for the idea.  We'll try it out.

Best regards,
Bill Elliott

-----Original Message-----
From: pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Christina Fu
Sent: Thursday, 03 October 2013 23:25
To: pki-users@redhat.com
Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]

Hi Bill,

Yes, the profileSubmitCMCFull servlet only takes and responds in binary.
However, the profileSubmit servlet does take base64 encoded requests
(see the caCMCUserCert profile from the ee page).  Which means,
technically, it can be done, though may not be straight-forward at first
glance.

Here is what you can do (I just tried it and it works for me):
1. Take your Base64-encoded CMC request blob and URL encode it.
2. Create a file, say sendCMCreq.txt, which contains the following data:
     profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request>
   e.g. my sendCMCreq.txt reads:
     profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
3. Run the following:
     wget --post-file sendCMCreq.txt http://<your ca host:port>/ca/ee/ca/profileSubmit
4. Once you get the successful response (in HTML), glean for
     outputList.outputVal=xxx
   The "xxx" is your b64 encoded certificate.  It's formatted for display
   so you might want to further process it.

Hope this helps.
Christina

On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
> We already use CMC enrollment (using profile caFullCMCUserCert) remotely from a RedHat system. It works without a hitch.  It requires (ala Docu) converting the requests to binary format with AtoB before sending them on with HttpClient to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull), and then receiving the (binary-encoded) response.
>
> When the card management system under Windows sends a request - it is base64-encoded.  The CA cannot parse it and the authentication fails:
>
> [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
>
> Best regards,
> Bill Elliott
>
> -----Original Message-----
> From: pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Andrew Wnuk
> Sent: Wednesday, 02 October 2013 21:07
> To: pki-users@redhat.com
> Subject: Re: [Pki-users] base64 CMC Request format [heur]
>
> On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
>> Hi all,
>>
>> Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
>>
>> We have a (smart-)card management system (runs under Windows) which sends the requests and expects the responses to both be base64 encoded.
>>
>>       Thanks and best regards,
>>
>>       William Elliott
>>       s IT Solutions
>>       Open System Services
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
> Check profiles/ca/caCMCUserCert.cfg profile.
> You may also check
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/CertProfileReference.html#CMC_Certificate_Request_Input
> and
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Setting_up_CMC_Enrollment.html
>
> Andrew

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
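
Steps 1, 2 and 4 of the procedure in Christina's reply, as an added example that is not code from the thread or from the Dogtag project. It assumes the response carries the value as a quoted JavaScript string, possibly with PEM markers and escaped line breaks; the request and response samples are constructed.

```python
import base64
import re
from urllib.parse import quote

PROFILE_ID = "caCMCUserCert"  # profile named in the thread

def build_post_body(cmc_b64: str) -> str:
    """Steps 1-2: strip line breaks, URL-encode the blob, build the form body."""
    blob = "".join(cmc_b64.split())
    base64.b64decode(blob, validate=True)  # reject truncated or non-base64 input early
    # safe="" percent-encodes '+', '/' and '='. A raw '+' in a form body is
    # decoded as a space, which corrupts the signed request before the CA parses it.
    return (f"profileId={PROFILE_ID}&cert_request_type=cmc"
            f"&cert_request={quote(blob, safe='')}")

# Assumption: outputVal is emitted as a double-quoted string in the HTML.
_OUTPUT_VAL = re.compile(r'outputList\.outputVal\s*=\s*"((?:[^"\\]|\\.)*)"')

def extract_cert_b64(html: str) -> str:
    """Step 4: return the first outputVal that decodes as base64 DER."""
    for raw in _OUTPUT_VAL.findall(html):
        text = raw.replace("\\r", "").replace("\\n", "\n")
        text = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
        candidate = "".join(text.split())
        try:
            der = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue  # e.g. a human-readable, pretty-printed output value
        if der[:1] == b"\x30":  # DER SEQUENCE tag that starts a certificate
            return candidate
    raise ValueError("no base64 certificate found in response")

# Constructed sample data, not a real CMC request or CA response.
SAMPLE_REQUEST = base64.b64encode(
    b"\x30\x82\x0b" + bytes([0xFB, 0xEF, 0xFF]) * 4 + b"\xa8").decode()
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(40))
SAMPLE_HTML = (
    'outputList.outputVal="Certificate: Data: Version: v3";\n'
    'outputList.outputVal="-----BEGIN CERTIFICATE-----\\r\\n'
    + base64.b64encode(SAMPLE_DER).decode()
    + '\\r\\n-----END CERTIFICATE-----\\r\\n";\n'
)

if __name__ == "__main__":
    with open("sendCMCreq.txt", "w") as fh:  # file name used in step 2
        fh.write(build_post_body(SAMPLE_REQUEST))
    print(extract_cert_b64(SAMPLE_HTML))
```

The sendCMCreq.txt written here is the file that step 3 posts with wget --post-file.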