Hi Kamel,
Just type CMCRequest at command line and it will spit out a sample
config file which you can take and modify. It contains comments where
you can find out more info.
Hope this helps.
Christina
On 07/13/2016 04:57 AM, Kamal Perera wrote:
Dear All,
Sorry for taking this old post into focus.
I'm trying to create a CMC enrolment process with our DogTag CA. Can
someone advise me how to create a CMCRequest? A sample configuration
would be very helpful.
On Fri, Oct 4, 2013 at 3:38 PM, Elliott William C OSS sIT <WilliamC.Elliott(a)s-itsolutions.at> wrote:
Hello Christina,
Many thanks for the idea. We'll try it out.
Best regards,
Bill Elliott
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Christina Fu
Sent: Thursday, 03 October 2013 23:25
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]
Hi Bill,
Yes, the profileSubmitCMCFull servlet only takes and responds in binary.
However, the profileSubmit servlet does take base64 encoded requests
(see the caCMCUserCert profile from the ee page). Which means,
technically, it can be done, though it may not be straightforward at first
glance.
Here is what you can do (I just tried it and it works for me):
1. Take your Base64-encoded CMC request blob and URL encode it.
2. Create a file, say sendCMCreq.txt, which contains the following data:
   profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request>
   e.g. my sendCMCreq.txt reads:
   profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
3. Run the following:
   wget --post-file sendCMCreq.txt http://<your ca host:port>/ca/ee/ca/profileSubmit
4. Once you get the successful response (in HTML), glean for
   outputList.outputVal=xxx
The "xxx" is your b64 encoded certificate. It's formatted for display
so you might want to further process it.
Hope this helps.
Christina
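
Added example (not part of the original messages and not Dogtag's own tooling): steps 1, 2 and 4 of the procedure above as shell functions, showing why the Base64 blob must be URL-encoded before it goes into the form body. The function names are hypothetical, and the layout assumed for the outputList.outputVal line (double-quoted value, literal \n or \r\n line breaks, optional PEM armor) is an assumption to check against your CA's actual response.

```bash
#!/bin/bash
# Added example: helpers for the profileSubmit procedure described above.
# Function names are hypothetical; they are not part of Dogtag.

# Step 1: URL-encode a Base64 blob read from stdin.
# The Base64 alphabet has only three characters that are unsafe in an
# application/x-www-form-urlencoded body: "+", "/" and "=". An unencoded "+"
# is decoded as a space by the server, which corrupts the signed CMC request.
urlencode_b64() {
    tr -d ' \r\n' | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Step 2: print the POST body for the file "$1" holding the Base64 request.
build_post_body() {
    printf 'profileId=caCMCUserCert&cert_request_type=cmc&cert_request=%s\n' \
        "$(urlencode_b64 < "$1")"
}

# Step 3 (from the thread; needs a reachable CA, so it is not run here):
#   build_post_body request.b64 > sendCMCreq.txt
#   wget --post-file sendCMCreq.txt -O response.html \
#        "http://<your ca host:port>/ca/ee/ca/profileSubmit"

# Step 4: pull the Base64 certificate out of the HTML response file "$1".
# ASSUMPTION: the value appears on one line, double-quoted, e.g. (constructed):
#   outputList.outputVal="-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n";
# with literal backslash-n / backslash-r sequences as display line breaks.
# If several outputVal entries are present, the last one is taken; adjust
# this to match what your CA returns.
extract_cert_b64() {
    grep -o 'outputList\.outputVal="[^"]*"' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^"]*"//' -e 's/"$//' \
              -e 's/\\r//g' -e 's/\\n//g' \
              -e 's/-----[A-Z ]*-----//g'
}
```

The string printed by extract_cert_b64 is bare Base64 without line breaks, so it can be decoded directly (for example with base64 -d) to obtain the DER certificate.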
On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
> We already use CMC enrollment (using profile caFullCMCUserCert)
> remotely from a RedHat system. It works without a hitch. It
> requires (ala Docu) converting the requests to binary format with
> AtoB before sending them on with HttpClient to the CMC servlet
> (/ca/ee/ca/profileSubmitCMCFull), and then receiving the
> (binary-encoded) response.
>
> When the card management system under Windows sends a request -
> it is base64-encoded. The CA cannot parse it and the
> authentication fails:
>
> [02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
>
> Best regards,
> Bill Elliott
>
> -----Original Message-----
> From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Andrew Wnuk
> Sent: Wednesday, 02 October 2013 21:07
> To: pki-users(a)redhat.com
> Subject: Re: [Pki-users] base64 CMC Request format [heur]
>
> On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
>> Hi all,
>>
>> Can Dogtag (in this case v. 9.0.3-30.el6) be coerced into
>> accepting base64-encoded CMC requests? Is there a parameter
>> somewhere? Or would it require reprogramming?
>>
>> We have a (smart-)card management system (runs under Windows)
>> which sends the requests and expects the responses to both be
>> base64 encoded.
>>
>> Thanks and best regards,
>>
>> William Elliott
>> s IT Solutions
>> Open System Services
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
> Check profiles/ca/caCMCUserCert.cfg profile.
> You may also check
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
> and
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
>
> Andrew