Hello Christina,
Many thanks for the idea. We'll try it out.
Best regards,
Bill Elliott
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Christina Fu
Sent: Thursday, 03 October 2013 23:25
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] base64 CMC Request format [bayes][heur]
Hi Bill,
Yes, the profileSubmitCMCFull servlet only takes and responds in binary.
However, the profileSubmit servlet does take base64 encoded requests
(see the caCMCUserCert profile from the ee page). Which means,
technically, it can be done, though may not be straight-forward at first
glance.
Here is what you can do (I just tried it and it works for me):
1. take your Base64-encoded CMC request blob and URL encode it.
2. create a file, say sendCMCreq.txt, which contains the following data:
profileId=caCMCUserCert&cert_request_type=cmc&cert_request=<your b64-encoded/url-encoded request>
e.g. my sendCMCreq.txt reads:
profileId=caCMCUserCert&cert_request_type=cmc&cert_request=MIILqAYJKoZIhvcNAQ...
3. run the following:
wget --post-file sendCMCreq.txt http://<your ca host:port>/ca/ee/ca/profileSubmit
4. Once you get the successful response (in HTML), glean for
outputList.outputVal=xxx
The "xxx" is your b64 encoded certificate. It's formatted for display
so you might want to further process it.
Hope this helps.
Christina
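
Steps 1 to 4 above as a shell script, added here as an example and not part of the original message or of Dogtag. The function names, the file names response.html and sendCMCreq.txt as script outputs, and the shape of the outputList.outputVal line (a double-quoted string with literal \r\n escapes and optional PEM markers) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Step 1: percent-encode a Base64 blob for a form-encoded POST body.
# Base64 uses only A-Z a-z 0-9 + / =, so three characters need escaping.
# An unescaped '+' is decoded by the server as a space, which corrupts the
# DER and makes the CMC signature check fail.
urlencode_b64() {
    tr -d ' \t\r\n' | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Step 2: build the POST body from a file ($1) holding the Base64 CMC request.
build_post_body() {
    printf 'profileId=caCMCUserCert&cert_request_type=cmc&cert_request=%s' \
        "$(urlencode_b64 < "$1")"
}

# Step 3: submit. $1 = body file, $2 = CA base URL, $3 = file for the HTML reply.
submit_cmc() {
    wget --post-file "$1" -O "$3" "$2/ca/ee/ca/profileSubmit"
}

# Step 4: pull the certificate out of the HTML reply ($1).
# Assumption: the value is a double-quoted string with literal \r and \n
# escape sequences, possibly wrapped in BEGIN/END CERTIFICATE markers.
# Output is the bare Base64 certificate on one line.
extract_cert_b64() {
    sed -n 's/.*outputList\.outputVal="\([^"]*\)".*/\1/p' "$1" | head -n 1 |
        sed -e 's/\\r//g' -e 's/\\n//g' -e 's/-----[A-Z ]*-----//g' |
        tr -d ' \t\r\n'
}

# Usage: sh cmc_submit.sh request.b64 'http://<your ca host:port>'
if [ "$#" -eq 2 ]; then
    build_post_body "$1" > sendCMCreq.txt
    submit_cmc sendCMCreq.txt "$2" response.html
    cert=$(extract_cert_b64 response.html)
    # An empty result means the reply carried no outputVal (request rejected).
    [ -n "$cert" ] || { echo "no certificate in response" >&2; exit 1; }
    printf '%s\n' "$cert"
fi
```
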
On 10/02/2013 11:47 PM, Elliott William C OSS sIT wrote:
We already use CMC enrollment (using profile caFullCMCUserCert)
remotely from a RedHat system. It works without a hitch. It requires (ala Docu)
converting the requests to binary format with AtoB before sending them on with HttpClient
to the CMC servlet (/ca/ee/ca/profileSubmitCMCFull), and then receiving the
(binary-encoded) response.
When the card management system under Windows sends a request - it is base64-encoded.
The CA cannot parse it and the authentication fails:
[02/Oct/2013:14:03:26][http-9543-3]: SignedAuditEventFactory: create()
message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$]
agent pre-approved CMC request signature verification
Best regards,
Bill Elliott
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Andrew Wnuk
Sent: Wednesday, 02 October 2013 21:07
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] base64 CMC Request format [heur]
On 10/02/2013 11:26 AM, Elliott William C OSS sIT wrote:
> Hi all,
>
> Can Dogtag (in this case v. 9.0.3-30.el6 ) be coerced into accepting base64-encoded
> CMC requests? Is there a parameter somewhere? Or would it require reprogramming?
>
> We have a (smart-)card management system (runs under Windows) which sends the
> requests and expects the responses to both be base64 encoded.
>
> Thanks and best regards,
>
> William Elliott
> s IT Solutions
> Open System Services
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
Check profiles/ca/caCMCUserCert.cfg profile.
You may also check
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
and
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
Andrew