[Pki-users] Best way to bypass challenge password verification

Hello, Our group is developing its own RA to be part of a PKI solution that includes Dogtag. Our solution uses EST (RFC 7030) between the the clients and the RA, with the EST protocol terminating at the RA. The RA then takes the CSRs and sends them on to Dogtag using REST commands. This project has been going very well, however we did just hit one issue that we were hoping others might be able to provide some guidance on. The EST protocol defines a feature called Proof Of Possession (PoP) where the clients insert the TLS unique ID of the TLS session between it and the EST server, in our case our RA. This TLS UID is sent in the challenge password attribute field of the CSR so that it can be signed by the client. The EST server is responsible for verifying this TLS UID, and once this verification is performed the value in the challenge password field no longer has any meaning. Because the CSR cannot be resigned at this point, the challenge password cannot be taken out of the CSR. This CSR is passed as is along to Dogtag and we're currently finding that Dogtag is checking the CSR and does not like the challenge password attribute: [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: Start parsePKCS10(): MIIBdDCB3gIBADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAMPNKtwZO82WfR5u/hS+SsVghdS9jD5BQS6Z5ymXrKcr9R4t DtSeEQ+AtCZ5qVNXcangb00vJgVqgS/7NH4MzSqscgNzZdpx9+mPklvOUuqTuYCv MFIlMwP/2DJ6TBrmF86vJ1I0GmZAyTSzHg4V4YWaN7r0V7x0RyvFqoBnZU51AgMB AAGgITAfBgkqhkiG9w0BCQcxEgwQTUR4clVZNmd6TnZqdWRmNzANBgkqhkiG9w0B AQsFAAOBgQAAKLbWGndYFfa+8IhopufYOEKIOAmcT+Nhr27vFt5I4ymoUwSlKX9L K+KpLho5Q2GsRoItNXJ6VxRcGe1CPZBW2ef7yPdZaKhFmnxXsYVQaqPY5BGI8kAY MMMr75WQcpn+XUpu+FNB4F2j8YY314u2rsplCMbOdR4tcrgc8WqucA== [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10: signature verification enabled [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10: use internal token [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 setting thread token [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 java.io.IOException: DerValue.getPrintableString, not a string 12 [03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 restoring thread token So we're wondering what the best approach might be to handle this. Is there a way to configure Dogtag so that it will ignore the challenge password? Thanks very much, Pete Beal