CMC Examples Agent Signed EC CMC Request - dogtagpki/pki GitHub Wiki
This example shows generation of and EC cert request that is pre-signed with an agent (RSA) cert.
-
Generate an EC pkcs10 request, e.g.:
$ PKCS10Client -d . -p netscape -a ec -c nistp256 -o p10-ec.req -n "CN=cfuEC" PKCS10Client: Debug: got token. PKCS10Client: Debug: thread token set. PKCS10Client: token Internal Key Storage Token logged in... PKCS10Client: key pair generated. PKCS10Client: CertificationRequest created. PKCS10Client: b64encode completes. Keypair private key id: 1aaa5f1c7e68cded2a9aeaeca1c203e9e65449b4 -----BEGIN CERTIFICATE REQUEST----- MIHJMHICAQAwEDEOMAwGA1UEAwwFY2Z1RUMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1KwcgUYIYLQn8V216jOqhlv/5t36rjdFD6Xe2/unLzvq5i92iiRr0GD8pp99x0CYA4KXZmnwvgb4J5MR5s9T9oAAwCgYIKoZIzj0EAwIDRwAwRAIgV9DVBvNhudP8nvt6jJLBjAbTq8iDa6ArZVQKGtVjlQQCIEzfw+neiCWZ3bLX8dQTedqj7lRHjh2ifh5iDc5mtEDg -----END CERTIFICATE REQUEST----- PKCS10Client: done. Request written to file: p10-ec.req
-
Create an agent-signed CMC request config file: cmc.role_p10.cfg
-
make sure the
nickname
value incmc.role_p10.cfg
is an agent cert -
make sure the
input
points to the CSR you just generated -
(in this case) make sure the
format
ispkcs10
-
-
Run
CMCRequest
to generate the CMC request
$ CMCRequest cmc.role_p10.cfg cert/key prefix = path = /root/cfu/test/cmc/ CryptoManger initialized token internal logged in... got signerCert: cfuAgent2 cert createPKIData: begins k=0 createPKIData: format: pkcs10 PKCS10: PKCS10: begins PKCS10: PKCS10: ends selfSign is false... signData: begins: getPrivateKey: got signing cert signData: got signer privKey createSignedData: begins getSigningAlgFromPrivate: begins. getSigningAlgFromPrivate: found signingKeyType=RSA getSigningAlgFromPrivate: using SignatureAlgorithm: RSASignatureWithSHA256Digest createSignedData: digest created for pkidata createSignedData: digest algorithm =RSA createSignedData: building cert chain signData: signed request generated. getCMCBlob: begins getCMCBlob: generating signed data The CMC enrollment request in base-64 encoded format: MIIKlwYJKoZIhvcNAQcCoIIKiDCCCoQCAQMxDzANBglghkgBZQMEAgEFADCB8AYI <snip> The CMC enrollment request in binary format is stored in /root/cfu/test/cmc/cmc.role_p10-ec.req
-
Create an
HttpClient
cfg file. e.g. HttpClient_role_p10-ec.cfg -
Run
HttpClient
to submit request
$ HttpClient HttpClient_role_p10-ec.cfg Total number of bytes read = 2715 after SSLSocket created, thread token is Internal Key Storage Token client cert is not null handshake happened writing to socket Total number of bytes read = 2291 MIII7wYJKoZIhvcNAQcCoIII4DCCCNwCAQMxDzANBglghkgBZQMEAgEFADAxBggr <snip> The response in binary format is stored in /root/cfu/test/cmc/cmc.role_p10-ec.resp
-
run
CMCResponse
to see result:
$ CMCResponse -d . -i /root/cfu/test/cmc/cmc.role_p10-ec.resp Certificates: Certificate: Data: Version: v3 Serial Number: 0x165 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain Validity: Not Before: Wednesday, October 25, 2017 11:55:31 AM PDT America/Los_Angeles Not After: Monday, April 23, 2018 11:55:31 AM PDT America/Los_Angeles Subject: CN=cfuEC Subject Public Key Info: Algorithm: EC - 1.2.840.10045.2.1 Public Key: 04:B5:2B:07:20:51:82:18:2D:09:FC:57:6D:7A:8C:EA: <snip> Number of controls is 1 Control #0: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 1 Status: SUCCESS
-
Note the
SUCCESS
status in theCMCResponse
; In addition, you can-
Check relevant audit messages, e.g.:
-
0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][ReqType=enrollment][CertSubject=CN=cfuEC][SignerInfo=UID=TestAgent2,OU=example] agent pre-approved CMC request signature verification 0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=cfu][Outcome=Success][Role=Certificate Manager Agents] assume privileged role 0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=cfu][Outcome=Success][Info=method=EnrollProfile: fillTaggedRequest: ] proof of possession 0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=cfu][Outcome=Success][ReqID=563][ProfileID=caFullCMCUserCert][CertSubject=CN=cfuEC] certificate request made with certificate profiles 0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=cfu][Outcome=Success][ReqID=563][CertSerialNum=357] certificate request processed 0.http-bio-8443-exec-2 - [25/Oct/2017:11:55:31 PDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=x1.x2.x3.x4][ServerIP=y1.y2.y3.y4][SubjectID=UID=TestAgent2,OU=example][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated