PKI 10.4 CMC Profiles - dogtagpki/pki GitHub Wiki
Prior to PKI 10.4, the URI for submitting CMC requests is /ee/ca/profileSubmitCMCFull, which leads to the enrollment profile caFullCMCUserCert.cfg, where the authentication instance CMCAuth is specified. As discussed before, that is an agent-only authentication.
In PKI 10.4, for non-agent-approved CMC enrollment, two new access URIs are introduced, each leading to a new enrollment profile:

- /ee/ca/profileSubmitUserSignedCMCFull → caFullCMCUserSignedCert.cfg
  - As the name implies, this is the case where a user already has a valid signing certificate, which is used to sign other CMC certificate requests.
  - This is the same access point for renewals.
  - Profile caFullCMCUserSignedCert.cfg by default contains the following relevant profile defaults/constraints:
    - CmcUserSignedSubjectNameDefault/CmcUserSignedSubjectNameConstraint: ensure that the new certificate will contain the same subject name as that of the signing certificate.
    - UniqueKeyConstraint: controls whether same-key renewal is allowed or not. If allowed, it searches for the newest certificate in the repository with the same key and renews that one. Revoked certificates are not renewable.
    - RenewGracePeriodConstraint: controls the renewal grace period in the case of same-key renewals. A rekey renewal cannot use this, as it is treated as a new enrollment.
- /ee/ca/profileSubmitSelfSignedCMCFull → caFullCMCSelfSignedCert.cfg
  - As the name implies, this is the case where a user does not already have a valid signing certificate, so the request is self-signed, and the Identity Proof (v2) control is needed to complete the proof of origin.
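The renewal rules that UniqueKeyConstraint and RenewGracePeriodConstraint enforce in caFullCMCUserSignedCert.cfg, written out as an added Python illustration. This is not Dogtag's own code: the in-memory certificate repository, the key_id field (a stand-in for the public key), the 30-day grace-period defaults and the evaluate_same_key_request function are all constructed here to show the decision logic, which is the same whether the key is found, revoked, inside or outside the grace window.

```python
# Added illustration of the renewal rules described for caFullCMCUserSignedCert.cfg
# (UniqueKeyConstraint and RenewGracePeriodConstraint). This is NOT Dogtag's
# implementation: the repository, the key identifier, the grace-period defaults
# and the decision function are constructed for demonstration only.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year, month, day):
    """Small helper so sample dates are timezone-aware UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    serial: int
    key_id: str          # constructed stand-in for the public key (e.g. a hash of the SPKI)
    not_after: datetime
    revoked: bool


def newest_cert_with_key(repo, key_id):
    """Find the most recently issued certificate carrying the same public key.

    Mirrors what the wiki says UniqueKeyConstraint does: when same-key renewal
    is allowed, the newest matching certificate is the one that is renewed.
    Serial numbers are assumed to increase with issuance.
    """
    matches = [c for c in repo if c.key_id == key_id]
    return max(matches, key=lambda c: c.serial) if matches else None


def within_grace_period(existing, now, grace_before_days, grace_after_days):
    """RenewGracePeriodConstraint semantics as assumed here: a same-key renewal
    is accepted only from grace_before_days before expiry until
    grace_after_days after expiry of the certificate being renewed."""
    window_start = existing.not_after - timedelta(days=grace_before_days)
    window_end = existing.not_after + timedelta(days=grace_after_days)
    return window_start <= now <= window_end


def evaluate_same_key_request(repo, key_id, now, allow_same_key_renewal=True,
                              grace_before_days=30, grace_after_days=30):
    """Decide whether a CMC request presenting key_id is accepted.

    Returns (decision, reason). The 30-day grace defaults are constructed for
    this example, not values taken from the shipped profile.
    """
    existing = newest_cert_with_key(repo, key_id)
    if existing is None:
        # Unknown key: a rekey is treated as a new enrollment, so the
        # grace period does not apply at all.
        return "accepted", "new key: treated as new enrollment"
    if not allow_same_key_renewal:
        return "rejected", "key already in use and same-key renewal is disabled"
    if existing.revoked:
        # Revoked certificates are not renewable, even with the same key.
        return "rejected", f"newest cert {existing.serial} with this key is revoked"
    if not within_grace_period(existing, now, grace_before_days, grace_after_days):
        return "rejected", f"cert {existing.serial} is outside the renewal grace period"
    return "accepted", f"same-key renewal of cert {existing.serial}"


# Constructed sample repository: two certs share key "k-alice" (serial 150 is
# the newer one), and the only cert for "k-bob" has been revoked.
SAMPLE_REPO = [
    CertRecord(100, "k-alice", utc(2024, 6, 30), revoked=False),
    CertRecord(150, "k-alice", utc(2025, 6, 30), revoked=False),
    CertRecord(120, "k-bob", utc(2025, 6, 30), revoked=True),
]


if __name__ == "__main__":
    now = utc(2025, 6, 15)
    for key in ("k-alice", "k-bob", "k-carol"):
        print(key, evaluate_same_key_request(SAMPLE_REPO, key, now))
```

Note that the search returns serial 150, not the older serial 100 with the same key, so the grace window is measured against the newest certificate; a request that arrives months after that certificate expired is rejected rather than silently treated as a fresh enrollment, which is exactly what the rekey path (a key the repository has never seen) gets instead.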
For system certificates using CMC enrollment, the following new access URIs are introduced, each leading to a new enrollment profile:

- /ee/ca/profileSubmitCMCFullCACert → caCMCcaCert.cfg
- /ee/ca/profileSubmitCMCFullServerCert → caCMCserverCert.cfg
- /ee/ca/profileSubmitCMCFullSubsystemCert → caCMCsubsystemCert.cfg
- /ee/ca/profileSubmitCMCFullOCSPCert → caCMCocspCert.cfg
- /ee/ca/profileSubmitCMCFullAuditSigningCert → caCMCauditSigningCert.cfg
- /ee/ca/profileSubmitCMCFullKRAstorageCert → caCMCkraStorageCert.cfg
- /ee/ca/profileSubmitCMCFullKRAtransportCert → caCMCkraTransportCert.cfg