PKI 10.4 CMC Update - dogtagpki/pki GitHub Wiki

Overview

Prior to PKI 10.4, CMC implementation was based on a subset of RFC 2797, released in 2000, while the most current RFC (RFC 5272 with update from RFC 6402) was dated 2011. The only means of authentication for CMC requests was the CMCAuth authentication plugin, which only allows a CA agent to pre-sign a CMC request. The only form of proof of possession is by the nature of PKCS#10 CSR signature or CRMF POP control, both of which require the private key to be capable of signing.

In 10.4, our goal was to try to fill the fairly large gap by adding the missing and updating the outdated features to conform to RFC 5272 with update from RFC 6402.

This document describes how this release provides the following tighter security and better versatility:

  • Proof of Identity (or Proof of Origin) for non-agent users

  • Proof of Possession (POP) - proving that the enrollment initiator (subscriber) possesses the private key that pairs with the public key in the request

  • Link between the identity and the POP - in this case, a control that contains data generated from the shared-secret between the server and the initiator is signed into the POP.

  • Various enrollment and renewal conditions

  • Appropriate auditing.

Design

Certificate Issuance User Workflow

Practical Usage Scenarios

Examples

RSA User Certificates

Note: It is highly recommended that you read the Certificate Issuance User Workflow section above first before following the examples in this section.

Note: Audit events shown in the examples are for information only; They are not finalized at the point of this writing.

EC User Certificates

The following are a couple examples for EC user certificates.

Note that for convenience, in the following examples, I’m using an RSA CA as the issuance CA, and the agent certificate itself is an RSA certificate.

System Certificates

Note: A generic CMC servlet improvement has been made since the instruction below was initially provided. Please see PKI 10.5 Installation with CMC for newer examples on making system cert requests

Note:

  1. It is highly recommended that you read the Certificate Issuance User Workflow section above first before following the examples in this section.

  2. It is important to note that all of the system cert requests need to be signed by a CA agent.

This section gives examples on how to procure PKI system certificates via CMC.

Role User (Administrator, Agent, or Auditor) Certificate

⚠️ **GitHub.com Fallback** ⚠️