Prior to PKI 10.4, CMC implementation was based on a subset of RFC 2797, released in 2000, while the most current RFC (RFC 5272 with update from RFC 6402) was dated 2011. The only means of authentication for CMC requests was the CMCAuth authentication plugin, which only allows a CA agent to pre-sign a CMC request. The only form of proof of possession is by the nature of PKCS#10 CSR signature or CRMF POP control, both of which require the private key to be capable of signing.

In 10.4, our goal was to try to fill the fairly large gap by adding the missing and updating the outdated features to conform to RFC 5272 with update from RFC 6402.

This document describes how this release provides the following tighter security and better versatility:

• Proof of Identity (or Proof of Origin) for non-agent users

• Proof of Possession (POP) - proving that the enrollment initiator (subscriber) possesses the private key that pairs with the public key in the request

• Link between the identity and the POP - in this case, a control that contains data generated from the shared-secret between the server and the initiator is signed into the POP.

• Various enrollment and renewal conditions

• Appropriate auditing.

Note: It is highly recommended that you read the Certificate Issuance User Workflow section above first before following the examples in this section.

Note: Audit events shown in the examples are for information only; They are not finalized at the point of this writing.

• CMC Examples - User-Signed CMC Request with PopLinkWitnessV2

• CMC Examples - Self-Signed CMC Request with IdentityProofV2

• CMC Examples - User-Signed CMC Request without POP

• CMC Examples - User-Signed CMC Renewal Request

• CMC Examples - User-Signed CMC Revocation Request

• CMC Examples - Unsigned CMC Revocation Request

The following are a couple examples for EC user certificates.

Note that for convenience, in the following examples, I’m using an RSA CA as the issuance CA, and the agent certificate itself is an RSA certificate.

Note: A generic CMC servlet improvement has been made since the instruction below was initially provided. Please see PKI 10.5 Installation with CMC for newer examples on making system cert requests

Note:

1. It is highly recommended that you read the Certificate Issuance User Workflow section above first before following the examples in this section.

2. It is important to note that all of the system cert requests need to be signed by a CA agent.

This section gives examples on how to procure PKI system certificates via CMC.

• CMC Examples - Agent-Signed EC CMC Request

• CMC Examples - User-Signed EC CMC Request

• CMC Examples - Getting Subordinate CA Certificate

• CMC Examples - Getting OCSP Signing Certificate

• CMC Examples - Getting SSL Server Certificate

• CMC Examples - Getting Subsystem Certificate

• CMC Examples - Getting Audit Signing Certificate

• CMC Examples - Getting KRA Transport Certificate

• CMC Examples - Getting KRA Storage Certificate

• CMC Examples - Getting Role User Certificate