#2673 allow enrollment key signed CMC with identity proof
Closed: fixed 8 years ago Opened 8 years ago by mharmsen.

Per RFC 5272, a CMC Full PKI Request could be signed either with a pre-existing
cert or with the private key matching the public key in the request itself.

The pre-existing cert option has been satisfied by

https://pagure.io/dogtagpki/issue/2617

This ticket is to cover the other option. When agent pre-signing is not
available and an existing user signing cert is not available, this (signing with
the matching key from the request) would work with identity proof (v2) to prove
identity.


Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1447080
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: critical

8 years ago

Metadata Update from @cfu:
- Issue assigned to cfu

8 years ago

commit 3c43b1119ca978c296a38a9fe404e1c0cdcdab63
Author: Christina Fu cfu@redhat.com
Date: Mon May 15 18:15:36 2017 -0700

Ticket 2673 - CMC: allow enrollment key signed (self-signed) CMC with identity proof

This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for this method is when no signing cert has been issued to the user before; once it is issued, it can be used to sign subsequent cert requests by the same user.

The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg

The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request.

When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted.

More will come in the next couple of CMC patches.
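The mechanism the commit describes, as an added example (not Dogtag code, and not a wire-compatible CMC implementation): a Go sketch of a client building a self-signed request that carries a SubjectKeyIdentifier and an RFC 5272-style Identity Proof V2, and of the checks a CA performs on it. The type SelfSignedRequest, the functions BuildRequest, VerifyRequest and hasMatchingSKI, and the shared secret are assumptions made for illustration; a bare PKCS#10 stands in for the PKIData reqSequence, and the real control's algorithm identifiers and ASN.1 framing are not modeled.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-ce-subjectKeyIdentifier (RFC 5280), the extension a "-y"-style option adds to the request.
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}

// SelfSignedRequest (assumed type) stands in for a self-signed CMC Full PKI Request: the outer
// signature is made with the key whose public half sits inside the embedded PKCS#10.
type SelfSignedRequest struct {
	CSRDER    []byte // DER PKCS#10, standing in for the PKIData reqSequence
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 over CSRDER, by the CSR's own private key
	Witness   []byte // identity proof MAC over CSRDER (see identityProof)
}

// subjectKeyIdentifier: leftmost 160 bits of SHA-256 over the encoded public key (RFC 7093 method 1).
func subjectKeyIdentifier(pub *rsa.PublicKey) []byte {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return sum[:20]
}

// identityProof follows the shape of RFC 5272 Identity Proof V2: hash the shared secret to
// get the MAC key, then MAC the request body. Algorithm identifiers and DER framing omitted.
func identityProof(sharedSecret, body []byte) []byte {
	key := sha256.Sum256(sharedSecret)
	mac := hmac.New(sha256.New, key[:])
	mac.Write(body)
	return mac.Sum(nil)
}

// BuildRequest is the client side: SKI into the PKCS#10, sign with the request's own key, attach
// the identity proof derived from the shared secret the CA issued out of band (assumed flow).
func BuildRequest(priv *rsa.PrivateKey, cn string, sharedSecret []byte) (*SelfSignedRequest, error) {
	ski := subjectKeyIdentifier(&priv.PublicKey)
	tmpl := x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn},
		SignatureAlgorithm: x509.SHA256WithRSA,
		// extnValue is an OCTET STRING: tag 0x04, length 20, then the 20 SKI bytes.
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectKeyIdentifier, Value: append([]byte{0x04, 0x14}, ski...)}},
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(csr)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SelfSignedRequest{CSRDER: csr, Signature: sig, Witness: identityProof(sharedSecret, csr)}, nil
}

// VerifyRequest is the CA side. The subject DN is returned even on failure so it can be logged:
// until the identity proof verifies there is no authenticated identity (no auditSubjectID).
func VerifyRequest(req *SelfSignedRequest, sharedSecret []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(req.CSRDER)
	if err != nil {
		return "", err
	}
	dn := csr.Subject.String()
	if err := csr.CheckSignature(); err != nil { // inner PKCS#10 signature (proof of possession)
		return dn, fmt.Errorf("pkcs10 signature: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return dn, fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
	// 1. The outer signature must verify under the key taken from the request itself.
	digest := sha256.Sum256(req.CSRDER)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], req.Signature); err != nil {
		return dn, fmt.Errorf("self-signed CMC signature: %w", err)
	}
	// 2. The request must carry a SubjectKeyIdentifier that matches that key.
	if !hasMatchingSKI(csr, pub) {
		return dn, fmt.Errorf("missing or mismatched SubjectKeyIdentifier")
	}
	// 3. Only the identity proof ties the request to an enrolled user; constant-time compare.
	if !hmac.Equal(req.Witness, identityProof(sharedSecret, req.CSRDER)) {
		return dn, fmt.Errorf("identity proof v2 failed")
	}
	return dn, nil
}

func hasMatchingSKI(csr *x509.CertificateRequest, pub *rsa.PublicKey) bool {
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidSubjectKeyIdentifier) {
			var ski []byte
			_, err := asn1.Unmarshal(ext.Value, &ski)
			return err == nil && hmac.Equal(ski, subjectKeyIdentifier(pub))
		}
	}
	return false
}
```

Two failure modes in the verifier are the ones that matter for this ticket. A request whose outer signature was made by any key other than the one inside the PKCS#10 is rejected at step 1, because the verification key is taken from the request itself rather than from a pre-existing certificate. A request built with the wrong shared secret is rejected at step 3, yet the requested subject DN is still returned, which is the only identity the CA has at that point and matches the commit's note that the DN is logged before any auditSubjectID exists.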

Metadata Update from @cfu:
- Custom field type adjusted to enhancement (was: defect)
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.5 (was: 10.4)

8 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27

8 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2793

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
