Server-side generated tokens over CMP are labeled as user-generated #408
I'm using the Keyfactor Docker ejbca-ce version 8.0.0 (as a test case) to request client certificates from the server over CMP (with BouncyCastle) using the server-side generated keys workflow. The certificates from the clients are used to encrypt files, therefore they need to be recoverable, so all server-side generated tokens are configured to be recoverable. The issue is, all CMP-requested certificates are labeled in the RA GUI as user-generated and are therefore not recoverable. The CMP message from the client does not include a private key; the answer from the server includes a private key and certificate that I can extract and use.

My workflow is similar to https://github.com/rgorosito/ejbca/blob/master/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CrmfRequestTest.java -> test12ServerGeneratedKeys.

Is there a different way to recover CMP-requested keys? Or is this some unexpected behavior?

At the very moment my request does not contain a certificate template with unique values; I'm just sending the new user (userDN), the public key for the encryption secret and the algorithms that should be used.

Comments

Hi, the use case to store CMP CA-generated keys is not implemented. The use case for CMP CA-generated keys has so far been to generate keys for devices that don't have good, or fast, enough onboard key generation. So for CA-generated authentication keys, which are not recoverable. Indeed, the label "usergenerated" sounds confusing. It is expected behavior at this time. It's considered a feature request for now. I will create a developer ticket for this, but since we haven't had this use case before I can't say that it will be in a roadmap any time soon.

For reference (not publicly available yet, but in the future): https://jira.primekey.se/browse/ECA-11981

For reference, I started this work in ECA-11981; some refactoring and clean-ups are needed to implement this nicely.