PKI 10.4 CMC Authentication Plugin
As mentioned above, prior to PKI 10.4, CMCAuth was the only method of CMC authentication. It requires a CA agent to sign the requests. In PKI 10.4, CMCUserSignedAuth has been introduced to handle:
- Requests that are self-signed (signed with the private key of the request itself), via `SignerIdentifier.SUBJECT_KEY_IDENTIFIER`
  - This is normally used to obtain a user's first certificate (a signing cert), which would later be used to obtain other types of certificates.
  - Again, this has to be combined with the Identity Proof (v2) control for proof of origin.
  - Both `CRMFPopClient` and `PKCS10Client` have been updated to handle the `-y` option for self-signed requests.
- Requests signed by non-privileged users, via `SignerIdentifier.ISSUER_AND_SERIALNUMBER`
  - This can only be used when the user has already obtained a signing certificate, so that it can be used to prove the user's identity for other certificates.
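The two signer identifiers above correspond to the two alternatives of the CMS `SignerIdentifier` CHOICE (RFC 5652), which differ in their DER tag. The following added example (not code from PKI itself) classifies an already-extracted `SignerInfo` by that tag when reviewing a request; the function names, the `REQUIREMENT` table and the sample bytes are constructed for illustration.

```python
# Added example: classify the SignerIdentifier carried by a CMS SignerInfo (RFC 5652).

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def signer_identifier_kind(signer_info):
    """Name the SignerIdentifier choice in a DER-encoded SignerInfo."""
    tag, body, _ = read_tlv(signer_info, 0)
    if tag != 0x30:
        raise ValueError("SignerInfo must be a SEQUENCE")
    vtag, vbytes, pos = read_tlv(body, 0)     # CMSVersion INTEGER comes first
    if vtag != 0x02:
        raise ValueError("expected CMSVersion INTEGER")
    version = int.from_bytes(vbytes, "big")
    sid_tag, _, _ = read_tlv(body, pos)       # sid follows the version
    if sid_tag == 0x30:                       # IssuerAndSerialNumber SEQUENCE
        kind, expected = "ISSUER_AND_SERIALNUMBER", 1
    elif sid_tag == 0x80:                     # [0] IMPLICIT SubjectKeyIdentifier
        kind, expected = "SUBJECT_KEY_IDENTIFIER", 3
    else:
        raise ValueError(f"unknown SignerIdentifier tag 0x{sid_tag:02x}")
    if version != expected:                   # RFC 5652 ties version to the sid choice
        raise ValueError(f"version {version} does not match {kind}")
    return kind

# What each choice requires, as stated on this page.
REQUIREMENT = {
    "SUBJECT_KEY_IDENTIFIER": "self-signed: combine with Identity Proof (v2) control",
    "ISSUER_AND_SERIALNUMBER": "user-signed: signer already holds a signing certificate",
}

# Constructed samples (version + sid only; the other SignerInfo fields are omitted).
SELF_SIGNED = bytes.fromhex("3009" "020103" "8004" "0a0b0c0d")
USER_SIGNED = bytes.fromhex("300a" "020101" "3005" "3000" "020105")
```

`REQUIREMENT[signer_identifier_kind(blob)]` gives the condition from the list above that a reviewer should confirm for that request.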
Here is an example that shows a profile that requires authentication through CMCUserSignedAuth (user-signed):

auth.instance_id=CMCUserSignedAuth

The new profiles that have this authentication by default are:
- caFullCMCUserSignedCert
- caFullCMCSelfSignedCert

Here is an example that shows a profile that requires authentication through CMCAuth (agent-signed):

auth.instance_id=CMCAuth