
PKI 10.4 CMC Configuration

Endi S. Dewata edited this page Nov 26, 2025 · 1 revision

The following are the CMC-related configuration parameters in the CA’s CS.cfg (with defaults displayed):

cmc.popLinkWitnessRequired=false
cmc.token=internal

cert.issuance_protection.nickname=cmcIssuanceProtectionCert

  • cmc.popLinkWitnessRequired - Requires sharedSecret. The default is false; set it to true to turn it on.

    • note: see cmc.sharedSecret below

  • cmc.revokeCert.sharedSecret.class - (to be implemented) - 10.5 update: implemented. See PKI 10.5 CMC Shared Token

    • note: before the sharedSecret class is implemented, this parameter is removed from the default CS.cfg at installation

    • for testing purposes, the "mock SharedSecret plugin" can be added in CS.cfg, but be sure to remove it for production:

      • cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret

  • cmc.sharedSecret.class (to be implemented) - 10.5 update: implemented. See PKI 10.5 CMC Shared Token

    • note: before the sharedSecret class is implemented, this parameter is removed from the default CS.cfg at installation

    • for testing purposes, the "mock SharedSecret plugin" can be added in CS.cfg, but be sure to remove it for production:

      • cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret

  • cmc.token - The token name; it should match the token where the CA’s subsystem certificate (and keys) reside.

  • cert.issuance_protection.nickname - The nickname of the Issuance Protection certificate used for PoP-related encryption. By default, when this parameter is not set, the subsystem certificate specified in cert.subsystem.nickname is used.
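
An added example, not part of the Dogtag PKI wiki or code base: a small Python audit of a 10.4 CS.cfg against the parameters above, flagging a leftover mock SharedSecret plugin and a popLinkWitnessRequired setting with no shared secret class behind it. It assumes plain key=value lines with '#' comments; the function names and the sample configuration are constructed for illustration.

```python
# Added example: audit a PKI 10.4 CS.cfg for the CMC settings described on this page.
# The page calls this class a mock plugin on 10.4; it must not stay in production.
MOCK_CLASS = "com.netscape.cms.authentication.SharedSecret"
SHARED_SECRET_KEYS = ("cmc.sharedSecret.class", "cmc.revokeCert.sharedSecret.class")


def parse_cs_cfg(text):
    """Parse key=value lines; blanks and '#' lines are skipped (assumed syntax)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()  # last assignment wins
    return cfg


def issuance_protection_nickname(cfg):
    """Nickname used for PoP-related encryption, with the documented fallback."""
    return cfg.get("cert.issuance_protection.nickname") or cfg.get("cert.subsystem.nickname")


def audit_cmc(cfg, production=True):
    """Return a list of findings for the CMC parameters on this page."""
    findings = []
    for key in SHARED_SECRET_KEYS:
        if production and cfg.get(key) == MOCK_CLASS:
            findings.append(f"{key}: mock SharedSecret plugin still configured")
    # popLinkWitnessRequired depends on sharedSecret; default is false.
    pop_required = cfg.get("cmc.popLinkWitnessRequired", "false").lower() == "true"
    if pop_required and not cfg.get("cmc.sharedSecret.class"):
        findings.append("cmc.popLinkWitnessRequired=true but cmc.sharedSecret.class is not set")
    return findings


# Constructed sample, not taken from a real instance.
SAMPLE = """\
cmc.popLinkWitnessRequired=true
cmc.token=internal
cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cert.subsystem.nickname=subsystemCert cert-pki-ca
"""

if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE)
    for finding in audit_cmc(cfg):
        print("FINDING:", finding)
    print("PoP encryption cert nickname:", issuance_protection_nickname(cfg))
```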
