PKI 10.4 CMC Profiles
Prior to PKI 10.4, the accessing URI for CMC requests was /ee/ca/profileSubmitCMCFull, which leads to the enrollment profile caFullCMCUserCert.cfg, where the authentication instance CMCAuth is specified. As discussed before, that is agent-only authentication: the request must be signed by an agent certificate, so it does not serve end users who sign their own requests.
In PKI 10.4, for non-agent-approved CMC enrollment, two new accessing URIs are introduced, each leading to a new enrollment profile:

- /ee/ca/profileSubmitUserSignedCMCFull ⇒ caFullCMCUserSignedCert.cfg
  - As the name implies, this is the case where the user already holds a valid signing certificate, which is used to sign the CMC request for the new certificate.
  - This is also the access point for renewals.
  - Profile caFullCMCUserSignedCert.cfg by default contains the following relevant profile defaults/constraints:
    - CmcUserSignedSubjectNameDefault/CmcUserSignedSubjectNameConstraint: ensures that the new certificate carries the same subject name as the signing certificate, so a user cannot use their own certificate to obtain one for a different identity.
    - UniqueKeyConstraint: controls whether same-key renewal is allowed. If allowed, it searches the certificate repository for the newest certificate with the same key and treats the request as a renewal of it. Revoked certificates are not renewable.
    - RenewGracePeriodConstraint: controls the renewal grace period for same-key renewals. A rekey renewal (new key pair) cannot use this, since it is treated as a new enrollment.
- /ee/ca/profileSubmitSelfSignedCMCFull ⇒ caFullCMCSelfSignedCert.cfg
  - As the name implies, this is the case where the user does not yet hold a valid signing certificate, so the request is self-signed, and the Identity Proof (v2) control is needed to complete the proof of origin.
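To make the security role of these three policies concrete, here is an added example (not Dogtag code and not part of this wiki page) that parses a Dogtag-style profile .cfg, checks that a user-signed CMC profile actually enforces the subject-name binding and the renewal controls listed above, and applies the grace-period window to a same-key renewal. The profile fragment is constructed; the key layout (policyset.<set>.<n>.constraint.class_id=...) follows the Dogtag profile file format, while the class_id strings, the allowSameKeyRenewal/graceBefore/graceAfter parameter names, and the interpretation of the grace values as day counts around notAfter are assumptions about the shipped caFullCMCUserSignedCert.cfg.

```python
"""Lint a Dogtag-style CA profile for the CMC user-signed controls.

Added example, not Dogtag code.  Policy class_id strings and parameter
names below are assumed from the shipped caFullCMCUserSignedCert.cfg.
"""
from datetime import datetime, timedelta

# Constructed profile fragment (assumption: mirrors the layout of the shipped
# caFullCMCUserSignedCert.cfg; only the policies relevant here are shown).
SAMPLE_PROFILE = """\
desc=User certificates via CMC requests signed by the user's existing cert
visible=true
enable=true
auth.instance_id=
policyset.list=cmcUserCertSet
policyset.cmcUserCertSet.list=1,6,7
policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
policyset.cmcUserCertSet.6.constraint.class_id=uniqueKeyConstraintImpl
policyset.cmcUserCertSet.6.constraint.params.allowSameKeyRenewal=true
policyset.cmcUserCertSet.6.default.class_id=noDefaultImpl
policyset.cmcUserCertSet.7.constraint.class_id=renewGracePeriodConstraintImpl
policyset.cmcUserCertSet.7.constraint.params.renewal.graceBefore=30
policyset.cmcUserCertSet.7.constraint.params.renewal.graceAfter=30
policyset.cmcUserCertSet.7.default.class_id=noDefaultImpl
"""

# Constraint classes the user-signed profile must carry, and why each matters.
REQUIRED_CONSTRAINTS = {
    "cmcUserSignedSubjectNameConstraintImpl":
        "a user could sign a request for a different subject name",
    "uniqueKeyConstraintImpl":
        "same-key renewal is uncontrolled (revoked certs could be 'renewed')",
    "renewGracePeriodConstraintImpl":
        "same-key renewal is accepted at any time, not only near expiry",
}


def parse_profile(text):
    """Parse key=value profile lines into a dict, skipping blanks and comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def policy_entries(cfg):
    """Return (policyset, index, constraint class_id, params) for each policy."""
    entries = []
    for pset in filter(None, (p.strip() for p in cfg.get("policyset.list", "").split(","))):
        for idx in filter(None, (i.strip() for i in cfg.get(f"policyset.{pset}.list", "").split(","))):
            prefix = f"policyset.{pset}.{idx}.constraint."
            params = {k[len(prefix + "params."):]: v
                      for k, v in cfg.items() if k.startswith(prefix + "params.")}
            entries.append((pset, idx, cfg.get(prefix + "class_id"), params))
    return entries


def lint_user_signed_profile(cfg):
    """Return a list of findings; an empty list means the expected controls are present."""
    present = {cls for _, _, cls, _ in policy_entries(cfg)}
    findings = [f"missing {cls}: {why}" for cls, why in REQUIRED_CONSTRAINTS.items()
                if cls not in present]
    if cfg.get("auth.instance_id") == "CMCAuth":
        findings.append("auth.instance_id=CMCAuth: this is the agent-only authentication, "
                        "not a user-signed profile")
    return findings


def same_key_renewal_allowed(cfg):
    """True only if UniqueKeyConstraint is present and permits same-key renewal."""
    for _, _, cls, params in policy_entries(cfg):
        if cls == "uniqueKeyConstraintImpl":
            return params.get("allowSameKeyRenewal", "false").lower() == "true"
    return False


def within_grace_period(cfg, not_after, now):
    """Apply graceBefore/graceAfter (assumed to be days) around the old cert's notAfter.

    Dates are ISO strings (YYYY-MM-DD).  With no constraint configured nothing
    restricts the window, which is exactly the weakness the linter reports.
    """
    expiry = datetime.strptime(not_after, "%Y-%m-%d")
    at = datetime.strptime(now, "%Y-%m-%d")
    for _, _, cls, params in policy_entries(cfg):
        if cls == "renewGracePeriodConstraintImpl":
            before = timedelta(days=int(params.get("renewal.graceBefore", 0)))
            after = timedelta(days=int(params.get("renewal.graceAfter", 0)))
            return expiry - before <= at <= expiry + after
    return True


if __name__ == "__main__":
    cfg = parse_profile(SAMPLE_PROFILE)
    print("findings:", lint_user_signed_profile(cfg) or "none")
    print("same-key renewal allowed:", same_key_renewal_allowed(cfg))
    print("renewal on 2024-06-10 for cert expiring 2024-06-30:",
          within_grace_period(cfg, "2024-06-30", "2024-06-10"))
```

Running the linter against a copy of the profile with policy 1 removed from the policyset list reports the missing CmcUserSignedSubjectNameConstraint, which is the check worth automating: without it, the only thing binding the requested subject to the signer is convention.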
For system certificates using CMC enrollment, the following new accessing URIs are introduced, each leading to a new enrollment profile:

- /ee/ca/profileSubmitCMCFullCACert ⇒ caCMCcaCert.cfg
- /ee/ca/profileSubmitCMCFullServerCert ⇒ caCMCserverCert.cfg
- /ee/ca/profileSubmitCMCFullSubsystemCert ⇒ caCMCsubsystemCert.cfg
- /ee/ca/profileSubmitCMCFullOCSPCert ⇒ caCMCocspCert.cfg
- /ee/ca/profileSubmitCMCFullAuditSigningCert ⇒ caCMCauditSigningCert.cfg
- /ee/ca/profileSubmitCMCFullKRAstorageCert ⇒ caCMCkraStorageCert.cfg
- /ee/ca/profileSubmitCMCFullKRAtransportCert ⇒ caCMCkraTransportCert.cfg