Skip to content

PKI 10.4 CMC Tools

Jump to bottom
Endi S. Dewata edited this page Nov 26, 2025 · 1 revision

The following clients have been updated to support the new CMC features:

  • CRMFPopClient

    • a -y option has been added to support self-sign, where a subjectKeyIdentifier extension is required by the RFC to be present in the request

    • private key id is printed in output for use in needed CMC controls

    • due to limitation of HSM, if KRA is employs HSM, CRMFPopClient should be run with the following option:

      • -w "AES/CBC/PKCS5Padding"

  • PKCS10Client

    • a -y option has been added to support self-sign, where a subjectKeyIdentifier extension is required by the RFC to be present in the request

    • private key id is printed in output for use in needed CMC controls

  • CMCRequest (for more information: man CMCRequest)

    • identityProofV2 - prove identity in self-signed case

      • identityProofV2.enable - true to enable, false otherwise.

      • identityProofV2.hashAlg - supported values are: SHA-1, SHA-256, SHA-384, and SHA-512

      • identityProofV2.macAlg - supported values are: SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC

    • witness - Used for identityProofV2 and popLinkWitnessV2

      • witness.sharedSecret - value must match what’s stored with CA;

    • request.selfSign - true is self-sign, false otherwise

    • request.privKeyId - used for the case of self-sign or popLinkWitnessV2

    • identification - Used for identityProofV2 and popLinkWitnessV2

      • identification.enable - true will add id-cmc-identification control, false otherwise

      • identification - value must match what CA knows;

    • popLinkWitnessV2 - used to link identity with POP

      • popLinkWitnessV2.enable - true to enable, false otherwise

      • popLinkWitnessV2.keyGenAlg - supported values are: SHA-1, SHA-256, SHA-384, and SHA-512

      • popLinkWitnessV2.macAlg - supported values are: SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC

    • DecryptedPOP -used after EncryptedPop is received after round-1, where round-1 being a CMC request without POP

      • decryptedPop.enable - true enabled, false otherwise

      • encryptedPopResponseFile - input file from the output of round-1 in case of success

      • decryptedPopRequestFile - output file

  • CMCResponse (for more information: man CMCResponse)

    • modified to handle EncryptedPOP; no new options;

Note: clients that are not listed above have not been updated to support the newest CMC features.

  • (New in 10.5) CMCSharedToken (for more information: man CMCSharedToken)

    • new tool to process a user passphrase and create shared token to be stored by the CA to allow Shared Secret-based proof of origin in cases such as CMC certificate issuance and revocation.

Tips: If CA’s system keys are on an HSM, Two things to keep in mind

  • CRMFPopClient should be used with the -y false

  • CA’s CS.cfg should have the cmc.token parameter set to the HSM token

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.

Clone this wiki locally