-
Notifications
You must be signed in to change notification settings - Fork 139
CMC Examples Unsigned CMC Revocation Request
Endi S. Dewata edited this page Jan 29, 2021
·
1 revision
This example demonstrate an unsigned, sharedToken-based CMC revocation request.
-
Create a CMC revocation request config file; Note that
-
nickname
is not needed in the unsigned case and will be ignored -
revRequest.serial
,revRequest.reason
,revRequest.issuer
andrevRequest.sharedSecret
must contain valid values, e.g.:-
revRequest.serial=56
-
revRequest.reason=unspecified
-
revRequest.issuer=<issuer subjectdn>
-
revRequest.sharedSecret=<shared secret>
-
-
optionally
revRequest.comment
can be added
-
-
See example cmc-revoke-shared-secret.cfg
$ CMCRequest cmc-revoke-shared-secret.cfg cert/key prefix = path = /root/cfu/test/cmc/ CryptoManger initialized token internal logged in... Missing format..assume revocation addRevRequestAttr: sharedSecret found; request will be unsigned; addRevRequestAttr: RevokeRequest control created. getCMCBlob: begins getCMCBlob: generating unsigned data The CMC enrollment request in base-64 encoded format: MIHTBgkqhkiG9w0BBwGggcUEgcIwgb8wgbYwgbMCAQEGCCsGAQUFBwcRMYGjMIGg <snip> The CMC enrollment request in data format is stored in /root/cfu/test/cmc/cmc.revoke.sharedSecret.req.
-
Submit request; See
HttpClient
example config file: HttpClient.revoke.sharedSecret.cfg
$ HttpClient HttpClient.revoke.sharedSecret.cfg Total number of bytes read = 214 after SSLSocket created, thread token is Internal Key Storage Token handshake happened writing to socket handshake happened Total number of bytes read = 1598 MIIGOgYJKoZIhvcNAQcCoIIGKzCCBicCAQMxDzANBglghkgBZQMEAgEFADAxBggr <snip> The response in data format is stored in /root/cfu/test/cmc/cmc.revoke.resp
-
Observe the
CMCResponse
to beSUCCESS
$ CMCResponse -d . -i /root/cfu/test/cmc/cmc.revoke.resp Certificates: Certificate: Data: Version: v3 Serial Number: 0x1 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain Validity: Not Before: Wednesday, May 17, 2017 6:06:50 PM PDT America/Los_Angeles Not After: Sunday, May 17, 2037 6:06:50 PM PDT America/Los_Angeles Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain <snip> Number of controls is 1 Control #0: CMCStatusInfo OID: {1 3 6 1 5 5 7 7 1} BodyList: 1 Status: SUCCESS
-
observe the audit log events
0.http-bio-8443-exec-19 - [15/Jun/2017:18:08:53 PDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=y.y.y.y][ServerIP=x.x.x.x][SubjectID=][Outcome=Success] access session establish success 0.http-bio-8443-exec-19 - [15/Jun/2017:18:08:53 PDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success 0.http-bio-8443-exec-19 - [15/Jun/2017:18:08:54 PDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=Signer Christina Fu][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=44][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=complete] certificate status change request processed 0.http-bio-8443-exec-19 - [15/Jun/2017:18:08:54 PDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=y.y.y.y][ServerIP=x.x.x.x][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |