Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1518096

Summary:

ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates

Product:

Red Hat Enterprise Linux 7

Reporter:

Geetika Kapoor <gkapoor>

Component:

pki-core

Assignee:

Christina Fu <cfu>

Status:

CLOSED ERRATA

QA Contact:

Asha Akkiangady <aakkiang>

Severity:

unspecified

Docs Contact:

Marc Muehlfeld <mmuehlfe>

Priority:

unspecified

Version:

7.4

CC:

cfu, enewland, mharmsen

Target Milestone:

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

pki-core-10.5.1-5.el7

Doc Type:

Bug Fix

Doc Text:

Certificate System issued certificates with an expiration date later than the expiration date of the CA certificate Previously, when signing a certificate for an external Certificate Authority (CA), Certificate System used the *ValidityConstraint* plug-in. Consequently, it was possible to issue certificates with a later expiry date than the expiry date of the issuing CA. This update adds the *CAValidityConstraint* plug-in to the registry so that it becomes available for the enrollment profiles. In addition, the *ValidityConstraint* plug-in in the *caCMCcaCert* profile has been replaced with the *CAValidityConstraint* plug-in which effectively sets the restrictions. As a result, issuing certificates with an expiry date later than the issuing CA is no longer allowed.

Story Points:

---

Clone Of:

Environment:

Last Closed:

2018-04-10 17:02:54 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
test_steps	none

Description Geetika Kapoor 2017-11-28 08:23:55 UTC

Created attachment 1359709 [details]
test_steps

Description of problem:

Setup :

RootCA --> ExternalCA --> ExternalCA1

Failure observed in externalCA1 when ExternalCA signed certificate for it using CMC.

Installation failed with "CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)".

Version-Release number of selected component (if applicable):

pki-ca-10.5.1-1.el7.noarch

How reproducible:

Tried few times and got this exception

Steps to Reproduce:

1. Generate a step1 configuration file for generating csr for ExternalCA1.
2. Use this csr and proceed with "Issuing CA Signing Certificate with CMC ". Here in while sending HttpClient request i point to ExternalCA credentials.
if i get my certificate signed using procedure as mentioned in Document(http://pki.fedoraproject.org/wiki/Issuing_CA_Signing_Certificate_with_CMC), I get pkcs7 certificate at the end which i have put in "pki_cert_chain_path"

-- pki_ca_signing_cert_path=Ca.crt (I got this certificate from CA Agent page)
This is get signed using the ExternalCA using CMC mechanism.

-- pki_cert_chain_path=ca_signing.crt
This is my certificate chain in pkcs7 format which has RootCA , ExternalCA, ExternalCA1 certs in it.

3. Proceed with step2 of installation.
So while doing 2nd step for ExternalCA1 it fails  with "Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)"

Note : Attached test_steps for more details
=====

Actual results:

Installation failed
<system>

0.http-bio-31443-exec-3 - [25/Nov/2017:00:41:24 IST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)
</system>

Expected results:

Installation should work and ExternalCA1 should be up.


Additional info:
<system>

0.http-bio-31443-exec-3 - [25/Nov/2017:00:41:24 IST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)
</system>

Detailed logs:


[25/Nov/2017:00:41:25][http-bio-31443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)
Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)
        at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
        at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
        at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2766)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2590)
        at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:476)
        at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: Unable to initialize, java.io.IOException: extra DER value data (constructor)
        at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1618)
        at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
        ... 70 more
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)
        at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
        at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
        at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1610)
        ... 71 more
[25/Nov/2017:00:41:25][http-bio-31443-exec-3]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Comment 2 Geetika Kapoor 2017-11-28 09:12:44 UTC

Another Observation:

--> RootCA certificate validity is 1 year.

        Version: 3 (0x2)
        Serial Number: 24243 (0x5eb3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:47:45 2017 GMT
            Not After : Feb 24 10:47:45 2018 GMT
        Subject: O=ROOT, CN=Root CA Signing Certificate

--> RootCA when signed certificate for ExternalCA

        Version: 3 (0x2)
        Serial Number: 25725 (0x647d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=ROOT, CN=Root CA Signing Certificate
        Validity
            Not Before: Nov 24 10:48:19 2017 GMT
            Not After : Feb 24 10:48:19 2018 GMT
        Subject: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

--> ExternalCA which is dogtag when signed certificate for another ExternalCA1 which is dogtag it has signed certificate where expiry is 2037. So i think Expiry of this certificate should <= expiry of it's parentCA?
I suspect this could be the reason of failure that we are seeing failure.


        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Nov 24 19:05:37 2017 GMT
            Not After : Nov 24 19:05:37 2037 GMT
        Subject: O=EXAMPLE, OU=topology-CA-EX, CN=CA Signing Certificate

Comment 3 Christina Fu 2017-11-28 18:27:03 UTC

If I am reading your description correctly, in step A 2, you used certutil to sign externalCA cert with root ca cert.  This is not using Dogtag, so expiration (and just about everything else) is controlled by the person who runs certutil.  You should make sure the expiration is correct there before you go on.

Comment 4 Geetika Kapoor 2017-11-28 20:16:27 UTC

RootCA --> ExternalCA --> ExternalCA1
(nssdb)    (dogtagCA)     (dogtagCA1)


Yes I have used nssdb(rootca) to get ExternalCA. But ExternalCA is
dogtag CA which has an expiry of 1 year. Now if i use this ExternalCA
which is dogtag CA to sign another ExternalCA1 so dogtagCA signs Dogtag
CA so when it signed certificate for ExternalCA1 so that has an expiry
after 20 years.So i think Expiry of this certificate should <= expiry of
it's parentCA?
So what i thought was now since signing CA is dogtagCA for ExternalCA1
,ExternalCA1 signing certs expiry should be controlled by ExternalCA.

Logs:

ExternalCA logs while signing CMC certs for ExternalCA1:
========================================================


[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet::service() param name='profileId' value='caCMCcaCert'
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet: caProfileSubmitCMCFull start to service.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet Input Parameter profileId='caCMCcaCert'
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: start serving
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: profileId caCMCcaCert
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: authenticator CMCAuth found
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: start checking signature
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: found signing cert... verifying
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifySignerInfo: ssl client cert principal and cmc signer principal match
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: signing key alg=RSA
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifying signature with public key
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: finished checking signature
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: started
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: Retrieving client certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: Got client certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Authentication: client certificate found
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Authentication: mapped certificate to user
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: authenticated uid=caadmin,ou=people,dc=ca,dc=example,dc=com
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifySignerInfo:  Principal name = CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: authenticate: numReqs not 0, assume enrollment request
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: type is PKCS10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: authenticate: setting auditSubjectID in SessionContext:caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event AUTH
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet authToken not null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet.authorize(DirAclAuthz)
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditSubjectID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  algorithm = RSA, unparsed keybits = 
30 82 01 0A 02 82 01 01 00 9A DD 6B A3 AD 5C F2 3E F9 B1 CB 
26 FC CC 90 87 2F 56 11 50 16 6A 12 64 F2 88 99 9E 6F C8 E8 
8B 32 65 80 CC 09 B6 6A 09 E0 C0 4D DC A3 FC 34 EC C4 6C 08 
E5 5A 75 9A 9B CA 84 0A CF 2F C0 CE DA 8F 15 A0 63 84 DB 40 
F0 26 C2 B1 D4 B4 86 F6 DE 64 F5 51 A3 8E 74 62 BF AC D8 F6 
34 B0 70 E9 68 5E 4E 0C 95 AB AF 31 5E 2A BA 92 40 2E 2F B7 
55 37 9E 14 8A A5 AF 2F 0D C1 30 25 CD D7 BB F1 F9 68 40 36 
F1 C0 D4 66 A9 6E 46 B0 3E 54 82 B7 F7 B4 9E 1D 45 FD 99 19 
72 22 91 38 56 8E 38 41 D8 6C 20 18 81 CE BB 60 25 32 52 18 
31 7E B0 EF ED 6B 56 E0 86 9C C7 6F 44 4D 1C E7 62 B1 CF 03 
2B CA D0 19 F4 96 A1 BE E5 63 E8 59 F7 15 8C 01 F1 B5 F3 AF 
CC 8D 36 78 CD 0A 93 3A 65 4E 43 5D BB D7 63 1D 59 D6 FF E9 
98 C6 31 89 1C 3F CE F3 39 61 DF 4D AA 68 39 56 04 5C 9F F3 
3A D0 C7 A5 4B 02 03 01 00 01

  Validity: [From: Tue Nov 28 17:00:48 IST 2017,
               To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [    05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 
33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 
63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 
31
]
]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthInfoAccess [
(0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]
  Extension[3] = oid=2.5.29.37  val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4 
]
  Algorithm: [SHA256withRSA]
  Signature:
BC 52 6F 4E 1A F3 76 C3 06 06 59 20 1C 29 1B DA F4 3A A3 36 
CA A7 12 95 F5 B4 CE 5D 21 1A D3 1D 82 78 E1 95 7B EB 25 51 
81 A3 7B F9 A7 5D 49 75 FA 64 28 BA 07 C5 59 53 AD B2 BF D9 
CE 44 C2 24 85 8F 58 88 62 5F 90 C5 31 2E 20 99 DB 0E 96 98 
24 7E 74 96 07 49 3F C7 43 2C 0D 71 5B 81 0B CA 82 FC 21 7F 
1B BB 63 04 04 66 DD 3B 87 09 B6 EE 2C C4 DC 7A D2 9E 40 3F 
F1 85 18 D9 78 85 72 73 72 10 96 43 2B B4 1C B5 E8 3F A5 D9 
D6 B6 E2 A8 55 E3 DA 5E 4F CA A8 7A AB D9 21 12 8A BB EC 55 
A4 F5 8F 89 46 5C 5B 68 24 20 71 DF F4 8D 94 4F 6B 84 4E 12 
0D 06 06 CD 36 70 4C 70 E5 19 4E 7E CE BF 3C 45 5A C6 BB ED 
B3 65 D5 70 06 B4 8B 44 C1 26 D9 49 BB 32 87 8A 8E 41 75 FE 
0D D0 0A F2 ED 98 8B DA 20 64 5D C4 35 EA 4B C4 B2 F8 87 1E 
02 A2 FF 3D 98 EB 7A E4 02 4F D1 58 95 BB 97 E1
], authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditSubjectID: subjectID: caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditGroupID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditGroupID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  algorithm = RSA, unparsed keybits = 
30 82 01 0A 02 82 01 01 00 9A DD 6B A3 AD 5C F2 3E F9 B1 CB 
26 FC CC 90 87 2F 56 11 50 16 6A 12 64 F2 88 99 9E 6F C8 E8 
8B 32 65 80 CC 09 B6 6A 09 E0 C0 4D DC A3 FC 34 EC C4 6C 08 
E5 5A 75 9A 9B CA 84 0A CF 2F C0 CE DA 8F 15 A0 63 84 DB 40 
F0 26 C2 B1 D4 B4 86 F6 DE 64 F5 51 A3 8E 74 62 BF AC D8 F6 
34 B0 70 E9 68 5E 4E 0C 95 AB AF 31 5E 2A BA 92 40 2E 2F B7 
55 37 9E 14 8A A5 AF 2F 0D C1 30 25 CD D7 BB F1 F9 68 40 36 
F1 C0 D4 66 A9 6E 46 B0 3E 54 82 B7 F7 B4 9E 1D 45 FD 99 19 
72 22 91 38 56 8E 38 41 D8 6C 20 18 81 CE BB 60 25 32 52 18 
31 7E B0 EF ED 6B 56 E0 86 9C C7 6F 44 4D 1C E7 62 B1 CF 03 
2B CA D0 19 F4 96 A1 BE E5 63 E8 59 F7 15 8C 01 F1 B5 F3 AF 
CC 8D 36 78 CD 0A 93 3A 65 4E 43 5D BB D7 63 1D 59 D6 FF E9 
98 C6 31 89 1C 3F CE F3 39 61 DF 4D AA 68 39 56 04 5C 9F F3 
3A D0 C7 A5 4B 02 03 01 00 01

  Validity: [From: Tue Nov 28 17:00:48 IST 2017,
               To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [    05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 
33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 
63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 
31
]
]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthInfoAccess [
(0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]
  Extension[3] = oid=2.5.29.37  val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4 
]
  Algorithm: [SHA256withRSA]
  Signature:
BC 52 6F 4E 1A F3 76 C3 06 06 59 20 1C 29 1B DA F4 3A A3 36 
CA A7 12 95 F5 B4 CE 5D 21 1A D3 1D 82 78 E1 95 7B EB 25 51 
81 A3 7B F9 A7 5D 49 75 FA 64 28 BA 07 C5 59 53 AD B2 BF D9 
CE 44 C2 24 85 8F 58 88 62 5F 90 C5 31 2E 20 99 DB 0E 96 98 
24 7E 74 96 07 49 3F C7 43 2C 0D 71 5B 81 0B CA 82 FC 21 7F 
1B BB 63 04 04 66 DD 3B 87 09 B6 EE 2C C4 DC 7A D2 9E 40 3F 
F1 85 18 D9 78 85 72 73 72 10 96 43 2B B4 1C B5 E8 3F A5 D9 
D6 B6 E2 A8 55 E3 DA 5E 4F CA A8 7A AB D9 21 12 8A BB EC 55 
A4 F5 8F 89 46 5C 5B 68 24 20 71 DF F4 8D 94 4F 6B 84 4E 12 
0D 06 06 CD 36 70 4C 70 E5 19 4E 7E CE BF 3C 45 5A C6 BB ED 
B3 65 D5 70 06 B4 8B 44 C1 26 D9 49 BB 32 87 8A 8E 41 75 FE 
0D D0 0A F2 ED 98 8B DA 20 64 5D C4 35 EA 4B C4 B2 F8 87 1E 
02 A2 FF 3D 98 EB 7A E4 02 4F D1 58 95 BB 97 E1
], authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditGroupID: groupID: null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: AAclAuthz.checkPermission(certServer.ee.profile, submit)
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: checkPermission(): expressions: user="anybody"
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: evaluating expressions: user="anybody"
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: evaluated expression: user="anybody" to be true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DirAclAuthz: authorization passed
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event AUTHZ
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event ROLE_ASSUME
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: cmc request content is signed data
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: authManagerId =CMCAuth
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: numcontrols=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: found numOfOtherMsgs: 0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: getting :cmc.popLinkWitnessRequired
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: popLinkWitness(V2) not required
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: nummsgs =1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: ends
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: parseCMC returns cmc_msgs num_requests=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in getNextSerialNumber. 
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getSerialNumber()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getSerialNumber  serial=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in InitCache
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: Instance of Request Repository or CRLRepository.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: minSerial:1 maxSerial: 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: nextMinSerial:  nextMaxSerial: 
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: increment:10000000 lowWaterMark: 2000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: in getLastSerialNumberInRange: min 1 max 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue@28c7e5b1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: low 1 high 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 0810000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: searching for entry 0810000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList.getEntries()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: entries: 6
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: top: 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: size: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: size   8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getSizeBeforeJumpTo: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: curReqId: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId : returning value 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository:  mLastSerialNo: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: checkRange  mLastSerialNo=9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getNextSerialNumber: returning retSerial 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createEnrollmentRequest 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: setting cmc TaggedRequest in request
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet profileSetid=caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: request 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: populating request inputs
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: cert_request_type= REQ_TYPE_CMC
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: cmc request content is signed data
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: pkiData.getReqSequence() called; nummsgs =1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10:  TaggedRequest type == pkcs10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10: sigver true, POP is to be verified
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event PROOF_OF_POSSESSION
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: Found PKCS10 extension
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: PKCS10 found extensions [ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: undefined
]
, ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_CertSign
  Crl_Sign
]
]
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: Finish parsePKCS10 - CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10: done
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: populate: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: populate: policy setid =caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserSubjectNameDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserSubjectNameDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: CAValidityDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: start time: 0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: not before: Wed Nov 29 01:00:10 IST 2017
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: range: 7304
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: range unit: day
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: not after: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: CAValidityDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserKeyDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserKeyDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthorityKeyIdentifierExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthorityKeyIdentifierExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: BasicConstraintsExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: BasicConstraintsExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: KeyUsageExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: KeyUsageExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SubjectKeyIdentifierExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectKeyIdentifierExtDefault: getKeyIdentifier:  configured hash alg: 
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectKeyIdentifierExtDefault: getKeyIdentifier:  generating hash with default alg: SHA-1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SubjectKeyIdentifierExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SigningAlgDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SigningAlgDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthInfoAccessExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: AuthInfoAccess: createExtension i=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthInfoAccessExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditSubjectID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  algorithm = RSA, unparsed keybits = 
30 82 01 0A 02 82 01 01 00 9A DD 6B A3 AD 5C F2 3E F9 B1 CB 
26 FC CC 90 87 2F 56 11 50 16 6A 12 64 F2 88 99 9E 6F C8 E8 
8B 32 65 80 CC 09 B6 6A 09 E0 C0 4D DC A3 FC 34 EC C4 6C 08 
E5 5A 75 9A 9B CA 84 0A CF 2F C0 CE DA 8F 15 A0 63 84 DB 40 
F0 26 C2 B1 D4 B4 86 F6 DE 64 F5 51 A3 8E 74 62 BF AC D8 F6 
34 B0 70 E9 68 5E 4E 0C 95 AB AF 31 5E 2A BA 92 40 2E 2F B7 
55 37 9E 14 8A A5 AF 2F 0D C1 30 25 CD D7 BB F1 F9 68 40 36 
F1 C0 D4 66 A9 6E 46 B0 3E 54 82 B7 F7 B4 9E 1D 45 FD 99 19 
72 22 91 38 56 8E 38 41 D8 6C 20 18 81 CE BB 60 25 32 52 18 
31 7E B0 EF ED 6B 56 E0 86 9C C7 6F 44 4D 1C E7 62 B1 CF 03 
2B CA D0 19 F4 96 A1 BE E5 63 E8 59 F7 15 8C 01 F1 B5 F3 AF 
CC 8D 36 78 CD 0A 93 3A 65 4E 43 5D BB D7 63 1D 59 D6 FF E9 
98 C6 31 89 1C 3F CE F3 39 61 DF 4D AA 68 39 56 04 5C 9F F3 
3A D0 C7 A5 4B 02 03 01 00 01

  Validity: [From: Tue Nov 28 17:00:48 IST 2017,
               To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [    05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 
33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 
63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 
31
]
]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthInfoAccess [
(0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]
  Extension[3] = oid=2.5.29.37  val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4 
]
  Algorithm: [SHA256withRSA]
  Signature:
BC 52 6F 4E 1A F3 76 C3 06 06 59 20 1C 29 1B DA F4 3A A3 36 
CA A7 12 95 F5 B4 CE 5D 21 1A D3 1D 82 78 E1 95 7B EB 25 51 
81 A3 7B F9 A7 5D 49 75 FA 64 28 BA 07 C5 59 53 AD B2 BF D9 
CE 44 C2 24 85 8F 58 88 62 5F 90 C5 31 2E 20 99 DB 0E 96 98 
24 7E 74 96 07 49 3F C7 43 2C 0D 71 5B 81 0B CA 82 FC 21 7F 
1B BB 63 04 04 66 DD 3B 87 09 B6 EE 2C C4 DC 7A D2 9E 40 3F 
F1 85 18 D9 78 85 72 73 72 10 96 43 2B B4 1C B5 E8 3F A5 D9 
D6 B6 E2 A8 55 E3 DA 5E 4F CA A8 7A AB D9 21 12 8A BB EC 55 
A4 F5 8F 89 46 5C 5B 68 24 20 71 DF F4 8D 94 4F 6B 84 4E 12 
0D 06 06 CD 36 70 4C 70 E5 19 4E 7E CE BF 3C 45 5A C6 BB ED 
B3 65 D5 70 06 B4 8B 44 C1 26 D9 49 BB 32 87 8A 8E 41 75 FE 
0D D0 0A F2 ED 98 8B DA 20 64 5D C4 35 EA 4B C4 B2 F8 87 1E 
02 A2 FF 3D 98 EB 7A E4 02 4F D1 58 95 BB 97 E1
], numOfOtherMsgs=0, authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditSubjectID: subjectID: caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileapprovedby$ value=admin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.authenticatedname$ value=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.cert_request$ value=oIICygIBATCCAsMwggGrAgEAMEwxEDAOBgNVBAoTB0VYQU1QTEUxFzAVBgNVBAsT
DnRvcG9sb2d5LUNBLUVYMR8wHQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRl
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvm9figSADMeisYcP4bdB
+ZcFoxoISXcNIimWsqvoFo8MqO44O7fWSb2roN/726mIVOarMbLu/1L5gtBQ8jZB
lHyVaBltRROSUpzMXrjX2m0PJ/0ufCmtfs3XDM4e8WjvHac/+A0JVn4tNccT+xoV
b5nz0yvPJvA2ZFz4u8XXg1Y5TV5z+PQiiUYU4tuMfwj2slX+P4r+VJNCg7uRpCc7
15E9nbbXKHFd/D1x24c8Fi5ioGvCFKJvrsCv5f/ybgXhGi2N/oQN9t89mLyREE6Z
dqSDr1JO/8serPFSILAQliy9qwgABwmghJcAY5NS1O7zgpalnTx9eby5u2ZprDik
wwIDAQABoDIwMAYJKoZIhvcNAQkOMSMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
DwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEApx8JzPztkApVV0w+3ZT3Doio
XEoCYCn1gn1NQ3M+dYg3Auu0JNWUeWLFVEL2yKesp0fRuHR4Z8NsNPyUhb8w8qOm
DfIfYo5WzpXSip+qgVcUwYosKNSm2pHQ6UQm4avBEXTJ7D3of8RysjMe7uT2e1Kt
JsP7E3oO2ze3k5ReTNyRWXYHg0wKn49HmEIP06f7GYT2SUF+UCuKcxSVBiaA/kBV
Kb0duDdw52GKK30kX2D44obXP3oILkzKII3eAwF5uHl6aZMYi4eCdzwCYVWKyFEB
pVT+0J/tyvdzASVW6MAILVF4aaibLjOvRzesJ7MznHtyQMbPpi4VDuZig/U/2A==

[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profile$ value=true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requestversion$ value=1.0.0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name.cn$ value=CA Signing Certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_locale$ value=en
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.dbstatus$ value=NOT_UPDATED
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requeststatus$ value=begin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_key$ value=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvm9figSADMeisYcP4bdB
+ZcFoxoISXcNIimWsqvoFo8MqO44O7fWSb2roN/726mIVOarMbLu/1L5gtBQ8jZB
lHyVaBltRROSUpzMXrjX2m0PJ/0ufCmtfs3XDM4e8WjvHac/+A0JVn4tNccT+xoV
b5nz0yvPJvA2ZFz4u8XXg1Y5TV5z+PQiiUYU4tuMfwj2slX+P4r+VJNCg7uRpCc7
15E9nbbXKHFd/D1x24c8Fi5ioGvCFKJvrsCv5f/ybgXhGi2N/oQN9t89mLyREE6Z
dqSDr1JO/8serPFSILAQliy9qwgABwmghJcAY5NS1O7zgpalnTx9eby5u2ZprDik
wwIDAQAB

[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.authmgrinstname$ value=CMCAuth
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.uid$ value=CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.userid$ value=caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.cert_request_type$ value=cmc-pkcs10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileid$ value=caCMCcaCert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requestid$ value=9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.tokencertsubject$ value=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.sslclientcert$ value=5
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.authtime$ value=1511897409924
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_x509info$ value=MIICx6ADAgECAgEAMA0GCSqGSIb3DQEBCwUAMEgxEDAOBgNVBAoTB0VYQU1QTEUx
EzARBgNVBAsTCnBraS10b21jYXQxHzAdBgNVBAMTFkNBIFNpZ25pbmcgQ2VydGlm
aWNhdGUwHhcNMTcxMTI4MTkzMDEwWhcNMzcxMTI3MTkzMDEwWjBMMRAwDgYDVQQK
EwdFWEFNUExFMRcwFQYDVQQLEw50b3BvbG9neS1DQS1FWDEfMB0GA1UEAxMWQ0Eg
U2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAL5vX4oEgAzHorGHD+G3QfmXBaMaCEl3DSIplrKr6BaPDKjuODu31km9q6Df
+9upiFTmqzGy7v9S+YLQUPI2QZR8lWgZbUUTklKczF6419ptDyf9LnwprX7N1wzO
HvFo7x2nP/gNCVZ+LTXHE/saFW+Z89MrzybwNmRc+LvF14NWOU1ec/j0IolGFOLb
jH8I9rJV/j+K/lSTQoO7kaQnO9eRPZ221yhxXfw9cduHPBYuYqBrwhSib67Ar+X/
8m4F4Rotjf6EDfbfPZi8kRBOmXakg69STv/LHqzxUiCwEJYsvasIAAcJoISXAGOT
UtTu84KWpZ08fXm8ubtmaaw4pMMCAwEAAaOBzzCBzDBIBgNVHSMEQTA/gD0weDEx
MGI5N2IyMmY3OGU4NWUwYjNkZTU4MGE4OTNhNmUwMWRkZGYyYzQ3ODk2Nzg1NjQ1
MzQyNjc4OTAxMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1Ud
DgQWBBTDS0Gk93o5FbqHxYgI1nOozyicuzBABggrBgEFBQcBAQQ0MDIwMAYIKwYB
BQUHMAGGJGh0dHA6Ly9wa2kxLmV4YW1wbGUuY29tOjgwODAvY2Evb2NzcA==

[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_seq_num$ value=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profilesetid$ value=caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name.uid$ value=
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileremoteaddr$ value=10.65.207.97
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requesttype$ value=enrollment
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_extensions$ value=oyMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxg==

[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name$ value=MEwxEDAOBgNVBAoTB0VYQU1QTEUxFzAVBgNVBAsTDnRvcG9sb2d5LUNBLUVYMR8w
HQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRl

[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.bodypartid$ value=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileremotehost$ value=10.65.207.97
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit: popChallengeRequired =false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit:  auth token is not null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: cert subject name:CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event PROFILE_CERT_REQUEST
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: validate start on setId=caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate cert subject =CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate() - sn500 dname = CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: not before: Wed Nov 29 01:00:10 IST 2017
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: not after: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: range: 7304
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: range unit: day
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: limit: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint.validate: RSA key contraints passed.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicConstraintsExtConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicConstraintsExtConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyUsageExtConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyUsageExtConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SigningAlgConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SigningAlgConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: change to pending state
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAEnrollProfile: execute request ID 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: issueX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: dnUTF8Encoding false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertificateRepository: getNextSerialNumber  mEnableRandomSerialNumbers=false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in getNextSerialNumber. 
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: checkRange  mLastSerialNo=9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getNextSerialNumber: returning retSerial 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: About to ca.sign cert.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert get algorithm
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert encoding cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert encoding algorithm
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CA cert signing: signing cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Signing Certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: storeX509Cert 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In storeX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: done storeX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event CERT_REQUEST_PROCESSED
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ARequestNotifier  notify mIsPublishingQueueEnabled=false mMaxThreads=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: done serving
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: begins with cert_request_type=cmc
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse:  processing cmc
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse:  error_codes[0]=0
[29/Nov/2017:01:00:10][Thread-13]: RunListeners:: noQueue  SingleRequest
[29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
[29/Nov/2017:01:00:10][Thread-13]: CertificateIssuedListener: accept 9
[29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
[29/Nov/2017:01:00:10][Thread-13]: RunListeners:  noQueue  SingleRequest
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse:  after new ResponseBody, respBody not null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo:  - done
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: ends
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: curDate=Wed Nov 29 01:00:10 IST 2017 id=caProfileSubmitCMCFull time=860
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
====================================================


CMC Response output:

[root@pki1 test]# CMCResponse -i ca_signing-cmc-response.bin -o ca_signing.crty
Certificates: 
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x35B0
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Root CA Signing Certificate,O=ROOT
            Validity: 
                Not Before: Tuesday, November 28, 2017 4:59:52 PM IST Asia/Kolkata
                Not  After: Wednesday, February 28, 2018 4:59:52 PM IST Asia/Kolkata
            Subject: CN=Root CA Signing Certificate,O=ROOT
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        B2:FB:61:3C:E2:9E:CA:A3:42:B6:CE:FF:08:10:42:A4:
                        D2:B1:DE:5E:6D:3F:DE:8D:18:65:AE:AE:F3:D8:46:69:
                        BF:4D:13:1F:78:B6:F6:88:8D:45:E1:6E:76:1E:A0:5A:
                        55:E0:33:4D:2C:A2:A3:2E:8A:A5:DC:16:A9:01:66:D7:
                        0E:92:95:34:CC:1F:97:00:B8:6B:A6:5B:E0:F1:03:28:
                        8A:22:51:51:16:86:62:92:CA:FC:04:89:D7:AB:48:88:
                        BB:24:10:39:F4:76:E9:20:1E:D6:A5:5B:49:41:47:D8:
                        66:5A:3B:1C:E2:24:51:8C:4C:71:D3:8C:D1:68:B2:DE:
                        70:C8:6B:9F:48:EE:96:3F:32:DD:4C:97:38:5A:47:61:
                        F7:73:32:F4:4E:E9:7E:C8:22:EC:99:99:B9:49:C1:67:
                        A9:06:6F:69:CC:83:01:B4:45:B7:76:D6:84:A7:9D:7B:
                        77:FA:AF:EB:81:68:F6:01:FB:DC:FA:37:AB:17:43:C8:
                        F4:8E:2B:2B:0A:1D:6C:30:12:4D:CD:34:24:39:B5:62:
                        62:CA:49:B3:CF:45:4A:BD:A3:AA:A6:09:80:2D:F7:7E:
                        F0:BD:75:03:1D:88:FF:54:CA:FE:EE:38:DD:5E:4C:C8:
                        5D:81:9D:FE:1F:4A:C4:AF:D6:6F:1C:29:33:77:A5:39
            Extensions: 
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D:
                        68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74:
                        3A:38:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                6B:BE:A5:87:D7:25:3E:9B:6D:83:41:70:47:8E:BB:36:
                3B:44:AF:98:38:EF:4C:49:1D:8A:A8:CF:DB:9F:43:B6:
                82:D4:3B:B9:E3:F3:62:F1:95:39:D1:01:0C:D0:6A:07:
                6E:6E:86:75:10:F4:BC:DE:D8:C0:74:DE:C9:88:DB:20:
                43:49:51:8E:93:40:3F:B8:19:8E:1F:D7:EE:9F:FB:63:
                2E:C8:24:5A:14:C0:62:41:FE:F1:44:E3:5B:5A:17:5F:
                3B:59:BC:9F:C2:33:F1:11:32:2F:E2:F4:2C:03:15:D4:
                F4:BF:2F:90:F7:75:DD:D8:DB:3B:48:DB:93:24:0A:A2:
                83:75:8B:D3:C2:42:C5:78:C8:04:33:9E:56:AE:F0:8E:
                64:A5:CA:49:4B:7B:B2:DD:33:83:E5:F4:A6:3D:62:6B:
                43:4D:4E:2D:96:88:76:8C:85:AC:85:38:44:63:3B:C4:
                F1:B3:A4:2B:02:8F:40:17:EC:C4:1C:5F:9E:66:1B:A9:
                58:AF:79:5F:5B:1A:E8:08:07:1D:8B:9A:F5:73:BE:98:
                4F:A8:A3:78:B9:C8:A6:40:81:C6:18:3F:6C:AD:4C:35:
                B8:09:93:70:CE:40:B4:E2:20:3E:AE:20:4D:43:D8:7D:
                F4:DB:CC:E5:18:AE:46:6A:A3:34:6D:7B:32:2E:6E:5B
        FingerPrint
            MD2:
                E2:C9:97:BB:6D:83:42:DE:06:ED:0E:65:1E:15:89:CC
            MD5:
                66:A4:E0:BB:DA:9E:06:E5:07:E6:45:82:BB:F6:6F:6E
            SHA-1:
                FA:97:4F:FB:FF:24:CE:69:41:69:79:FC:E5:2C:AF:C6:
                9A:47:66:B9
            SHA-256:
                C1:7A:B7:6E:7F:A3:C1:63:7A:C0:42:62:A8:6E:BE:84:
                A3:C5:7B:19:49:FB:12:95:60:63:4F:2F:7B:2D:1C:D0
            SHA-512:
                59:1E:AA:15:C6:0F:C2:F8:20:34:4F:FF:F8:C7:07:0E:
                9E:65:A2:A9:BF:52:4F:97:FB:BE:7D:97:17:D1:55:37:
                E4:A9:FD:27:76:18:6A:26:D4:63:89:67:B5:4B:F3:67:
                D5:12:EE:B4:04:6F:0C:E2:60:3C:13:E9:A3:B5:D8:EA
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x5E08
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Root CA Signing Certificate,O=ROOT
            Validity: 
                Not Before: Tuesday, November 28, 2017 4:59:53 PM IST Asia/Kolkata
                Not  After: Wednesday, February 28, 2018 4:59:53 PM IST Asia/Kolkata
            Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        D2:72:AA:90:79:54:DF:C8:0E:F2:CD:D6:A3:25:2E:15:
                        BA:FB:AF:8A:D9:A6:9B:0B:E5:3D:41:76:3C:75:84:ED:
                        06:67:F9:AE:C9:B8:69:AF:7F:0C:2F:D8:5F:03:19:22:
                        48:16:6F:68:AB:5E:0E:CA:3E:21:F1:1C:18:CF:5F:F0:
                        87:6C:61:A0:5D:8F:A5:37:EB:0A:87:1C:53:07:0D:25:
                        49:76:14:D0:04:00:17:A2:2C:94:E2:96:8F:8C:16:9C:
                        A0:E7:78:51:76:3B:DC:F0:CF:D0:BF:28:4D:7B:2F:1D:
                        3C:F6:9B:5A:FB:4A:40:01:6F:3E:67:25:D0:2A:5C:A7:
                        56:D9:9C:4F:DC:D0:E8:A7:72:20:5A:83:B5:3C:E5:EC:
                        53:5F:BA:55:22:23:7F:B4:1D:E9:02:26:0E:3D:16:B1:
                        17:90:DF:BB:04:E1:60:9F:CC:E2:5E:85:AE:E7:61:33:
                        1B:60:7A:F9:CD:FC:9C:37:37:60:2A:45:E6:0B:08:22:
                        B9:F2:25:1A:71:13:18:2F:F4:B5:89:A9:C2:BA:6B:EC:
                        51:42:26:45:0D:CB:99:45:51:9C:3D:76:86:74:CE:84:
                        88:B3:DF:2A:D6:90:39:CE:FD:A1:88:7C:26:5C:47:3C:
                        D7:A8:F4:07:8C:64:09:F4:18:70:F1:9C:DF:85:0D:05
            Extensions: 
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D:
                        68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74:
                        3A:38:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38:
                        35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36:
                        65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38:
                        35:36:34:35:33:34:32:36:37:38:39:30:31
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                02:22:BB:5B:E2:F2:BD:C6:8F:43:BF:56:F8:02:72:D1:
                50:EF:50:16:C3:F0:2A:6A:AA:4D:33:0C:95:72:EE:6C:
                28:F5:BF:80:BF:CC:8D:84:BC:70:CC:43:2A:AA:74:23:
                3F:F1:A7:1C:42:AA:DE:8E:D4:A2:81:8B:66:92:2B:65:
                FF:2D:5C:16:92:67:5E:C5:A9:61:29:E2:C9:A2:24:38:
                8F:4D:61:8C:FD:BF:51:9D:2A:43:D4:94:D7:A6:C1:3F:
                A3:57:43:A6:DD:AE:A8:A9:D2:C9:F1:E7:0D:18:B3:01:
                8F:F2:FC:E6:51:16:EA:82:64:1A:C1:34:74:90:1A:49:
                64:D3:A3:76:8C:2A:71:E6:89:35:1D:7D:1E:5F:2F:03:
                14:08:EB:72:F7:21:60:E1:2C:0C:76:84:45:F1:62:37:
                56:6D:65:B3:3F:84:F6:0F:A1:E7:AA:E4:D4:A1:57:55:
                78:2F:09:D6:17:D7:AA:9E:FD:34:90:46:41:7D:32:EC:
                01:41:3A:D6:4D:8B:FC:37:A1:04:93:B4:9C:B6:85:D5:
                31:EF:6B:52:D0:A5:6F:50:31:03:D3:D1:D0:CD:3F:20:
                F6:28:87:30:73:42:90:E8:9A:68:44:DB:9E:76:EA:5E:
                DC:BC:A6:1B:85:97:96:F1:9C:97:2D:E6:18:F9:94:51
        FingerPrint
            MD2:
                54:F5:66:00:69:4D:B1:6C:4E:6D:87:30:A3:75:E2:74
            MD5:
                28:F8:D7:EC:A1:A6:B0:7C:54:EE:B7:60:5F:93:CD:C8
            SHA-1:
                F0:FF:AF:CD:52:59:00:14:80:9E:23:0F:AE:E2:D9:1F:
                63:95:FE:F3
            SHA-256:
                6A:2A:91:FD:61:E9:A0:EC:3C:90:D2:39:FC:57:75:0F:
                1F:13:42:C3:02:10:44:FC:10:15:20:7C:50:54:1C:5D
            SHA-512:
                8E:9A:89:45:07:AD:1D:85:1B:EB:E8:49:39:58:7B:EB:
                91:26:6E:07:4F:9E:A2:93:66:55:7A:7A:E3:25:0C:56:
                F6:CB:26:36:4D:7D:B3:89:14:0D:AE:60:CF:7B:97:1B:
                68:DE:31:27:3D:6A:62:DC:F7:DA:25:83:87:74:15:74
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x9
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
            Validity: 
                Not Before: Wednesday, November 29, 2017 1:00:10 AM IST Asia/Kolkata
                Not  After: Saturday, November 28, 2037 1:00:10 AM IST Asia/Kolkata
            Subject: CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        BE:6F:5F:8A:04:80:0C:C7:A2:B1:87:0F:E1:B7:41:F9:
                        97:05:A3:1A:08:49:77:0D:22:29:96:B2:AB:E8:16:8F:
                        0C:A8:EE:38:3B:B7:D6:49:BD:AB:A0:DF:FB:DB:A9:88:
                        54:E6:AB:31:B2:EE:FF:52:F9:82:D0:50:F2:36:41:94:
                        7C:95:68:19:6D:45:13:92:52:9C:CC:5E:B8:D7:DA:6D:
                        0F:27:FD:2E:7C:29:AD:7E:CD:D7:0C:CE:1E:F1:68:EF:
                        1D:A7:3F:F8:0D:09:56:7E:2D:35:C7:13:FB:1A:15:6F:
                        99:F3:D3:2B:CF:26:F0:36:64:5C:F8:BB:C5:D7:83:56:
                        39:4D:5E:73:F8:F4:22:89:46:14:E2:DB:8C:7F:08:F6:
                        B2:55:FE:3F:8A:FE:54:93:42:83:BB:91:A4:27:3B:D7:
                        91:3D:9D:B6:D7:28:71:5D:FC:3D:71:DB:87:3C:16:2E:
                        62:A0:6B:C2:14:A2:6F:AE:C0:AF:E5:FF:F2:6E:05:E1:
                        1A:2D:8D:FE:84:0D:F6:DF:3D:98:BC:91:10:4E:99:76:
                        A4:83:AF:52:4E:FF:CB:1E:AC:F1:52:20:B0:10:96:2C:
                        BD:AB:08:00:07:09:A0:84:97:00:63:93:52:D4:EE:F3:
                        82:96:A5:9D:3C:7D:79:BC:B9:BB:66:69:AC:38:A4:C3
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38:
                        35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36:
                        65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38:
                        35:36:34:35:33:34:32:36:37:38:39:30:31
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        C3:4B:41:A4:F7:7A:39:15:BA:87:C5:88:08:D6:73:A8:
                        CF:28:9C:BB
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:32:30:30:06:08:2B:06:01:05:05:07:30:01:86:24:
                        68:74:74:70:3A:2F:2F:70:6B:69:31:2E:65:78:61:6D:
                        70:6C:65:2E:63:6F:6D:3A:38:30:38:30:2F:63:61:2F:
                        6F:63:73:70
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                6D:6D:FB:D2:FD:FC:B0:0B:95:38:31:5D:20:6E:4B:85:
                A6:C8:92:4F:AC:71:9A:AC:42:9C:62:11:68:49:CF:FF:
                7C:28:C6:10:17:0D:DF:82:B4:E5:69:E9:CC:E8:F7:B2:
                69:4F:09:2A:4F:97:D6:B4:D1:64:49:30:0D:42:65:1C:
                84:25:E2:2A:42:9F:38:44:CC:01:DA:18:E2:7A:25:15:
                14:A2:28:EC:1C:F2:C9:85:E8:6E:EB:90:7C:62:44:72:
                3D:0B:6F:0A:BE:21:97:20:B6:A2:E6:8F:58:F0:45:AD:
                F8:07:0A:80:7C:FD:FB:33:AC:72:E7:CC:49:72:AF:0E:
                FE:4F:1E:EF:2E:71:76:6D:3F:96:A6:6A:C7:82:BC:27:
                00:E6:05:B1:52:39:C3:E7:79:33:47:92:F1:6A:64:1A:
                4E:AB:7C:18:BA:EB:91:E1:91:09:9E:BC:8D:15:B7:E3:
                F1:6C:9E:8D:5D:9D:2D:29:DE:11:F7:78:E5:77:DE:11:
                55:86:C4:FC:2D:87:C7:45:43:9E:39:87:4D:CF:B0:78:
                F5:13:5C:E2:70:A7:89:74:CF:19:DE:DC:BD:ED:20:2D:
                4C:4E:3F:23:A2:92:FD:F7:9E:C3:BE:81:24:C0:A0:DC:
                51:E9:FA:90:5D:D4:4D:E8:02:D9:1B:62:6B:6B:EF:0F
        FingerPrint
            MD2:
                0E:3E:0E:83:C2:84:9A:B5:B9:31:91:E0:77:7F:19:25
            MD5:
                4D:19:40:98:37:2F:BB:AD:96:05:32:FE:6A:81:80:C4
            SHA-1:
                27:19:AB:29:5C:1D:47:19:70:DF:DF:CF:64:EE:28:18:
                F1:10:A4:56
            SHA-256:
                55:29:03:74:46:9B:90:8F:93:C7:5A:65:5D:58:65:E2:
                D9:E8:C3:B8:00:52:56:FC:CE:5C:8E:C1:E9:B6:D4:E8
            SHA-512:
                12:3C:A3:57:50:23:3B:CB:8F:2E:25:F6:35:49:72:B0:
                A6:04:7B:52:AA:36:0B:ED:19:31:54:87:F5:EE:25:65:
                8B:7F:60:F5:FA:53:54:B3:6D:D0:74:EF:BB:F3:0F:66:
                BE:EF:C9:86:6A:45:40:30:C4:80:8A:97:E9:3B:C1:02


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS

Comment 5 Christina Fu 2017-11-28 21:01:29 UTC

quick observation is that CAValidityConstraint doesn't seem to kick in.
I just looked into the profile caCMCcaCert.cfg.
Geetika, could you try changing caCMCcaCert.cfg so that the following is caValidityDefaultImpl instead?
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.name=Validity Constraint
policyset.caCertSet.2.constraint.params.range=7305
policyset.caCertSet.2.constraint.params.notBeforeCheck=false
policyset.caCertSet.2.constraint.params.notAfterCheck=false

If that works, then it could be a potential quick fix.

Comment 6 Geetika Kapoor 2017-11-29 04:34:03 UTC

I tried the suggested steps:

1. I opened caCMCcaCert.cfg of ExternalCA.
2. I did below change:


#policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.class_id=caValidityDefaultImpl

3. Restart the ExternalCA instance.
4. Now i did step1 installation for ExternalCA1.
5. perform the cmc request.
6. Send HttpClient cert request to ExternalCA.
7. Check the CMC response.

CMCResponse:


[root@pki1 test]# CMCResponse -i ca_signing-cmc-response.bin -o ca_signing.crty
Certificates: 
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x35B0
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Root CA Signing Certificate,O=ROOT
            Validity: 
                Not Before: Tuesday, November 28, 2017 4:59:52 PM IST Asia/Kolkata
                Not  After: Wednesday, February 28, 2018 4:59:52 PM IST Asia/Kolkata
            Subject: CN=Root CA Signing Certificate,O=ROOT
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        B2:FB:61:3C:E2:9E:CA:A3:42:B6:CE:FF:08:10:42:A4:
                        D2:B1:DE:5E:6D:3F:DE:8D:18:65:AE:AE:F3:D8:46:69:
                        BF:4D:13:1F:78:B6:F6:88:8D:45:E1:6E:76:1E:A0:5A:
                        55:E0:33:4D:2C:A2:A3:2E:8A:A5:DC:16:A9:01:66:D7:
                        0E:92:95:34:CC:1F:97:00:B8:6B:A6:5B:E0:F1:03:28:
                        8A:22:51:51:16:86:62:92:CA:FC:04:89:D7:AB:48:88:
                        BB:24:10:39:F4:76:E9:20:1E:D6:A5:5B:49:41:47:D8:
                        66:5A:3B:1C:E2:24:51:8C:4C:71:D3:8C:D1:68:B2:DE:
                        70:C8:6B:9F:48:EE:96:3F:32:DD:4C:97:38:5A:47:61:
                        F7:73:32:F4:4E:E9:7E:C8:22:EC:99:99:B9:49:C1:67:
                        A9:06:6F:69:CC:83:01:B4:45:B7:76:D6:84:A7:9D:7B:
                        77:FA:AF:EB:81:68:F6:01:FB:DC:FA:37:AB:17:43:C8:
                        F4:8E:2B:2B:0A:1D:6C:30:12:4D:CD:34:24:39:B5:62:
                        62:CA:49:B3:CF:45:4A:BD:A3:AA:A6:09:80:2D:F7:7E:
                        F0:BD:75:03:1D:88:FF:54:CA:FE:EE:38:DD:5E:4C:C8:
                        5D:81:9D:FE:1F:4A:C4:AF:D6:6F:1C:29:33:77:A5:39
            Extensions: 
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D:
                        68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74:
                        3A:38:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                6B:BE:A5:87:D7:25:3E:9B:6D:83:41:70:47:8E:BB:36:
                3B:44:AF:98:38:EF:4C:49:1D:8A:A8:CF:DB:9F:43:B6:
                82:D4:3B:B9:E3:F3:62:F1:95:39:D1:01:0C:D0:6A:07:
                6E:6E:86:75:10:F4:BC:DE:D8:C0:74:DE:C9:88:DB:20:
                43:49:51:8E:93:40:3F:B8:19:8E:1F:D7:EE:9F:FB:63:
                2E:C8:24:5A:14:C0:62:41:FE:F1:44:E3:5B:5A:17:5F:
                3B:59:BC:9F:C2:33:F1:11:32:2F:E2:F4:2C:03:15:D4:
                F4:BF:2F:90:F7:75:DD:D8:DB:3B:48:DB:93:24:0A:A2:
                83:75:8B:D3:C2:42:C5:78:C8:04:33:9E:56:AE:F0:8E:
                64:A5:CA:49:4B:7B:B2:DD:33:83:E5:F4:A6:3D:62:6B:
                43:4D:4E:2D:96:88:76:8C:85:AC:85:38:44:63:3B:C4:
                F1:B3:A4:2B:02:8F:40:17:EC:C4:1C:5F:9E:66:1B:A9:
                58:AF:79:5F:5B:1A:E8:08:07:1D:8B:9A:F5:73:BE:98:
                4F:A8:A3:78:B9:C8:A6:40:81:C6:18:3F:6C:AD:4C:35:
                B8:09:93:70:CE:40:B4:E2:20:3E:AE:20:4D:43:D8:7D:
                F4:DB:CC:E5:18:AE:46:6A:A3:34:6D:7B:32:2E:6E:5B
        FingerPrint
            MD2:
                E2:C9:97:BB:6D:83:42:DE:06:ED:0E:65:1E:15:89:CC
            MD5:
                66:A4:E0:BB:DA:9E:06:E5:07:E6:45:82:BB:F6:6F:6E
            SHA-1:
                FA:97:4F:FB:FF:24:CE:69:41:69:79:FC:E5:2C:AF:C6:
                9A:47:66:B9
            SHA-256:
                C1:7A:B7:6E:7F:A3:C1:63:7A:C0:42:62:A8:6E:BE:84:
                A3:C5:7B:19:49:FB:12:95:60:63:4F:2F:7B:2D:1C:D0
            SHA-512:
                59:1E:AA:15:C6:0F:C2:F8:20:34:4F:FF:F8:C7:07:0E:
                9E:65:A2:A9:BF:52:4F:97:FB:BE:7D:97:17:D1:55:37:
                E4:A9:FD:27:76:18:6A:26:D4:63:89:67:B5:4B:F3:67:
                D5:12:EE:B4:04:6F:0C:E2:60:3C:13:E9:A3:B5:D8:EA
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x5E08
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Root CA Signing Certificate,O=ROOT
            Validity: 
                Not Before: Tuesday, November 28, 2017 4:59:53 PM IST Asia/Kolkata
                Not  After: Wednesday, February 28, 2018 4:59:53 PM IST Asia/Kolkata
            Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
                    Public Key Modulus: (2048 bits) :
                        D2:72:AA:90:79:54:DF:C8:0E:F2:CD:D6:A3:25:2E:15:
                        BA:FB:AF:8A:D9:A6:9B:0B:E5:3D:41:76:3C:75:84:ED:
                        06:67:F9:AE:C9:B8:69:AF:7F:0C:2F:D8:5F:03:19:22:
                        48:16:6F:68:AB:5E:0E:CA:3E:21:F1:1C:18:CF:5F:F0:
                        87:6C:61:A0:5D:8F:A5:37:EB:0A:87:1C:53:07:0D:25:
                        49:76:14:D0:04:00:17:A2:2C:94:E2:96:8F:8C:16:9C:
                        A0:E7:78:51:76:3B:DC:F0:CF:D0:BF:28:4D:7B:2F:1D:
                        3C:F6:9B:5A:FB:4A:40:01:6F:3E:67:25:D0:2A:5C:A7:
                        56:D9:9C:4F:DC:D0:E8:A7:72:20:5A:83:B5:3C:E5:EC:
                        53:5F:BA:55:22:23:7F:B4:1D:E9:02:26:0E:3D:16:B1:
                        17:90:DF:BB:04:E1:60:9F:CC:E2:5E:85:AE:E7:61:33:
                        1B:60:7A:F9:CD:FC:9C:37:37:60:2A:45:E6:0B:08:22:
                        B9:F2:25:1A:71:13:18:2F:F4:B5:89:A9:C2:BA:6B:EC:
                        51:42:26:45:0D:CB:99:45:51:9C:3D:76:86:74:CE:84:
                        88:B3:DF:2A:D6:90:39:CE:FD:A1:88:7C:26:5C:47:3C:
                        D7:A8:F4:07:8C:64:09:F4:18:70:F1:9C:DF:85:0D:05
            Extensions: 
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D:
                        68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74:
                        3A:38:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38:
                        35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36:
                        65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38:
                        35:36:34:35:33:34:32:36:37:38:39:30:31
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2:
                        BA:39:70:72
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
        Signature: 
            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Signature: 
                02:22:BB:5B:E2:F2:BD:C6:8F:43:BF:56:F8:02:72:D1:
                50:EF:50:16:C3:F0:2A:6A:AA:4D:33:0C:95:72:EE:6C:
                28:F5:BF:80:BF:CC:8D:84:BC:70:CC:43:2A:AA:74:23:
                3F:F1:A7:1C:42:AA:DE:8E:D4:A2:81:8B:66:92:2B:65:
                FF:2D:5C:16:92:67:5E:C5:A9:61:29:E2:C9:A2:24:38:
                8F:4D:61:8C:FD:BF:51:9D:2A:43:D4:94:D7:A6:C1:3F:
                A3:57:43:A6:DD:AE:A8:A9:D2:C9:F1:E7:0D:18:B3:01:
                8F:F2:FC:E6:51:16:EA:82:64:1A:C1:34:74:90:1A:49:
                64:D3:A3:76:8C:2A:71:E6:89:35:1D:7D:1E:5F:2F:03:
                14:08:EB:72:F7:21:60:E1:2C:0C:76:84:45:F1:62:37:
                56:6D:65:B3:3F:84:F6:0F:A1:E7:AA:E4:D4:A1:57:55:
                78:2F:09:D6:17:D7:AA:9E:FD:34:90:46:41:7D:32:EC:
                01:41:3A:D6:4D:8B:FC:37:A1:04:93:B4:9C:B6:85:D5:
                31:EF:6B:52:D0:A5:6F:50:31:03:D3:D1:D0:CD:3F:20:
                F6:28:87:30:73:42:90:E8:9A:68:44:DB:9E:76:EA:5E:
                DC:BC:A6:1B:85:97:96:F1:9C:97:2D:E6:18:F9:94:51
        FingerPrint
            MD2:
                54:F5:66:00:69:4D:B1:6C:4E:6D:87:30:A3:75:E2:74
            MD5:
                28:F8:D7:EC:A1:A6:B0:7C:54:EE:B7:60:5F:93:CD:C8
            SHA-1:
                F0:FF:AF:CD:52:59:00:14:80:9E:23:0F:AE:E2:D9:1F:
                63:95:FE:F3
            SHA-256:
                6A:2A:91:FD:61:E9:A0:EC:3C:90:D2:39:FC:57:75:0F:
                1F:13:42:C3:02:10:44:FC:10:15:20:7C:50:54:1C:5D
            SHA-512:
                8E:9A:89:45:07:AD:1D:85:1B:EB:E8:49:39:58:7B:EB:
                91:26:6E:07:4F:9E:A2:93:66:55:7A:7A:E3:25:0C:56:
                F6:CB:26:36:4D:7D:B3:89:14:0D:AE:60:CF:7B:97:1B:
                68:DE:31:27:3D:6A:62:DC:F7:DA:25:83:87:74:15:74


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 0 
   Status String: Profile caCMCcaCert Not Found
   OtherInfo type: FAIL
     failInfo=internal ca error
ERROR: CMC status for [0]: failed

=============================================

Debug logs when cmc request input is sent to ExternalCA:
-------------------------------------------------------

[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet::service() param name='profileId' value='caCMCcaCert'
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet: caProfileSubmitCMCFull start to service.
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet Input Parameter profileId='caCMCcaCert'
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: start serving
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: profileId caCMCcaCert
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: begins
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo:  - done
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: CMSServlet: curDate=Wed Nov 29 09:49:59 IST 2017 id=caProfileSubmitCMCFull time=102
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED




8. So looks like it could not get the profile for caCMCcaCert.
9. I check the CS.cfg but i could see that profile in list.

[root@pki1 test]# grep -i "caCMCcaCert" /etc/pki/pki-tomcat/ca/CS.cfg
profile.caCMCcaCert.class_id=caEnrollImpl
profile.caCMCcaCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caCMCcaCert.cfg
profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment

Comment 7 Geetika Kapoor 2017-11-29 04:39:07 UTC

List of packages that are installed in machine:

[root@pki1 ~]# rpm -qa pki-ca
pki-ca-10.5.1-1.el7.noarch
[root@pki1 ~]# rpm -qa pki-*
pki-core-debuginfo-10.4.1-17.el7_4.x86_64
pki-tools-10.5.1-1.el7.x86_64
pki-ocsp-10.5.1-1.el7pki.noarch
pki-kra-10.5.1-1.el7.noarch
pki-console-10.5.1-1.el7pki.noarch
pki-tps-10.5.1-1.el7pki.x86_64
pki-javadoc-10.4.1-17.el7_4.noarch
pki-base-java-10.5.1-1.el7.noarch
pki-ca-10.5.1-1.el7.noarch
pki-base-10.5.1-1.el7.noarch
pki-symkey-10.5.1-1.el7.x86_64
pki-server-10.5.1-1.el7.noarch
pki-tks-10.5.1-1.el7pki.noarch

Comment 8 Christina Fu 2017-11-29 17:39:30 UTC

It appears that CAValidityConstraint is not in the config by default.  Lets try the following to see if it's still supported:

in registry.cfg, add:
constraintPolicy.caValidityConstraintImpl.class=com.netscape.cms.profile.constraint.CAValidityConstraint
constraintPolicy.caValidityConstraintImpl.desc=CA Validity Constraint
constraintPolicy.caValidityConstraintImpl.name=CA Validity Constraint

find constraintPolicy.ids= and add to the list: caValidityConstraintImpl

in caCMCcaCert.cfg
replace the line:
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
with
policyset.caCertSet.2.constraint.class_id=caValidityConstraintImpl

restart the server

Comment 9 Christina Fu 2017-12-01 00:53:01 UTC

Pushed to Dogtag master
https://pagure.io/dogtagpki/issue/2861#comment-482371

Comment 14 Geetika Kapoor 2018-02-13 19:29:51 UTC

Test Env:
========

pki-ca-10.5.1-7.el7.noarch

Test Steps:
===========

1. Make sure we have a CA installed.
2. Use CMC profile for certificate signing.Make sure it should not create a certificate >= parent CA expiry date.
3. This needs to be set manually in the caCMCcaCert profile.
4. Make sure profile has policyset.caCertSet.2.default.class_id=caValidityDefaultImpl.


Note:
====

I was thinking of a practical scenario.

1. I have a rootCA installed. (expiry 7305 days) -- so it will expire
say on 20 jan 2038
2. After 10 days i thought of installing another CA signed by RootCA.
3. I choose CMC way of getting my certs signed.
4. Installation will fail because because of profile expiry will be 30
jan 2038.
5.This will fail because its expiry > Rootca expiry which is correct.

Question: In this case user have to change everytime in profile before
they signs a SubCA or ExternalCA certificate?


--- Already ticket exist for it https://pagure.io/dogtagpki/issue/2912

Comment 16 errata-xmlrpc 2018-04-10 17:02:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925