Bug 1447080
| Summary: | CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | arubin, cfu, gkapoor, mharmsen |
| Target Milestone: | rc | | |
| Target Release: | 7.4 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.4.1-5.el7 | Doc Type: | No Doc Update |
| Doc Text: | See Doc Text field in BZ#1404413. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 22:50:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Christina Fu
2017-05-01 16:31:10 UTC
Pushed to Dogtag master: https://pagure.io/dogtagpki/issue/2673#comment-441315

I wanted to ask how to use the "-w" option with CRMFPopClient to make this work. Last time Ade suggested adding "-g false". Please refer to "Test Result". Also, I am planning to test the self-signed CMC test case for this Bugzilla. Do you think that is sufficient as part of this Bugzilla?

Test Document:
==============
https://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Self-Signed_CMC_Request_Example_.28with_IdentityProofV2.29

Test Steps:
===========
1. Set up IdentityProof, which is needed only in case of a self-signed certificate.

2. Generate a self-signed request.

CRMFPopClient -d . -p SECret.123 -n "cn=Test1, uid=Testing" -q POP_SUCCESS -b kra.transport -y -v -o self-signed/crmf.req
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: UID=Testing
RDN: CN=Test1
Generating key pair
Keypair private key id: 418a17139d95f74f34a678fdc87b1f31c64106d3
Using key wrap algorithm: AES KeyWrap/Padding
Creating certificate request
CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.
CryptoUtil: createKeyIdentifier: begins
Creating signer
Creating POP
Creating CRMF request
Storing CRMF requrest into self-signed/crmf.req

3. Set the newly generated "Keypair private key id:" in cmc.self.cfg

CMCRequest self-signed/cmc.self.cfg
cert/key prefix =
path = /opt/rhqa_pki/certs_db/
CryptoManger initialized
token internal logged in...
got signerCert: PKI CA Administrator
got request privKeyId: 418a17139d95f74f34a678fdc87b1f31c64106d3
got private key
createPKIData: begins
createPopLinkWitnessV2Attr: begins
createPopLinkWitnessV2Attr: keyGenAlg=SHA-256; macAlg=SHA-256-HMAC
createPopLinkWitnessV2Attr: Successfully created id_cmc_idPOPLinkRandom control.
bpid = 1
createPopLinkWitnessV2Attr: Successfully created PopLinkWitnessV2 control.
createPopLinkWitnessV2Attr: returning...
k=0
createPKIData: format: crmf
CryptoUtil: getSKIExtensionFromCertTemplate: checking extension in request:{2 5 29 14}
CryptoUtil: getSKIExtensionFromCertTemplate: extension found
createPKIData: SubjectKeyIdentifier extension found in self-signed request
createPKIData: popLinkWitnessV2 enabled. reconstructing crmf
createNewPOP: begins
createNewPOP: about to create POPOSigningKey
createNewPOP: creating and returning newPopOfSigningKey
createPKIData: new CRMF b64encode completes.
identification control: identification =testuser
Successfully create identification control.
bpid = 1
CMCRequest: addIdentityProofV2Attr: hashAlg=SHA-512; macAlg=SHA-256-HMAC
Identity Proof V2 control:
Value: -56 -94 36 -100 45 39 83 -109 105 57 -72 -16 -106 8 54 33 -2 -60 -88 102 81 -104 31 -51 59 -128 80 109 28 -101 84 70
Successfully create identityProofV2 control.
bpid = 2
selfSign is true...
signData for selfSign: begins:
createSignedData: begins
getSigningAlgFromPrivate: begins.
getSigningAlgFromPrivate: found signingKeyType=RSA
getSigningAlgFromPrivate: using SignatureAlgorithm: RSASignatureWithSHA256Digest
createSignedData: digest created for pkidata
createSignedData: digest algorithm =RSA
getCMCBlob: begins
getCMCBlob: generating signed data

The CMC enrollment request in base-64 encoded format:

The CMC enrollment request in binary format is stored in self-signed/cmc.self.req.

4. HttpClient self-signed/HttpClient-cmc-crmf.self.cfg

Total number of bytes read = 2958
after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key
handshake happened
writing to socket
handshake happened
Total number of bytes read = 234
The response in binary format is stored in /opt/rhqa_pki/certs_db/self-signed/cmc.self.Resp

5. CA debug logs:

[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: HttpConn: remote request id still pending 139 state svc_pending
[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: In HttpConnFactory.returnConn
[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: HttpreturnConn: mNumConns now 1
[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DATA_ARCHIVAL_REQUEST
[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: LogFile: event type not selected: SECURITY_DATA_ARCHIVAL_REQUEST
[24/Jun/2017:06:34:05][http-bio-25443-exec-18]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED
[24/Jun/2017:06:34:11][http-bio-25443-exec-19]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED

6. KRA debug logs:

[24/Jun/2017:06:34:05][http-bio-19443-exec-1]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DATA_ARCHIVAL_REQUEST
[24/Jun/2017:06:34:05][http-bio-19443-exec-1]: KRAService serviceRequest EBaseException:Invalid Private Key
[24/Jun/2017:06:34:05][http-bio-19443-exec-1]: SignedAuditEventFactory: create() message created for eventType=CERT_REQUEST_PROCESSED

Test Result:
===========
Archival didn't happen. Last time, to get rid of this, we used the -g false option in CRMFPopClient, but this time we don't have that option. We have the -w option. So do we need to add that? If yes, what needs to be set?

-w <keywrap algorithm>
   Algorithm to use for key wrapping
   - default: "AES KeyWrap/Padding"
   - "AES/CBC/PKCS5Padding"
   - "DES3/CBC/Pad"

Question 1: The CMC configuration file says "#identification works with identityProofV2", so if I set identityProofV2.enable=false, are these (identification.enable=true and identification=testuser) relevant in that case?
identification.enable=true
identification=testuser

I believe the comment in the CMCRequest states
#identification works with identityProofV2 and popLinkWitnessV2
which means either one of them would require identification; only if both of them are false would identification not be required.

Hi,
I am referring to https://pki.fedoraproject.org/wiki/Cmc-crmf-self.cfg which says

#identification works with identityProofV2
identification.enable=true
identification=testuser

so if I set identityProofV2.enable=false, whatever values we set for identification.enable and identification, it doesn't matter?
Also, if you could respond on comment #4.
Thanks

The example came from an older CMCRequest file I had. If you run CMCRequest -help now you will see the comment:
#identification works with identityProofV2 and popLinkWitnessV2
So again, to answer your question: yes and no, depending on whether popLinkWitnessV2 is true or not. Identification will only be pulled when either one is true.

For comment #4, my answer is the same as last Friday: no, I do not know how -w is used. You might want to find out who reviewed Ade's "-w" option code and hopefully get some insight into that option.

Test build:
rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

https://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Self-Signed_CMC_Request_Example_.28with_IdentityProofV2.29 -- Works as expected

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2110
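
The CMCRequest log in this report shows the identityProofV2 control being built with hashAlg=SHA-512 and macAlg=SHA-256-HMAC. As an added example (not code from this bug report or from Dogtag), the sketch below follows the witness computation of RFC 5272 section 6.2.1 with those two algorithms and decodes the signed-byte form the log prints. The shared secret and the DER bytes are constructed stand-ins, and how Dogtag itself derives the key is not shown on this page.

```python
import hashlib
import hmac

# Constructed sample inputs (assumptions, not values from the bug report).
SHARED_SECRET = "constructed-shared-secret"
REQ_SEQUENCE_DER = bytes.fromhex("3003020101")  # stand-in for the DER reqSequence

# Witness value exactly as printed in the CMCRequest log above.
LOGGED_WITNESS = ("-56 -94 36 -100 45 39 83 -109 105 57 -72 -16 -106 8 54 33 "
                  "-2 -60 -88 102 81 -104 31 -51 59 -128 80 109 28 -101 84 70")


def identity_proof_v2_witness(shared_secret, req_sequence_der,
                              hash_alg="sha512", mac_alg="sha256"):
    """RFC 5272 6.2.1: key = hash(shared secret as UTF-8);
    witness = HMAC(key, reqSequence exactly as encoded in the request)."""
    key = hashlib.new(hash_alg, shared_secret.encode("utf-8")).digest()
    return hmac.new(key, req_sequence_der, mac_alg).digest()


def verify_identity_proof_v2(shared_secret, req_sequence_der, witness,
                             hash_alg="sha512", mac_alg="sha256"):
    """Server-side check: recompute the witness and compare in constant time."""
    expected = identity_proof_v2_witness(shared_secret, req_sequence_der,
                                         hash_alg, mac_alg)
    return hmac.compare_digest(expected, witness)


def parse_java_signed_bytes(text):
    """Convert the log's signed decimal bytes (Java byte values) to raw bytes."""
    return bytes(int(tok) & 0xFF for tok in text.split())


def java_signed_bytes(data):
    """Render raw bytes the way the log prints them."""
    return " ".join(str(b - 256 if b > 127 else b) for b in data)


if __name__ == "__main__":
    w = identity_proof_v2_witness(SHARED_SECRET, REQ_SEQUENCE_DER)
    print("witness:", java_signed_bytes(w))
    print("verifies:", verify_identity_proof_v2(SHARED_SECRET, REQ_SEQUENCE_DER, w))
    # The logged value is 32 bytes, the output size of HMAC-SHA256.
    print("logged witness hex:", parse_java_signed_bytes(LOGGED_WITNESS).hex())
```

Because the MAC covers the encoded reqSequence, any change to the request after the witness is computed makes verification fail, as does a wrong shared secret.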