Created attachment 1359709: test_steps

Description of problem:
Setup: RootCA --> ExternalCA --> ExternalCA1

Failure observed in ExternalCA1 when ExternalCA signed the certificate for it using CMC. Installation failed with "CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)".

Version-Release number of selected component (if applicable):
pki-ca-10.5.1-1.el7.noarch

How reproducible:
Tried a few times and got this exception.

Steps to Reproduce:
1. Generate a step1 configuration file for generating the CSR for ExternalCA1.
2. Use this CSR and proceed with "Issuing CA Signing Certificate with CMC". Here, while sending the HttpClient request, I point to the ExternalCA credentials. If I get my certificate signed using the procedure mentioned in the document (http://pki.fedoraproject.org/wiki/Issuing_CA_Signing_Certificate_with_CMC), I get a PKCS#7 certificate at the end, which I have put in "pki_cert_chain_path".
   -- pki_ca_signing_cert_path=Ca.crt (I got this certificate from the CA Agent page.) This gets signed by the ExternalCA using the CMC mechanism.
   -- pki_cert_chain_path=ca_signing.crt This is my certificate chain in PKCS#7 format, which has the RootCA, ExternalCA and ExternalCA1 certs in it.
3. Proceed with step2 of the installation.

So while doing the 2nd step for ExternalCA1 it fails with "Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)".

Note: Attached test_steps for more details.

=====

Actual results:
Installation failed

<system>
0.http-bio-31443-exec-3 - [25/Nov/2017:00:41:24 IST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)
</system>

Expected results:
Installation should work and ExternalCA1 should be up.
Additional info:

Detailed logs:
[25/Nov/2017:00:41:25][http-bio-31443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)
Unable to get ca certificate: Unable to initialize, java.io.IOException: extra DER value data (constructor)
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2766)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2590)
    at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:476)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: Unable to initialize, java.io.IOException: extra DER value data (constructor)
    at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1618)
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
    ... 70 more
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: extra DER value data (constructor)
    at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
    at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
    at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1610)
    ... 71 more
[25/Nov/2017:00:41:25][http-bio-31443-exec-3]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
Another Observation:

--> RootCA certificate validity is 1 year.
    Version: 3 (0x2)
    Serial Number: 24243 (0x5eb3)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: O=ROOT, CN=Root CA Signing Certificate
    Validity
        Not Before: Nov 24 10:47:45 2017 GMT
        Not After : Feb 24 10:47:45 2018 GMT
    Subject: O=ROOT, CN=Root CA Signing Certificate

--> RootCA when it signed the certificate for ExternalCA:
    Version: 3 (0x2)
    Serial Number: 25725 (0x647d)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: O=ROOT, CN=Root CA Signing Certificate
    Validity
        Not Before: Nov 24 10:48:19 2017 GMT
        Not After : Feb 24 10:48:19 2018 GMT
    Subject: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)

--> ExternalCA (which is dogtag), when it signed the certificate for another ExternalCA1 (which is dogtag), signed a certificate whose expiry is 2037. So I think the expiry of this certificate should be <= the expiry of its parent CA? I suspect this could be the reason for the failure that we are seeing.
    Version: 3 (0x2)
    Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: O=EXAMPLE, OU=pki-tomcat, CN=CA Signing Certificate
    Validity
        Not Before: Nov 24 19:05:37 2017 GMT
        Not After : Nov 24 19:05:37 2037 GMT
    Subject: O=EXAMPLE, OU=topology-CA-EX, CN=CA Signing Certificate
If I am reading your description correctly, in step A 2, you used certutil to sign externalCA cert with root ca cert. This is not using Dogtag, so expiration (and just about everything else) is controlled by the person who runs certutil. You should make sure the expiration is correct there before you go on.
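The description hands pkispawn's second step two files, a single signing certificate in pki_ca_signing_cert_path and a PKCS#7 bundle in pki_cert_chain_path, and the comments so far disagree about who controls the subordinate's expiry. The script below is an added example, not part of this bug report and not Dogtag code: it builds a constructed RootCA -> ExternalCA -> ExternalCA1 chain with openssl (file names root, ext, ext1, Ca.crt and ca_signing.crt are made up here) and runs the pre-flight checks a practitioner would want before step 2. It assumes OpenSSL 1.1.1 or newer and GNU date(1). It shows two things: a PKCS#7 bundle handed to a single-certificate parser does not parse (the openssl counterpart of a DER SEQUENCE carrying more than the parser expects), and openssl verify accepts a chain whose subordinate CA outlives its issuer, so that condition has to be checked on its own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Dogtag: pre-flight checks
# for the two files the description hands to pkispawn step 2
# (pki_ca_signing_cert_path and pki_cert_chain_path), run against a
# constructed RootCA -> ExternalCA -> ExternalCA1 chain built here with
# openssl so the script works offline. Assumes OpenSSL 1.1.1+ and GNU date(1).
# File names root/ext/ext1, Ca.crt and ca_signing.crt are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions every CA certificate in the chain carries (same as the CSR in the log)
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# issue_ca NAME SUBJECT ISSUER DAYS: key + CSR for NAME, signed by ISSUER
# (ISSUER=self for a self-signed root) with DAYS of validity.
issue_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$4" -sha256 \
      -extfile ca.ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days "$4" -sha256 -extfile ca.ext -out "$1.pem" 2>/dev/null
  fi
}

issue_ca root "/O=ROOT/CN=Root CA Signing Certificate" self 90
issue_ca ext  "/O=EXAMPLE/OU=pki-tomcat/CN=CA Signing Certificate" root 60
issue_ca ext1 "/O=EXAMPLE/OU=topology-CA-EX/CN=CA Signing Certificate" ext 7304  # 20 years, like CAValidityDefault

cp ext1.pem Ca.crt                                # what pki_ca_signing_cert_path should hold
openssl crl2pkcs7 -nocrl -certfile root.pem -certfile ext.pem -certfile ext1.pem \
  -out ca_signing.crt                             # PKCS#7 bundle, like pki_cert_chain_path

# is_single_cert FILE: true iff FILE parses as exactly one X.509 certificate.
# A PKCS#7 bundle fails here: a single-certificate parser is handed a DER
# SEQUENCE with more content than it expects.
is_single_cert() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ]
}

# p7_cert_count FILE: number of certificates inside a PEM PKCS#7 bundle (0 if not PKCS#7)
p7_cert_count() {
  openssl pkcs7 -in "$1" -print_certs 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# chain_complete FILE: true iff FILE is a PKCS#7 bundle holding at least an issuer and a root
chain_complete() {
  [ "$(p7_cert_count "$1")" -ge 2 ]
}

# not_after FILE: notAfter of a certificate as epoch seconds (GNU date)
not_after() {
  date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s
}

# validity_nested CHILD ISSUER: true iff the child does not outlive its issuer.
# RFC 5280 path validation does not require this, so openssl verify will not catch it.
validity_nested() {
  [ "$(not_after "$1")" -le "$(not_after "$2")" ]
}

# chain_ok LEAF ISSUER ROOT: plain path validation of LEAF via ISSUER to ROOT
chain_ok() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# preflight SIGNING_CERT CHAIN_P7B ISSUER_CERT ROOT_CERT: print one line per
# check and return the number of failed checks.
preflight() {
  fails=0
  for c in "is_single_cert $1" "chain_complete $2" "chain_ok $1 $3 $4" \
           "validity_nested $1 $3" "validity_nested $3 $4"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

preflight Ca.crt ca_signing.crt ext.pem root.pem || echo "$? check(s) failed"
```

On the constructed chain every check passes except the last nesting check: openssl verify reports ext1 as OK because path validation only needs each certificate to be valid at validation time, while validity_nested flags that ExternalCA1 (7304 days) outlives its issuer (60 days), the same shape as the certificate dumps in the report. Whether that is what broke this particular install is not something the thread establishes; the script only makes both conditions visible before step 2 runs.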
RootCA --> ExternalCA --> ExternalCA1
(nssdb)     (dogtagCA)    (dogtagCA1)

Yes, I have used nssdb (rootca) to get ExternalCA. But ExternalCA is a dogtag CA which has an expiry of 1 year. Now if I use this ExternalCA, which is a dogtag CA, to sign another ExternalCA1, a dogtag CA signs a dogtag CA, and when it signed the certificate for ExternalCA1 that certificate got an expiry 20 years out. So I think the expiry of this certificate should be <= the expiry of its parent CA? So what I thought was, since the signing CA for ExternalCA1 is now a dogtag CA, the expiry of ExternalCA1's signing cert should be controlled by ExternalCA.

Logs:
ExternalCA logs while signing CMC certs for ExternalCA1:
========================================================
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet::service() param name='profileId' value='caCMCcaCert'
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: CMSServlet: caProfileSubmitCMCFull start to service.
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet Input Parameter profileId='caCMCcaCert'
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: start serving
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: profileId caCMCcaCert
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: authenticator CMCAuth found
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[29/Nov/2017:01:00:09][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: start checking signature
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: found signing cert... verifying
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifySignerInfo: ssl client cert principal and cmc signer principal match
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: signing key alg=RSA
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifying signature with public key
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: finished checking signature
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: started
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: Retrieving client certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertUserDBAuth: Got client certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Authentication: client certificate found
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Authentication: mapped certificate to user
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: authenticated uid=caadmin,ou=people,dc=ca,dc=example,dc=com
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: verifySignerInfo: Principal name = CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: authenticate: numReqs not 0, assume enrollment request
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCAuth: type is PKCS10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event CMC_SIGNED_REQUEST_SIG_VERIFY
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: authenticate: setting auditSubjectID in SessionContext:caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event AUTH
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet authToken not null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet.authorize(DirAclAuthz)
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditSubjectID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: algorithm = RSA, unparsed keybits [...]
  Validity: [From: Tue Nov 28 17:00:48 IST 2017, To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [ 05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [ KeyIdentifier [ 30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 31 ] ]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthInfoAccess [ (0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment ]
  Extension[3] = oid=2.5.29.37 val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4
]
  Algorithm: [SHA256withRSA]
  Signature [...] authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditSubjectID: subjectID: caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditGroupID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditGroupID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: algorithm = RSA, unparsed keybits [...]
  Validity: [From: Tue Nov 28 17:00:48 IST 2017, To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [ 05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [ KeyIdentifier [ 30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 31 ] ]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthInfoAccess [ (0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment ]
  Extension[3] = oid=2.5.29.37 val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4
]
  Algorithm: [SHA256withRSA]
  Signature [...] authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditGroupID: groupID: null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: AAclAuthz.checkPermission(certServer.ee.profile, submit)
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: checkPermission(): expressions: user="anybody"
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: evaluating expressions: user="anybody"
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: evaluated expression: user="anybody" to be true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DirAclAuthz: authorization passed
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event AUTHZ
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event ROLE_ASSUME
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: cmc request content is signed data
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: authManagerId =CMCAuth
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: numcontrols=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: found numOfOtherMsgs: 0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: getting :cmc.popLinkWitnessRequired
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: popLinkWitness(V2) not required
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: nummsgs =1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: parseCMC: ends
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: parseCMC returns cmc_msgs num_requests=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in getNextSerialNumber.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getSerialNumber()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getSerialNumber serial=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in InitCache
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: Instance of Request Repository or CRLRepository.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: minSerial:1 maxSerial: 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: nextMinSerial: nextMaxSerial:
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: increment:10000000 lowWaterMark: 2000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: in getLastSerialNumberInRange: min 1 max 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue@28c7e5b1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: low 1 high 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 10000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 0810000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: searching for entry 0810000000
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList.getEntries()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: entries: 6
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: top: 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: DBVirtualList: size: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId: size 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getSizeBeforeJumpTo: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: curReqId: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: RequestQueue: getLastRequestId : returning value 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: mLastSerialNo: 8
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: checkRange mLastSerialNo=9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getNextSerialNumber: returning retSerial 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createEnrollmentRequest 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: createRequests: setting cmc TaggedRequest in request
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet profileSetid=caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: request 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: populating request inputs
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: cert_request_type= REQ_TYPE_CMC
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: starts
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: getPKIDataFromCMCblob: cmc request content is signed data
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertReqInput: populate: pkiData.getReqSequence() called; nummsgs =1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10: TaggedRequest type == pkcs10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10: sigver true, POP is to be verified
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event PROOF_OF_POSSESSION
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: Found PKCS10 extension
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: PKCS10 found extensions [ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen: undefined ] , ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_CertSign Crl_Sign ] ]
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillPKCS10: Finish parsePKCS10 - CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: fillTaggedRequest: PKCS10: done
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: populate: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: populate: policy setid =caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserSubjectNameDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserSubjectNameDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: CAValidityDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: start time: 0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: not before: Wed Nov 29 01:00:10 IST 2017
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: range: 7304
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: range unit: day
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAValidityDefault: not after: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: CAValidityDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserKeyDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: UserKeyDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthorityKeyIdentifierExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthorityKeyIdentifierExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: BasicConstraintsExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: BasicConstraintsExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: KeyUsageExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: KeyUsageExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SubjectKeyIdentifierExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectKeyIdentifierExtDefault: getKeyIdentifier: configured hash alg:
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectKeyIdentifierExtDefault: getKeyIdentifier: generating hash with default alg: SHA-1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SubjectKeyIdentifierExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SigningAlgDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: SigningAlgDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthInfoAccessExtDefault: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: AuthInfoAccess: createExtension i=0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollDefault: populate: AuthInfoAccessExtDefault: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: in auditSubjectID
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@b2d9a2f, userid=caadmin, cmcRequestCertSubject=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE, profileContext=com.netscape.cms.profile.common.ProfileContext@14b37c4a, sslClientCert=[
[
  Version: V3
  Subject: CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: algorithm = RSA, unparsed keybits = 30 82 01 0A 02 82 01 01 00 9A DD 6B A3 AD 5C F2 3E F9 B1 CB 26 FC CC 90 87 2F 56 11 50 16 6A 12 64 F2 88 99 9E 6F C8 E8 8B 32 65 80 CC 09 B6 6A 09 E0 C0 4D DC A3 FC 34 EC C4 6C 08 E5 5A 75 9A 9B CA 84 0A CF 2F C0 CE DA 8F 15 A0 63 84 DB 40 F0 26 C2 B1 D4 B4 86 F6 DE 64 F5 51 A3 8E 74 62 BF AC D8 F6 34 B0 70 E9 68 5E 4E 0C 95 AB AF 31 5E 2A BA 92 40 2E 2F B7 55 37 9E 14 8A A5 AF 2F 0D C1 30 25 CD D7 BB F1 F9 68 40 36 F1 C0 D4 66 A9 6E 46 B0 3E 54 82 B7 F7 B4 9E 1D 45 FD 99 19 72 22 91 38 56 8E 38 41 D8 6C 20 18 81 CE BB 60 25 32 52 18 31 7E B0 EF ED 6B 56 E0 86 9C C7 6F 44 4D 1C E7 62 B1 CF 03 2B CA D0 19 F4 96 A1 BE E5 63 E8 59 F7 15 8C 01 F1 B5 F3 AF CC 8D 36 78 CD 0A 93 3A 65 4E 43 5D BB D7 63 1D 59 D6 FF E9 98 C6 31 89 1C 3F CE F3 39 61 DF 4D AA 68 39 56 04 5C 9F F3 3A D0 C7 A5 4B 02 03 01 00 01
  Validity: [From: Tue Nov 28 17:00:48 IST 2017, To: Wed Feb 28 16:59:53 IST 2018]
  Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  SerialNumber: [ 05]
  Extension[0] = ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [ KeyIdentifier [ 30 78 31 31 30 62 39 37 62 32 32 66 37 38 65 38 35 65 30 62 33 64 65 35 38 30 61 38 39 33 61 36 65 30 31 64 64 64 66 32 63 34 37 38 39 36 37 38 35 36 34 35 33 34 32 36 37 38 39 30 31 ] ]
  Extension[1] = ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthInfoAccess [ (0) 1.3.6.1.5.5.7.48.1 URIName: http://pki1.example.com:8080/ca/ocsp]
  Extension[2] = ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment ]
  Extension[3] = oid=2.5.29.37 val=48 20 6 8 43 6 1 5 5 7 3 2 6 8 43 6 1 5 5 7 3 4
]
  Algorithm: [SHA256withRSA]
  Signature [...] numOfOtherMsgs=0, authManagerId=CMCAuth}
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet auditSubjectID: subjectID: caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileapprovedby$ value=admin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.authenticatedname$ value=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.cert_request$ value=oIICygIBATCCAsMwggGrAgEAMEwxEDAOBgNVBAoTB0VYQU1QTEUxFzAVBgNVBAsT
DnRvcG9sb2d5LUNBLUVYMR8wHQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRl
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvm9figSADMeisYcP4bdB
+ZcFoxoISXcNIimWsqvoFo8MqO44O7fWSb2roN/726mIVOarMbLu/1L5gtBQ8jZB
lHyVaBltRROSUpzMXrjX2m0PJ/0ufCmtfs3XDM4e8WjvHac/+A0JVn4tNccT+xoV
b5nz0yvPJvA2ZFz4u8XXg1Y5TV5z+PQiiUYU4tuMfwj2slX+P4r+VJNCg7uRpCc7
15E9nbbXKHFd/D1x24c8Fi5ioGvCFKJvrsCv5f/ybgXhGi2N/oQN9t89mLyREE6Z
dqSDr1JO/8serPFSILAQliy9qwgABwmghJcAY5NS1O7zgpalnTx9eby5u2ZprDik
wwIDAQABoDIwMAYJKoZIhvcNAQkOMSMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
DwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEApx8JzPztkApVV0w+3ZT3Doio
XEoCYCn1gn1NQ3M+dYg3Auu0JNWUeWLFVEL2yKesp0fRuHR4Z8NsNPyUhb8w8qOm
DfIfYo5WzpXSip+qgVcUwYosKNSm2pHQ6UQm4avBEXTJ7D3of8RysjMe7uT2e1Kt
JsP7E3oO2ze3k5ReTNyRWXYHg0wKn49HmEIP06f7GYT2SUF+UCuKcxSVBiaA/kBV
Kb0duDdw52GKK30kX2D44obXP3oILkzKII3eAwF5uHl6aZMYi4eCdzwCYVWKyFEB
pVT+0J/tyvdzASVW6MAILVF4aaibLjOvRzesJ7MznHtyQMbPpi4VDuZig/U/2A==
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profile$ value=true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requestversion$ value=1.0.0
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name.cn$ value=CA Signing Certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_locale$ value=en
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.dbstatus$ value=NOT_UPDATED
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requeststatus$ value=begin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_key$ value=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvm9figSADMeisYcP4bdB
+ZcFoxoISXcNIimWsqvoFo8MqO44O7fWSb2roN/726mIVOarMbLu/1L5gtBQ8jZB
lHyVaBltRROSUpzMXrjX2m0PJ/0ufCmtfs3XDM4e8WjvHac/+A0JVn4tNccT+xoV
b5nz0yvPJvA2ZFz4u8XXg1Y5TV5z+PQiiUYU4tuMfwj2slX+P4r+VJNCg7uRpCc7
15E9nbbXKHFd/D1x24c8Fi5ioGvCFKJvrsCv5f/ybgXhGi2N/oQN9t89mLyREE6Z
dqSDr1JO/8serPFSILAQliy9qwgABwmghJcAY5NS1O7zgpalnTx9eby5u2ZprDik
wwIDAQAB
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.authmgrinstname$ value=CMCAuth
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.uid$ value=CN=PKI Administrator,E=caadmin,OU=pki-tomcat,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.userid$ value=caadmin
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.cert_request_type$ value=cmc-pkcs10
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileid$ value=caCMCcaCert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]:
ProfileSubmitCMCServlet: key=$request.requestid$ value=9 [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.tokencertsubject$ value=CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.sslclientcert$ value=5 [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.auth_token.authtime$ value=1511897409924 [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_x509info$ value=MIICx6ADAgECAgEAMA0GCSqGSIb3DQEBCwUAMEgxEDAOBgNVBAoTB0VYQU1QTEUx EzARBgNVBAsTCnBraS10b21jYXQxHzAdBgNVBAMTFkNBIFNpZ25pbmcgQ2VydGlm aWNhdGUwHhcNMTcxMTI4MTkzMDEwWhcNMzcxMTI3MTkzMDEwWjBMMRAwDgYDVQQK EwdFWEFNUExFMRcwFQYDVQQLEw50b3BvbG9neS1DQS1FWDEfMB0GA1UEAxMWQ0Eg U2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAL5vX4oEgAzHorGHD+G3QfmXBaMaCEl3DSIplrKr6BaPDKjuODu31km9q6Df +9upiFTmqzGy7v9S+YLQUPI2QZR8lWgZbUUTklKczF6419ptDyf9LnwprX7N1wzO HvFo7x2nP/gNCVZ+LTXHE/saFW+Z89MrzybwNmRc+LvF14NWOU1ec/j0IolGFOLb jH8I9rJV/j+K/lSTQoO7kaQnO9eRPZ221yhxXfw9cduHPBYuYqBrwhSib67Ar+X/ 8m4F4Rotjf6EDfbfPZi8kRBOmXakg69STv/LHqzxUiCwEJYsvasIAAcJoISXAGOT UtTu84KWpZ08fXm8ubtmaaw4pMMCAwEAAaOBzzCBzDBIBgNVHSMEQTA/gD0weDEx MGI5N2IyMmY3OGU4NWUwYjNkZTU4MGE4OTNhNmUwMWRkZGYyYzQ3ODk2Nzg1NjQ1 MzQyNjc4OTAxMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1Ud DgQWBBTDS0Gk93o5FbqHxYgI1nOozyicuzBABggrBgEFBQcBAQQ0MDIwMAYIKwYB BQUHMAGGJGh0dHA6Ly9wa2kxLmV4YW1wbGUuY29tOjgwODAvY2Evb2NzcA== [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_seq_num$ value=0 [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profilesetid$ value=caCertSet [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name.uid$ value= [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileremoteaddr$ 
value=10.65.207.97
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.requesttype$ value=enrollment
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_extensions$ value=oyMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxg==
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.req_subject_name$ value=MEwxEDAOBgNVBAoTB0VYQU1QTEUxFzAVBgNVBAsTDnRvcG9sb2d5LUNBLUVYMR8w HQYDVQQDExZDQSBTaWduaW5nIENlcnRpZmljYXRl
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.bodypartid$ value=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: key=$request.profileremotehost$ value=10.65.207.97
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit: begins
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit: popChallengeRequired =false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile: submit: auth token is not null
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: cert subject name:CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event PROFILE_CERT_REQUEST
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: validate start on setId=caCertSet
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate cert subject =CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate() - sn500 dname = CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SubjectNameConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: not before: Wed Nov 29 01:00:10 IST 2017
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: not after: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: range: 7304
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: range unit: day
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: limit: Sat Nov 28 01:00:10 IST 2037
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ValidityConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint.validate: RSA key contraints passed.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicConstraintsExtConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicConstraintsExtConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyUsageExtConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: KeyUsageExtConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SigningAlgConstraint: validate start
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SigningAlgConstraint: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: change to pending state
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: BasicProfile: validate end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: EnrollProfile.validate: end
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAEnrollProfile: execute request ID 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: issueX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: dnUTF8Encoding false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CertificateRepository: getNextSerialNumber mEnableRandomSerialNumbers=false
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: in getNextSerialNumber.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: checkRange mLastSerialNo=9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Repository: getNextSerialNumber: returning retSerial 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: About to ca.sign cert.
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert get algorithm
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert encoding cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: sign cert encoding algorithm
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CA cert signing: signing cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: Signing Certificate
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: storeX509Cert 9
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In storeX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: done storeX509Cert
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event CERT_REQUEST_PROCESSED
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: In LdapBoundConnFactory::getConn()
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: masterConn is connected: true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: conn is connected true
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: getConn: mNumConns now 2
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: returnConn: mNumConns now 3
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ARequestNotifier notify mIsPublishingQueueEnabled=false mMaxThreads=1
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: done serving
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: begins with cert_request_type=cmc
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: processing cmc
[29/Nov/2017:01:00:10][http-bio-8443-exec-1]:
CMCOutputTemplate: createFullResponse: error_codes[0]=0 [29/Nov/2017:01:00:10][Thread-13]: RunListeners:: noQueue SingleRequest [29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener [29/Nov/2017:01:00:10][Thread-13]: CertificateIssuedListener: accept 9 [29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener [29/Nov/2017:01:00:10][Thread-13]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener [29/Nov/2017:01:00:10][Thread-13]: RunListeners: noQueue SingleRequest [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: after new ResponseBody, respBody not null [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: begins [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: - done [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMCOutputTemplate: createFullResponse: ends [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: CMSServlet: curDate=Wed Nov 29 01:00:10 IST 2017 id=caProfileSubmitCMCFull time=860 [29/Nov/2017:01:00:10][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED ==================================================== CMC Response output: [root@pki1 test]# CMCResponse -i ca_signing-cmc-response.bin -o ca_signing.crty Certificates: Certificate: Data: Version: v3 Serial Number: 0x35B0 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=Root CA Signing Certificate,O=ROOT Validity: Not Before: Tuesday, November 28, 2017 4:59:52 PM IST Asia/Kolkata Not After: Wednesday, February 28, 2018 4:59:52 PM IST Asia/Kolkata Subject: CN=Root CA Signing Certificate,O=ROOT Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits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xtensions: Identifier: 1.3.6.1.5.5.7.1.1 
Critical: no Value: 30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D: 68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74: 3A:38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Signature: Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Signature: 6B:BE:A5:87:D7:25:3E:9B:6D:83:41:70:47:8E:BB:36: 3B:44:AF:98:38:EF:4C:49:1D:8A:A8:CF:DB:9F:43:B6: 82:D4:3B:B9:E3:F3:62:F1:95:39:D1:01:0C:D0:6A:07: 6E:6E:86:75:10:F4:BC:DE:D8:C0:74:DE:C9:88:DB:20: 43:49:51:8E:93:40:3F:B8:19:8E:1F:D7:EE:9F:FB:63: 2E:C8:24:5A:14:C0:62:41:FE:F1:44:E3:5B:5A:17:5F: 3B:59:BC:9F:C2:33:F1:11:32:2F:E2:F4:2C:03:15:D4: F4:BF:2F:90:F7:75:DD:D8:DB:3B:48:DB:93:24:0A:A2: 83:75:8B:D3:C2:42:C5:78:C8:04:33:9E:56:AE:F0:8E: 64:A5:CA:49:4B:7B:B2:DD:33:83:E5:F4:A6:3D:62:6B: 43:4D:4E:2D:96:88:76:8C:85:AC:85:38:44:63:3B:C4: F1:B3:A4:2B:02:8F:40:17:EC:C4:1C:5F:9E:66:1B:A9: 58:AF:79:5F:5B:1A:E8:08:07:1D:8B:9A:F5:73:BE:98: 4F:A8:A3:78:B9:C8:A6:40:81:C6:18:3F:6C:AD:4C:35: B8:09:93:70:CE:40:B4:E2:20:3E:AE:20:4D:43:D8:7D: F4:DB:CC:E5:18:AE:46:6A:A3:34:6D:7B:32:2E:6E:5B FingerPrint MD2: E2:C9:97:BB:6D:83:42:DE:06:ED:0E:65:1E:15:89:CC MD5: 66:A4:E0:BB:DA:9E:06:E5:07:E6:45:82:BB:F6:6F:6E SHA-1: FA:97:4F:FB:FF:24:CE:69:41:69:79:FC:E5:2C:AF:C6: 9A:47:66:B9 SHA-256: C1:7A:B7:6E:7F:A3:C1:63:7A:C0:42:62:A8:6E:BE:84: A3:C5:7B:19:49:FB:12:95:60:63:4F:2F:7B:2D:1C:D0 SHA-512: 59:1E:AA:15:C6:0F:C2:F8:20:34:4F:FF:F8:C7:07:0E: 9E:65:A2:A9:BF:52:4F:97:FB:BE:7D:97:17:D1:55:37: E4:A9:FD:27:76:18:6A:26:D4:63:89:67:B5:4B:F3:67: D5:12:EE:B4:04:6F:0C:E2:60:3C:13:E9:A3:B5:D8:EA 
Certificate: Data: Version: v3 Serial Number: 0x5E08 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=Root CA Signing Certificate,O=ROOT Validity: Not Before: Tuesday, November 28, 2017 4:59:53 PM IST Asia/Kolkata Not After: Wednesday, February 28, 2018 4:59:53 PM IST Asia/Kolkata Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits) : D2:72:AA:90:79:54:DF:C8:0E:F2:CD:D6:A3:25:2E:15: BA:FB:AF:8A:D9:A6:9B:0B:E5:3D:41:76:3C:75:84:ED: 06:67:F9:AE:C9:B8:69:AF:7F:0C:2F:D8:5F:03:19:22: 48:16:6F:68:AB:5E:0E:CA:3E:21:F1:1C:18:CF:5F:F0: 87:6C:61:A0:5D:8F:A5:37:EB:0A:87:1C:53:07:0D:25: 49:76:14:D0:04:00:17:A2:2C:94:E2:96:8F:8C:16:9C: A0:E7:78:51:76:3B:DC:F0:CF:D0:BF:28:4D:7B:2F:1D: 3C:F6:9B:5A:FB:4A:40:01:6F:3E:67:25:D0:2A:5C:A7: 56:D9:9C:4F:DC:D0:E8:A7:72:20:5A:83:B5:3C:E5:EC: 53:5F:BA:55:22:23:7F:B4:1D:E9:02:26:0E:3D:16:B1: 17:90:DF:BB:04:E1:60:9F:CC:E2:5E:85:AE:E7:61:33: 1B:60:7A:F9:CD:FC:9C:37:37:60:2A:45:E6:0B:08:22: B9:F2:25:1A:71:13:18:2F:F4:B5:89:A9:C2:BA:6B:EC: 51:42:26:45:0D:CB:99:45:51:9C:3D:76:86:74:CE:84: 88:B3:DF:2A:D6:90:39:CE:FD:A1:88:7C:26:5C:47:3C: D7:A8:F4:07:8C:64:09:F4:18:70:F1:9C:DF:85:0D:05 Extensions: Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D: 68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74: 3A:38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38: 35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36: 65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38: 35:36:34:35:33:34:32:36:37:38:39:30:31 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 
2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Signature: Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Signature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ingerPrint MD2: 54:F5:66:00:69:4D:B1:6C:4E:6D:87:30:A3:75:E2:74 MD5: 28:F8:D7:EC:A1:A6:B0:7C:54:EE:B7:60:5F:93:CD:C8 SHA-1: F0:FF:AF:CD:52:59:00:14:80:9E:23:0F:AE:E2:D9:1F: 63:95:FE:F3 SHA-256: 6A:2A:91:FD:61:E9:A0:EC:3C:90:D2:39:FC:57:75:0F: 1F:13:42:C3:02:10:44:FC:10:15:20:7C:50:54:1C:5D SHA-512: 8E:9A:89:45:07:AD:1D:85:1B:EB:E8:49:39:58:7B:EB: 91:26:6E:07:4F:9E:A2:93:66:55:7A:7A:E3:25:0C:56: F6:CB:26:36:4D:7D:B3:89:14:0D:AE:60:CF:7B:97:1B: 68:DE:31:27:3D:6A:62:DC:F7:DA:25:83:87:74:15:74 Certificate: Data: Version: v3 Serial Number: 0x9 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Validity: Not Before: Wednesday, November 29, 2017 1:00:10 AM IST Asia/Kolkata Not After: Saturday, November 28, 2037 1:00:10 AM IST Asia/Kolkata Subject: CN=CA Signing Certificate,OU=topology-CA-EX,O=EXAMPLE Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits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xtensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38: 35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36: 65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38: 35:36:34:35:33:34:32:36:37:38:39:30:31 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: C3:4B:41:A4:F7:7A:39:15:BA:87:C5:88:08:D6:73:A8: CF:28:9C:BB Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:32:30:30:06:08:2B:06:01:05:05:07:30:01:86:24: 
68:74:74:70:3A:2F:2F:70:6B:69:31:2E:65:78:61:6D: 70:6C:65:2E:63:6F:6D:3A:38:30:38:30:2F:63:61:2F: 6F:63:73:70 Signature: Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Signature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ingerPrint MD2: 0E:3E:0E:83:C2:84:9A:B5:B9:31:91:E0:77:7F:19:25 MD5: 4D:19:40:98:37:2F:BB:AD:96:05:32:FE:6A:81:80:C4 SHA-1: 27:19:AB:29:5C:1D:47:19:70:DF:DF:CF:64:EE:28:18: F1:10:A4:56 SHA-256: 55:29:03:74:46:9B:90:8F:93:C7:5A:65:5D:58:65:E2: D9:E8:C3:B8:00:52:56:FC:CE:5C:8E:C1:E9:B6:D4:E8 SHA-512: 12:3C:A3:57:50:23:3B:CB:8F:2E:25:F6:35:49:72:B0: A6:04:7B:52:AA:36:0B:ED:19:31:54:87:F5:EE:25:65: 8B:7F:60:F5:FA:53:54:B3:6D:D0:74:EF:BB:F3:0F:66: BE:EF:C9:86:6A:45:40:30:C4:80:8A:97:E9:3B:C1:02 Number of controls is 1 Control #0: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 1 Status: SUCCESS
Quick observation is that CAValidityConstraint doesn't seem to kick in. I just looked into the profile caCMCcaCert.cfg. Geetika, could you try changing caCMCcaCert.cfg so that the following is caValidityDefaultImpl instead?

policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.name=Validity Constraint
policyset.caCertSet.2.constraint.params.range=7305
policyset.caCertSet.2.constraint.params.notBeforeCheck=false
policyset.caCertSet.2.constraint.params.notAfterCheck=false

If that works, then it could be a potential quick fix.
I tried the suggested steps: 1. I opened caCMCcaCert.cfg of ExternalCA. 2. I did below change: #policyset.caCertSet.2.constraint.class_id=validityConstraintImpl policyset.caCertSet.2.constraint.class_id=caValidityDefaultImpl 3. Restart the ExternalCA instance. 4. Now i did step1 installation for ExternalCA1. 5. perform the cmc request. 6. Send HttpClient cert request to ExternalCA. 7. Check the CMC response. CMCResponse: [root@pki1 test]# CMCResponse -i ca_signing-cmc-response.bin -o ca_signing.crty Certificates: Certificate: Data: Version: v3 Serial Number: 0x35B0 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=Root CA Signing Certificate,O=ROOT Validity: Not Before: Tuesday, November 28, 2017 4:59:52 PM IST Asia/Kolkata Not After: Wednesday, February 28, 2018 4:59:52 PM IST Asia/Kolkata Subject: CN=Root CA Signing Certificate,O=ROOT Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits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xtensions: Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D: 68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74: 3A:38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Signature: Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Signature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ingerPrint MD2: E2:C9:97:BB:6D:83:42:DE:06:ED:0E:65:1E:15:89:CC MD5: 66:A4:E0:BB:DA:9E:06:E5:07:E6:45:82:BB:F6:6F:6E SHA-1: 
FA:97:4F:FB:FF:24:CE:69:41:69:79:FC:E5:2C:AF:C6: 9A:47:66:B9 SHA-256: C1:7A:B7:6E:7F:A3:C1:63:7A:C0:42:62:A8:6E:BE:84: A3:C5:7B:19:49:FB:12:95:60:63:4F:2F:7B:2D:1C:D0 SHA-512: 59:1E:AA:15:C6:0F:C2:F8:20:34:4F:FF:F8:C7:07:0E: 9E:65:A2:A9:BF:52:4F:97:FB:BE:7D:97:17:D1:55:37: E4:A9:FD:27:76:18:6A:26:D4:63:89:67:B5:4B:F3:67: D5:12:EE:B4:04:6F:0C:E2:60:3C:13:E9:A3:B5:D8:EA Certificate: Data: Version: v3 Serial Number: 0x5E08 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=Root CA Signing Certificate,O=ROOT Validity: Not Before: Tuesday, November 28, 2017 4:59:53 PM IST Asia/Kolkata Not After: Wednesday, February 28, 2018 4:59:53 PM IST Asia/Kolkata Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Public Key: Exponent: 65537 Public Key Modulus: (2048 bits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xtensions: Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:2B:30:29:06:08:2B:06:01:05:05:07:30:01:86:1D: 68:74:74:70:3A:2F:2F:6C:6F:63:61:6C:68:6F:73:74: 3A:38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 30:78:31:31:30:62:39:37:62:32:32:66:37:38:65:38: 35:65:30:62:33:64:65:35:38:30:61:38:39:33:61:36: 65:30:31:64:64:64:66:32:63:34:37:38:39:36:37:38: 35:36:34:35:33:34:32:36:37:38:39:30:31 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: F7:38:A0:50:E0:FF:8E:10:78:C8:FD:7A:C7:5F:F0:A2: BA:39:70:72 Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Signature: Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Signature: 02:22:BB:5B:E2:F2:BD:C6:8F:43:BF:56:F8:02:72:D1: 50:EF:50:16:C3:F0:2A:6A:AA:4D:33:0C:95:72:EE:6C: 28:F5:BF:80:BF:CC:8D:84:BC:70:CC:43:2A:AA:74:23: 3F:F1:A7:1C:42:AA:DE:8E:D4:A2:81:8B:66:92:2B:65: 
FF:2D:5C:16:92:67:5E:C5:A9:61:29:E2:C9:A2:24:38: 8F:4D:61:8C:FD:BF:51:9D:2A:43:D4:94:D7:A6:C1:3F: A3:57:43:A6:DD:AE:A8:A9:D2:C9:F1:E7:0D:18:B3:01: 8F:F2:FC:E6:51:16:EA:82:64:1A:C1:34:74:90:1A:49: 64:D3:A3:76:8C:2A:71:E6:89:35:1D:7D:1E:5F:2F:03: 14:08:EB:72:F7:21:60:E1:2C:0C:76:84:45:F1:62:37: 56:6D:65:B3:3F:84:F6:0F:A1:E7:AA:E4:D4:A1:57:55: 78:2F:09:D6:17:D7:AA:9E:FD:34:90:46:41:7D:32:EC: 01:41:3A:D6:4D:8B:FC:37:A1:04:93:B4:9C:B6:85:D5: 31:EF:6B:52:D0:A5:6F:50:31:03:D3:D1:D0:CD:3F:20: F6:28:87:30:73:42:90:E8:9A:68:44:DB:9E:76:EA:5E: DC:BC:A6:1B:85:97:96:F1:9C:97:2D:E6:18:F9:94:51 FingerPrint MD2: 54:F5:66:00:69:4D:B1:6C:4E:6D:87:30:A3:75:E2:74 MD5: 28:F8:D7:EC:A1:A6:B0:7C:54:EE:B7:60:5F:93:CD:C8 SHA-1: F0:FF:AF:CD:52:59:00:14:80:9E:23:0F:AE:E2:D9:1F: 63:95:FE:F3 SHA-256: 6A:2A:91:FD:61:E9:A0:EC:3C:90:D2:39:FC:57:75:0F: 1F:13:42:C3:02:10:44:FC:10:15:20:7C:50:54:1C:5D SHA-512: 8E:9A:89:45:07:AD:1D:85:1B:EB:E8:49:39:58:7B:EB: 91:26:6E:07:4F:9E:A2:93:66:55:7A:7A:E3:25:0C:56: F6:CB:26:36:4D:7D:B3:89:14:0D:AE:60:CF:7B:97:1B: 68:DE:31:27:3D:6A:62:DC:F7:DA:25:83:87:74:15:74 Number of controls is 1 Control #0: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 0 Status String: Profile caCMCcaCert Not Found OtherInfo type: FAIL failInfo=internal ca error ERROR: CMC status for [0]: failed ============================================= Debug logs when cmc request input is sent to ExternalCA: ------------------------------------------------------- [29/Nov/2017:09:49:58][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH [29/Nov/2017:09:49:58][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}. [29/Nov/2017:09:49:58][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCFull is LDAP based, not XML {1}, use default authz mgr: {2}. 
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet::service() param name='profileId' value='caCMCcaCert'
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMSServlet: caProfileSubmitCMCFull start to service.
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet Input Parameter profileId='caCMCcaCert'
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: start serving
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: ProfileSubmitCMCServlet: profileId caCMCcaCert
[29/Nov/2017:09:49:58][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: begins
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: CMCOutputTemplate: getContentInfo: - done
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: CMSServlet: curDate=Wed Nov 29 09:49:59 IST 2017 id=caProfileSubmitCMCFull time=102
[29/Nov/2017:09:49:59][http-bio-8443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

8. So it looks like it could not get the profile for caCMCcaCert.
9. I checked the CS.cfg, but I could see that profile in the list.
[root@pki1 test]# grep -i "caCMCcaCert" /etc/pki/pki-tomcat/ca/CS.cfg
profile.caCMCcaCert.class_id=caEnrollImpl
profile.caCMCcaCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caCMCcaCert.cfg
profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
List of packages that are installed in the machine:

[root@pki1 ~]# rpm -qa pki-ca
pki-ca-10.5.1-1.el7.noarch

[root@pki1 ~]# rpm -qa pki-*
pki-core-debuginfo-10.4.1-17.el7_4.x86_64
pki-tools-10.5.1-1.el7.x86_64
pki-ocsp-10.5.1-1.el7pki.noarch
pki-kra-10.5.1-1.el7.noarch
pki-console-10.5.1-1.el7pki.noarch
pki-tps-10.5.1-1.el7pki.x86_64
pki-javadoc-10.4.1-17.el7_4.noarch
pki-base-java-10.5.1-1.el7.noarch
pki-ca-10.5.1-1.el7.noarch
pki-base-10.5.1-1.el7.noarch
pki-symkey-10.5.1-1.el7.x86_64
pki-server-10.5.1-1.el7.noarch
pki-tks-10.5.1-1.el7pki.noarch
It appears that CAValidityConstraint is not in the config by default. Let's try the following to see if it's still supported:

In registry.cfg, add:
constraintPolicy.caValidityConstraintImpl.class=com.netscape.cms.profile.constraint.CAValidityConstraint
constraintPolicy.caValidityConstraintImpl.desc=CA Validity Constraint
constraintPolicy.caValidityConstraintImpl.name=CA Validity Constraint

Find constraintPolicy.ids= and add to the list: caValidityConstraintImpl

In caCMCcaCert.cfg replace the line:
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
with
policyset.caCertSet.2.constraint.class_id=caValidityConstraintImpl

Restart the server.
Pushed to Dogtag master https://pagure.io/dogtagpki/issue/2861#comment-482371
Test Env:
========
pki-ca-10.5.1-7.el7.noarch

Test Steps:
===========
1. Make sure we have a CA installed.
2. Use the CMC profile for certificate signing. Make sure it does not create a certificate with expiry >= the parent CA expiry date.
3. This needs to be set manually in the caCMCcaCert profile.
4. Make sure the profile has policyset.caCertSet.2.default.class_id=caValidityDefaultImpl.

Note:
====
I was thinking of a practical scenario.
1. I have a rootCA installed (expiry 7305 days), so it will expire, say, on 20 Jan 2038.
2. After 10 days I thought of installing another CA signed by the RootCA.
3. I choose the CMC way of getting my certs signed.
4. Installation will fail because the profile expiry will be 30 Jan 2038.
5. This will fail because its expiry > RootCA expiry, which is correct.

Question: In this case, does the user have to change the profile every time before they sign a SubCA or ExternalCA certificate?

--- A ticket already exists for it: https://pagure.io/dogtagpki/issue/2912
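The scenario in the note above (a root CA valid for 7305 days, a sub-CA requested 10 days later with the same 7305-day range), as an added worked example. This is illustrative Python written for this page, not Dogtag's CAValidityConstraint or CAValidityDefault code; the dates, DNs and function names are constructed assumptions. It contrasts the two policy behaviours discussed in the thread, a constraint that rejects a notAfter past the issuing CA's notAfter and a default that clamps it, and adds a chain check of the kind a verifier applies: a subordinate certificate must sit inside its issuer's validity window, which is what the "CA cert issuance past CA's NOT_AFTER" log line above is warning about.

```python
"""CA validity policy, illustrative only (not Dogtag code).

A profile can react in two ways when a requested notAfter would outlive the
issuing CA's own certificate:
  * constraint semantics reject the request (the caValidityConstraintImpl idea);
  * default semantics clamp notAfter to the CA's notAfter (the caValidityDefaultImpl idea).
All dates and DNs below are constructed from the scenario in the comment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class CertValidity:
    """The subset of an X.509 certificate that matters for validity nesting."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


class CAValidityError(ValueError):
    """Raised when a requested validity would extend past the issuing CA's."""


def requested_not_after(not_before: datetime, range_days: int) -> datetime:
    """notAfter a profile computes from its 'range' parameter (days)."""
    return not_before + timedelta(days=range_days)


def apply_validity_constraint(ca: CertValidity, not_after: datetime) -> datetime:
    """Constraint semantics: refuse to issue if notAfter passes the CA's notAfter."""
    if not_after > ca.not_after:
        raise CAValidityError(
            f"requested notAfter {not_after:%Y-%m-%d} is past CA notAfter "
            f"{ca.not_after:%Y-%m-%d}")
    return not_after


def apply_validity_default(ca: CertValidity, not_after: datetime) -> datetime:
    """Default semantics: silently clamp notAfter to the CA's notAfter."""
    return min(not_after, ca.not_after)


def chain_nesting_problems(chain: List[CertValidity]) -> List[str]:
    """Walk a leaf-first chain and report every certificate whose validity is
    not contained in its issuer's; an empty list means the chain nests cleanly."""
    problems = []
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            problems.append(f"{cert.subject}: issuer mismatch ({cert.issuer} != {issuer.subject})")
        if cert.not_before < issuer.not_before or cert.not_after > issuer.not_after:
            problems.append(f"{cert.subject}: validity exceeds issuer {issuer.subject}")
    return problems


# Constructed scenario: root CA valid 7305 days from 20 Jan 2018 (so until 20 Jan 2038),
# sub-CA requested 10 days later with the same 7305-day range (so until 30 Jan 2038).
ROOT = CertValidity("CN=Root CA Signing Certificate,O=ROOT",
                    "CN=Root CA Signing Certificate,O=ROOT",
                    datetime(2018, 1, 20),
                    requested_not_after(datetime(2018, 1, 20), 7305))
SUBCA_NOT_BEFORE = datetime(2018, 1, 30)
SUBCA_REQUESTED_NOT_AFTER = requested_not_after(SUBCA_NOT_BEFORE, 7305)


def scenario() -> Dict[str, object]:
    """Run both policies on the scenario and check the chain each would produce."""
    try:
        apply_validity_constraint(ROOT, SUBCA_REQUESTED_NOT_AFTER)
        constraint_result = "accepted"
    except CAValidityError as exc:
        constraint_result = f"rejected: {exc}"
    clamped = apply_validity_default(ROOT, SUBCA_REQUESTED_NOT_AFTER)
    subca_clamped = CertValidity("CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE",
                                 ROOT.subject, SUBCA_NOT_BEFORE, clamped)
    subca_unclamped = CertValidity(subca_clamped.subject, ROOT.subject,
                                   SUBCA_NOT_BEFORE, SUBCA_REQUESTED_NOT_AFTER)
    return {
        "root_not_after": ROOT.not_after,
        "subca_requested_not_after": SUBCA_REQUESTED_NOT_AFTER,
        "constraint": constraint_result,
        "default_not_after": clamped,
        "unclamped_chain_problems": chain_nesting_problems([subca_unclamped, ROOT]),
        "clamped_chain_problems": chain_nesting_problems([subca_clamped, ROOT]),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With the constraint in place the request from the note is refused outright, which is the behaviour the reporter calls correct; with the default in place the sub-CA is issued with notAfter pulled back to 20 Jan 2038, so the operator does not have to edit the profile range before every subordinate-CA signing. The chain check is the reason either is needed: a certificate that outlives its issuer will not validate as a chain no matter how it was signed.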
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925