I will enable CERT_STATUS_CHANGE_REQUEST_PROCESSED by default.
patch cherry-picked from DOGTAG_10_5_BRANCH
commit 2609383417755d81419cc6f53d1d9853fdc906df (HEAD -> master, origin/master, origin/HEAD, bug-1601071-CMCSelfSigned-master)
Author: Christina Fu <firstname.lastname@example.org>
Date: Mon Jul 30 17:15:09 2018 -0700
Bug 1601071 Certificate generation happens with partial attributes in CMCRequest file
This patch addresses the issue where when a cmcSelfSisnged profile is used
in a cmcUserSigned case, the certificate is issued.
A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
In additional, all profiles that authenticate through CMCUserSignedAuth are
turned off by default to allow site administrators to make conscious decision
on their own for these features.
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
I saw that you have changed enable=true to enable=false so bydefault it is disabled and when i try to use this profile i need to enable it before using it with httpclient. Not sure if it is expected?
refer : https://review.gerrithub.io/c/dogtagpki/pki/+/421026/1/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
Marking this bug verified.I will ask/raise a new bug if Christina feels Comment7 looks like an issue and customer might need it.
(In reply to Geetika Kapoor from comment #7)
> Hi Christina,
> I saw that you have changed enable=true to enable=false so bydefault it is
> disabled and when i try to use this profile i need to enable it before using
> it with httpclient. Not sure if it is expected?
The answer is in comment #4. I'll make sure the install guide mentions to enable this before using. thanks.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.