cmp.properties parameters to enable cmp RA mode

Help
2013-07-29
2013-07-30
  • Enrico Lacaria

    Enrico Lacaria - 2013-07-29

    Hi

    I set the following parameters in cmp.properties:

    cmp.operationmode=ra
    cmp.allowraverifypopo=true
    cmp.responseprotection=pbe
    cmp.ra.authenticationsecret=password
    cmp.ra.namegenerationscheme=DN
    cmp.ra.namegenerationparameters=CN

    cmp.ra.namegenerationprefix=cmp
    cmp.ra.namegenerationpostfix=

    cmp.ra.endentityprofile=ServerWeb
    cmp.ra.certificateprofile=ServerWeb
    cmp.ra.caname=Example Server CA

    • After modifying parameters in cmp.properties
      I rebuilt all with the command "ant build deploy", successfully ended.
    • My (sub)CA is named "Example Server CA"
    • I've got an end-entity profile named "ServerWeb"
    • I've got a certificate profile also named "ServerWeb"
    • The CA correctly produces certificates from .CSR,
      before and after I modified the above parameters.

    My goal is:

    • allow certificate from CSR to be produced
      without the need to specify a previously existent user and password.

    • a new end entity is automatically created for each new certificate, identified
      by the CN extracted from the DN of the CSR.

    I expected, (after setting parameters in cmp.properties),
    that both or at least the second of the above conditions
    would be verified, or, in other words:

    • I CAN CREATE CERTIFICATE FROM CSR
      WITHOUT HAVING TO SPECIFY AN EXISTENT USER AND PASSWORD

    or, at least that

    • SPECIFYING ALWAYS THE SAME EXISTENT USER AND PASSWORD,
      A NEW USER BE CREATED IDENTIFIED BY the CN EXTRACTED from
      the DN of the CSR.

    If I try to submit CSR without an existent user and password,
    the following message is issued:
    "Non existent username. To generate a certificate a valid username and password must be supplied"

    This sounds to be obvious but, when I supply a valid username and password,
    and the certificate is correctly generated, anyway
    NO NEW END ENTITY IS CREATED.

    My question is:

    Have I misunderstood the functionality of the modified parameters?

    Or else

    What is my mistake?

    Thank you very much

    Enrico Lacaria

     
    • Aveen Ismail

      Aveen Ismail - 2013-07-30

      Hi Enrico,

      Your configuration of CMP is correct. However, the request does not seem to be coming through CMP but through the public web browser. How exactly do you submit the CSR?

       
  • Enrico Lacaria

    Enrico Lacaria - 2013-07-30

    You are right, I submitted request through public web interface.
    I copy and paste the request or select the csr files in

    Enroll --> Create Certificate from CSR.

    I suspected that I didn't understand something important.
    Can you please tell me how to submit the request correctly or just
    give me a link to an example procedure to use CMP?

    Thank you very much

     
    • Aveen Ismail

      Aveen Ismail - 2013-07-30

      In www.ejbca.org/adminguide.html you can find a section about CMP. There you can find some more detailed information about how CMP works and what is supported/implemented in Ejbca. If you scroll down within this section, you can also find Java code samples of how to construct and send a CMP request and also a list of third-party software that can be used to send CMP requests to Ejbca.

      The documentation in www.ejbca.org concerns the latest available version of Ejbca. To get the documentation specific to your version of Ejbca, run "ant doc" from the Ejbca catalog.

      Let me know how it goes!

       
      Last edit: Aveen Ismail 2013-07-30
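
Added example, not part of the thread and not EJBCA code: a Python check over the cmp.properties settings posted above that flags the guessable RA shared secret (in RA mode it is what authenticates enrollment requests) and shows the end-entity username the DN/CN name generation would yield. It assumes the username is prefix + CN + postfix; the function names, the 16-character threshold, the weak-secret list and the sample DN are constructed for illustration.

```python
import re

# Settings copied from the first post of the thread.
POSTED = """\
cmp.operationmode=ra
cmp.allowraverifypopo=true
cmp.responseprotection=pbe
cmp.ra.authenticationsecret=password
cmp.ra.namegenerationscheme=DN
cmp.ra.namegenerationparameters=CN
cmp.ra.namegenerationprefix=cmp
cmp.ra.namegenerationpostfix=
cmp.ra.endentityprofile=ServerWeb
cmp.ra.certificateprofile=ServerWeb
cmp.ra.caname=Example Server CA
"""
WEAK_SECRETS = {"password", "changeit", "secret"}  # constructed sample list
REQUIRED = ("cmp.ra.endentityprofile", "cmp.ra.certificateprofile", "cmp.ra.caname")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings for an RA-mode configuration (thresholds are this example's)."""
    findings = []
    if props.get("cmp.operationmode") != "ra":
        findings.append("not in RA mode")
    secret = props.get("cmp.ra.authenticationsecret", "")
    if len(secret) < 16 or secret.lower() in WEAK_SECRETS:
        findings.append("weak RA shared secret")
    findings += ["missing " + key for key in REQUIRED if not props.get(key)]
    return findings

def generated_username(props, subject_dn):
    """Assumed scheme: prefix + named DN field + postfix (no escaped commas handled)."""
    field = props["cmp.ra.namegenerationparameters"]
    match = re.search(r"(?:^|,)\s*%s=([^,]+)" % re.escape(field), subject_dn, re.I)
    if match is None:
        raise ValueError("DN has no %s component" % field)
    prefix = props.get("cmp.ra.namegenerationprefix", "")
    return prefix + match.group(1).strip() + props.get("cmp.ra.namegenerationpostfix", "")
```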
