981330
From 53eec401f222178ff2ac34fd6223b121f485969d Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Fri, 12 Aug 2016 02:23:18 +0200
981330
Subject: [PATCH 01/10] Removed PKCS #7 from add user cert dialog in TPS UI.
981330
981330
The dialog box for adding user certificate in TPS UI has been
981330
modified to no longer mention PKCS #7. The REST service itself
981330
still accepts PKCS #7, but it should be cleaned up in the future.
981330
981330
https://fedorahosted.org/pki/ticket/2437
981330
(cherry picked from commit d27d4600784acb49c42764d02835dedf3ee87227)
981330
(cherry picked from commit 2dae5f18fa5c68f7923b6b6691395790fb14791f)
981330
---
981330
 base/server/cms/src/org/dogtagpki/server/rest/UserService.java | 2 ++
981330
 base/tps/shared/webapps/tps/ui/user-certs.html                 | 2 +-
981330
 2 files changed, 3 insertions(+), 1 deletion(-)
981330
981330
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
981330
index 0893c4b..1f8e9fa 100644
981330
--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
981330
+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
981330
@@ -863,6 +863,8 @@ public class UserService extends PKIService implements UserResource {
981330
             }
981330
 
981330
             if (cert == null) {
981330
+                // TODO: Remove this code. Importing PKCS #7 is not supported.
981330
+
981330
                 // cert chain direction
981330
                 boolean assending = true;
981330
 
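Review bot: The added TODO says importing PKCS #7 is not supported, yet the branch under `if (cert == null)` still runs, so REST clients can keep submitting PKCS #7 data even though the dialog no longer mentions it. The comment should say that plainly and name the ticket, for example `// TODO (ticket 2437): PKCS #7 fallback is still reachable through the REST API; remove it or reject the input with BadRequestException.` The `if (cert == null)` block continues past the end of this hunk, so what the fallback does with the chain cannot be judged from here.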
981330
diff --git a/base/tps/shared/webapps/tps/ui/user-certs.html b/base/tps/shared/webapps/tps/ui/user-certs.html
981330
index 049583e..04593f3 100644
981330
--- a/base/tps/shared/webapps/tps/ui/user-certs.html
981330
+++ b/base/tps/shared/webapps/tps/ui/user-certs.html
981330
@@ -93,7 +93,7 @@
981330
                     <input name="userID" readonly="readonly">
981330
                     <label>Certificate</label>
981330
                     <textarea name="encoded" rows="20" cols="80"></textarea>
981330
-                    Enter a PEM certificate or PKCS #7 data.
981330
+                    Enter a PEM certificate.
981330
                 </fieldset>
981330
             
981330
             
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 3bfd5acb075751e429eeb8b46f17c624a5178a41 Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Fri, 12 Aug 2016 04:42:25 +0200
981330
Subject: [PATCH 02/10] Added cert validation error message in selftest log.
981330
981330
To help troubleshooting the selftest log has been modified to
981330
include the cert validation error message returned by JSS.
981330
981330
https://fedorahosted.org/pki/ticket/2436
981330
(cherry picked from commit 0fd31368d871c513c9833ca02bc08d15a48d6aa5)
981330
(cherry picked from commit 488303542161103cbbac6814dffd8818fccf455d)
981330
---
981330
 .../src/com/netscape/cms/selftests/common/SystemCertsVerification.java  | 2 +-
981330
 base/server/cmsbundle/src/LogMessages.properties                        | 2 +-
981330
 2 files changed, 2 insertions(+), 2 deletions(-)
981330
981330
diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
981330
index e4fc1cb..cc52f83 100644
981330
--- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
981330
+++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
981330
@@ -200,7 +200,7 @@ public class SystemCertsVerification
981330
         } catch (Exception e) {
981330
             String logMessage = CMS.getLogMessage(
981330
                     "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE",
981330
-                    getSelfTestName());
981330
+                    getSelfTestName(), e.getMessage());
981330
             mSelfTestSubsystem.log(logger, logMessage);
981330
             throw e;
981330
         }
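Review bot: `e.getMessage()` returns null for exceptions built without a message, and the new `{1}` placeholder would then presumably render as the text `null`, so the log line still says nothing about the cause. Passing the exception's string form keeps at least the class name: `getSelfTestName(), e.toString());`. The message text comes from the validation layer and goes into the selftest log verbatim, so it is worth confirming it cannot contain line breaks that would split one log entry into several. The enclosing `try` begins outside this hunk.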
981330
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
981330
index 12c580a..0bcbcc5 100644
981330
--- a/base/server/cmsbundle/src/LogMessages.properties
981330
+++ b/base/server/cmsbundle/src/LogMessages.properties
981330
@@ -2766,7 +2766,7 @@ SELFTESTS_PARAMETER_WAS_NULL={0}:  a self test parameter was null
981330
 SELFTESTS_MISSING_NAME={0}:  the self test property name {1} does not exist
981330
 SELFTESTS_MISSING_VALUES={0}:  the self test property name {1} contained no value(s)
981330
 SELFTESTS_INVALID_VALUES={0}:  the self test property name {1} contained invalid value(s)
981330
-SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure
981330
+SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure: {1}
981330
 SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS={0}: system certs verification success
981330
 SELFTESTS_CA_IS_NOT_PRESENT={0}:  CA is NOT present
981330
 SELFTESTS_CA_IS_NOT_INITIALIZED={0}:  CA is NOT yet initialized
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 6431cac7c8f6a4874249bf1ea8b287e1a9a9f0c3 Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Fri, 12 Aug 2016 23:06:24 +0200
981330
Subject: [PATCH 03/10] Added exception wrapper for invalid LDAP attribute
981330
 syntax.
981330
981330
The LDAPExceptionConverter has been modified to wrap LDAPException
981330
for invalid attribute syntax with BadRequestException.
981330
981330
https://fedorahosted.org/pki/ticket/833
981330
(cherry picked from commit 71acaed02642c618a729fbebbf7a7025684967a3)
981330
(cherry picked from commit 26aa8bd616148b5318b87817aafae926d1c375d2)
981330
---
981330
 .../src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java       | 6 ++++--
981330
 1 file changed, 4 insertions(+), 2 deletions(-)
981330
981330
diff --git a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
981330
index 88b1263..51a1109 100644
981330
--- a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
981330
+++ b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
981330
@@ -17,13 +17,13 @@
981330
 // --- END COPYRIGHT BLOCK ---
981330
 package com.netscape.certsrv.ldap;
981330
 
981330
-import netscape.ldap.LDAPException;
981330
-
981330
 import com.netscape.certsrv.base.BadRequestException;
981330
 import com.netscape.certsrv.base.ConflictingOperationException;
981330
 import com.netscape.certsrv.base.PKIException;
981330
 import com.netscape.certsrv.base.ResourceNotFoundException;
981330
 
981330
+import netscape.ldap.LDAPException;
981330
+
981330
 /**
981330
  * @author Endi S. Dewata
981330
  */
981330
@@ -39,6 +39,8 @@ public class LDAPExceptionConverter {
981330
             return new ResourceNotFoundException("No such attribute.", e);
981330
         case LDAPException.INVALID_DN_SYNTAX:
981330
             return new BadRequestException("Invalid DN syntax.", e);
981330
+        case LDAPException.INVALID_ATTRIBUTE_SYNTAX:
981330
+            return new BadRequestException("Invalid attribute syntax.", e);
981330
         case LDAPException.ENTRY_ALREADY_EXISTS:
981330
             return new ConflictingOperationException("Entry already exists.", e);
981330
         default:
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 90c6537038caa9a241d1c4123e1a642860a0aa5a Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Tue, 16 Aug 2016 00:15:15 +0200
981330
Subject: [PATCH 04/10] Removed misleading log in SelfTestSubsystem.
981330
981330
To avoid confusion, the isSelfTestCriticalAtStartup() and
981330
isSelfTestCriticalOnDemand() in SelfTestSubsystem have been
981330
modified to no longer log an error message if the selftest
981330
being checked does not exist in the corresponding property
981330
in CS.cfg.
981330
981330
https://fedorahosted.org/pki/ticket/2432
981330
(cherry picked from commit 6bfee0e46aee93e1255ecb5652d46348557664d5)
981330
(cherry picked from commit 422fc92597d80aa115efa59a592fbaf8851b243e)
981330
---
981330
 .../com/netscape/cmscore/selftests/SelfTestSubsystem.java  | 14 ++------------
981330
 1 file changed, 2 insertions(+), 12 deletions(-)
981330
981330
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
index ff938dd..8dc95cc 100644
981330
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
@@ -473,12 +473,7 @@ public class SelfTestSubsystem
981330
             }
981330
         }
981330
 
981330
-        // self test plugin instance property name is not present
981330
-        log(mLogger,
981330
-                CMS.getLogMessage(
981330
-                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
981330
-                        instanceFullName));
981330
-
981330
+        // self test undefined in selftests.container.order.onDemand
981330
         throw new EMissingSelfTestException(instanceFullName);
981330
     }
981330
 
981330
@@ -799,12 +794,7 @@ public class SelfTestSubsystem
981330
             }
981330
         }
981330
 
981330
-        // self test plugin instance property name is not present
981330
-        log(mLogger,
981330
-                CMS.getLogMessage(
981330
-                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
981330
-                        instanceFullName));
981330
-
981330
+        // self test undefined in selftests.container.order.startup
981330
         throw new EMissingSelfTestException(instanceFullName);
981330
     }
981330
 
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 561191eacd168ed3b75de0c502ee82a6517f4348 Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Tue, 16 Aug 2016 01:43:36 +0200
981330
Subject: [PATCH 05/10] Fixed SelfTestService.findSelfTests().
981330
981330
The SelfTestService.findSelfTests() has been modified to return
981330
all selftests defined in the CS.cfg.
981330
981330
https://fedorahosted.org/pki/ticket/2432
981330
(cherry picked from commit 4001335ed5105112c64c433a26272286ecf66196)
981330
(cherry picked from commit e860276fc5889aae40beda33ea523358fbe76911)
981330
---
981330
 .../common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java | 4 ++++
981330
 base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java    | 2 +-
981330
 .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++
981330
 3 files changed, 9 insertions(+), 1 deletion(-)
981330
981330
diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
981330
index c07b96a..a55c651 100644
981330
--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
981330
+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
981330
@@ -20,6 +20,8 @@
981330
 
981330
 package com.netscape.certsrv.selftests;
981330
 
981330
+import java.util.Collection;
981330
+
981330
 ///////////////////////
981330
 // import statements //
981330
 ///////////////////////
981330
@@ -68,6 +70,8 @@ public interface ISelfTestSubsystem
981330
     // ISelfTestSubsystem methods //
981330
     ////////////////////////////////
981330
 
981330
+    public Collection<String> getSelfTestNames();
981330
+
981330
     //
981330
     // methods associated with the list of on demand self tests
981330
     //
981330
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
981330
index e662ba9..9108a45 100644
981330
--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
981330
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
981330
@@ -113,7 +113,7 @@ public class SelfTestService extends PKIService implements SelfTestResource {
981330
 
981330
             // filter self tests
981330
             Collection<String> results = new ArrayList<String>();
981330
-            for (String name : subsystem.listSelfTestsEnabledOnDemand()) {
981330
+            for (String name : subsystem.getSelfTestNames()) {
981330
                 if (filter != null && !name.contains(filter)) continue;
981330
                 results.add(name);
981330
             }
981330
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
index 8dc95cc..d7d7a3a 100644
981330
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
981330
@@ -243,6 +243,10 @@ public class SelfTestSubsystem
981330
     // SelfTestSubsystem methods //
981330
     ///////////////////////////////
981330
 
981330
+    public Collection<String> getSelfTestNames() {
981330
+        return mSelfTestInstances.keySet();
981330
+    }
981330
+
981330
     //
981330
     // methods associated with the list of on demand self tests
981330
     //
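Review bot: `getSelfTestNames()` returns `mSelfTestInstances.keySet()` directly, which is a live view of the subsystem's registry if `mSelfTestInstances` is a `java.util` map (its declaration is outside the hunk). A caller could remove entries through it, and iterating it while the map changes can fail. Returning a snapshot avoids both: `return new ArrayList<String>(mSelfTestInstances.keySet());` (add the import if the file lacks it). The method also has no Javadoc here or on the `ISelfTestSubsystem` declaration; it should state that the result lists every configured self test, not only those enabled on demand or at startup, since `SelfTestService.findSelfTests()` now exposes that list over REST.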
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 15a6f83a651949af7ba7bfe8fc1b3626d064fa87 Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Thu, 18 Aug 2016 05:40:25 +0200
981330
Subject: [PATCH 06/10] Added debug messages for
981330
 ConfigurationUtils.handleCerts().
981330
981330
To help troubleshooting some debug messages have been added into
981330
ConfigurationUtils.handleCerts().
981330
981330
https://fedorahosted.org/pki/ticket/2436
981330
(cherry picked from commit 9aa6640e7e94a591343478ee806a6e6d4c9f81e8)
981330
(cherry picked from commit 4e5c8e53345d500bfa620267a8ae35df0e2973b6)
981330
---
981330
 .../cms/servlet/csadmin/ConfigurationUtils.java     | 21 ++++++++++++++++++++-
981330
 1 file changed, 20 insertions(+), 1 deletion(-)
981330
981330
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
index 7723665..3bd6d87 100644
981330
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
@@ -3153,6 +3153,9 @@ public class ConfigurationUtils {
981330
         String tokenname = config.getString("preop.module.token", "");
981330
 
981330
         if (cert.getType().equals("local") && b64.equals("...certificate be generated internally...")) {
981330
+
981330
+            CMS.debug("handleCerts(): processing local cert");
981330
+
981330
             String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype");
981330
             X509Key x509key = null;
981330
             if (pubKeyType.equals("rsa")) {
981330
@@ -3177,24 +3180,33 @@ public class ConfigurationUtils {
981330
                 CMS.debug("handleCerts(): nickname=" + nickname);
981330
 
981330
                 try {
981330
+                    CMS.debug("handleCerts(): deleting existing cert");
981330
                     if (certTag.equals("sslserver") && findBootstrapServerCert())
981330
                         deleteBootstrapServerCert();
981330
                     if (findCertificate(tokenname, nickname))
981330
                         deleteCert(tokenname, nickname);
981330
+
981330
+                    CMS.debug("handleCerts(): importing new cert");
981330
                     if (certTag.equals("signing") && subsystem.equals("ca"))
981330
                         CryptoUtil.importUserCertificate(impl, nickname);
981330
                     else
981330
                         CryptoUtil.importUserCertificate(impl, nickname, false);
981330
                     CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'");
981330
+
981330
                 } catch (Exception ee) {
981330
                     CMS.debug(ee);
981330
                     CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: "
981330
                             + ee.toString());
981330
                 }
981330
             }
981330
+
981330
         } else if (cert.getType().equals("remote")) {
981330
+
981330
+            CMS.debug("handleCerts(): processing remote cert");
981330
+
981330
             if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
981330
-                CMS.debug("handleCerts(): process remote...import cert");
981330
+
981330
+                CMS.debug("handleCerts(): deleting existing cert");
981330
                 String b64chain = cert.getCertChain();
981330
 
981330
                 try {
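Review bot: `CMS.debug("handleCerts(): deleting existing cert")` in the local branch is emitted before the `findBootstrapServerCert()` and `findCertificate()` checks, so the debug log records a deletion even when neither condition holds and nothing is removed. That is misleading when the log is later used to reconstruct what happened to the NSS database during installation. Either word it as `"handleCerts(): checking for existing cert"` or log inside each `if`, next to the actual delete call. The same unconditional message appears to be used in the remote branch of this hunk and in the final `else` branch of the @@ -3256 hunk. The method body extends beyond these hunks.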
981330
@@ -3207,6 +3219,7 @@ public class ConfigurationUtils {
981330
                     CMS.debug("ConfigurationUtils: update (remote): deleteCert Exception=" + e.toString());
981330
                 }
981330
 
981330
+                CMS.debug("handleCerts(): importing new cert");
981330
                 b64 = CryptoUtil.stripCertBrackets(b64.trim());
981330
                 String certs = CryptoUtil.normalizeCertStr(b64);
981330
                 byte[] certb = CryptoUtil.base64Decode(certs);
981330
@@ -3256,11 +3269,16 @@ public class ConfigurationUtils {
981330
                 CMS.debug("handleCerts(): b64 not set");
981330
                 return 1;
981330
             }
981330
+
981330
         } else {
981330
+            CMS.debug("handleCerts(): processing " + cert.getType() + " cert");
981330
+
981330
             b64 = CryptoUtil.stripCertBrackets(b64.trim());
981330
             String certs = CryptoUtil.normalizeCertStr(b64);
981330
             byte[] certb = CryptoUtil.base64Decode(certs);
981330
             X509CertImpl impl = new X509CertImpl(certb);
981330
+
981330
+            CMS.debug("handleCerts(): deleting existing cert");
981330
             try {
981330
                 if (certTag.equals("sslserver") && findBootstrapServerCert())
981330
                     deleteBootstrapServerCert();
981330
@@ -3271,6 +3289,7 @@ public class ConfigurationUtils {
981330
                 CMS.debug("handleCerts(): deleteCert Exception=" + ee.toString());
981330
             }
981330
 
981330
+            CMS.debug("handleCerts(): importing new cert");
981330
             try {
981330
                 if (certTag.equals("signing") && subsystem.equals("ca"))
981330
                     CryptoUtil.importUserCertificate(impl, nickname);
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 361eb16c8558f5be6cdb65ab412ab4f703a10bdc Mon Sep 17 00:00:00 2001
981330
From: Matthew Harmsen <mharmsen@redhat.com>
981330
Date: Fri, 19 Aug 2016 15:58:12 -0600
981330
Subject: [PATCH 07/10] pki-tools HEADER/FOOTER changes
981330
981330
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
981330
981330
(cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
981330
(cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)
981330
---
981330
 base/java-tools/src/com/netscape/cmstools/CMCEnroll.java    | 13 ++++++++-----
981330
 base/java-tools/src/com/netscape/cmstools/CMCRequest.java   |  4 ++--
981330
 base/java-tools/src/com/netscape/cmstools/CMCRevoke.java    | 11 ++++++-----
981330
 .../java-tools/src/com/netscape/cmstools/CRMFPopClient.java |  8 ++++++--
981330
 base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 11 +++++++----
981330
 5 files changed, 29 insertions(+), 18 deletions(-)
981330
981330
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
981330
index d13ed13..dc4b191 100644
981330
--- a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
981330
+++ b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
981330
@@ -79,8 +79,11 @@ public class CMCEnroll {
981330
     public static final String PR_REQUEST_PKCS10 = "PKCS10";
981330
 
981330
     public static final int ARGC = 4;
981330
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
981330
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
981330
+    public static final String HEADER = "-----BEGIN";
981330
+    public static final String TRAILER = "-----END";
981330
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
981330
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
981330
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
981330
 
981330
     void cleanArgs(String[] s) {
981330
 
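Review bot: `HEADER` and `TRAILER` keep their names but now hold only the prefixes `-----BEGIN` and `-----END`, with no comment saying so. Their uses are outside this hunk: an exact comparison would no longer match any input line, while a prefix or substring test now accepts every PEM label rather than only certificate requests. Add a comment such as `// Prefix only: matches both the legacy "NEW CERTIFICATE REQUEST" and the RFC 7468 "CERTIFICATE REQUEST" boundary lines`, and confirm the input parser still rejects a file of another PEM type. `CMCRequest` receives the same change in its hunk below.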
981330
@@ -434,10 +437,10 @@ public class CMCEnroll {
981330
                     return;
981330
                 }
981330
 
981330
-                System.out.println(HEADER);
981330
-                System.out.println(asciiBASE64Blob.toString() + TRAILER);
981330
+                System.out.println(RFC7468_HEADER);
981330
+                System.out.println(asciiBASE64Blob.toString() + RFC7468_TRAILER);
981330
                 try {
981330
-                    asciiBASE64Blob_str = HEADER + "\n" + asciiBASE64Blob_str.toString() + TRAILER;
981330
+                    asciiBASE64Blob_str = RFC7468_HEADER + "\n" + asciiBASE64Blob_str.toString() + RFC7468_TRAILER;
981330
                     outputBlob.write(asciiBASE64Blob_str.getBytes());
981330
                 } catch (IOException e) {
981330
                     System.out.println("CMCEnroll:  I/O error " +
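Review bot: The output is now framed with `RFC7468_HEADER` and `RFC7468_TRAILER`, i.e. the `CERTIFICATE REQUEST` label that RFC 7468 assigns to PKCS #10 requests. How `asciiBASE64Blob` is built is not visible in this hunk, but if it holds the agent-signed CMC request rather than a bare PKCS #10 structure, the label does not describe the payload and a strict consumer may parse it as the wrong type. A comment at the constants stating which structure is emitted would settle that. The trailer is also appended without a line break of its own, so the output relies on the blob already ending in a newline. The same lines appear in `CMCRevoke` in the @@ -224 hunk.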
981330
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
981330
index 167c461..1f508c3 100644
981330
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
981330
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
981330
@@ -97,8 +97,8 @@ public class CMCRequest {
981330
     public static final String PR_INTERNAL_TOKEN_NAME = "internal";
981330
 
981330
     public static final int ARGC = 1;
981330
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
981330
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
981330
+    public static final String HEADER = "-----BEGIN";
981330
+    public static final String TRAILER = "-----END";
981330
 
981330
     void cleanArgs(String[] s) {
981330
 
981330
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
981330
index 3f9d811..45c3f07 100644
981330
--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
981330
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
981330
@@ -69,8 +69,9 @@ import com.netscape.cmsutil.util.Utils;
981330
  */
981330
 public class CMCRevoke {
981330
     public static final int ARGC = 8;
981330
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
981330
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
981330
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
981330
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
981330
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
981330
     static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null,
981330
             pValue = null, cValue = null;
981330
 
981330
@@ -224,10 +225,10 @@ public class CMCRevoke {
981330
             return;
981330
         }
981330
 
981330
-        System.out.println(HEADER);
981330
-        System.out.println(asciiBASE64Blob + TRAILER);
981330
+        System.out.println(RFC7468_HEADER);
981330
+        System.out.println(asciiBASE64Blob + RFC7468_TRAILER);
981330
         try {
981330
-            asciiBASE64Blob = HEADER + "\n" + asciiBASE64Blob + TRAILER;
981330
+            asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER;
981330
             outputBlob.write(asciiBASE64Blob.getBytes());
981330
         } catch (IOException e) {
981330
             System.out.println("CMCSigning:  I/O error " +
981330
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
981330
index 76d8f51..450f950 100644
981330
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
981330
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
981330
@@ -101,6 +101,10 @@ public class CRMFPopClient {
981330
 
981330
     public boolean verbose;
981330
 
981330
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
981330
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
981330
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
981330
+
981330
     public static Options createOptions() {
981330
 
981330
         Options options = new Options();
981330
@@ -472,9 +476,9 @@ public class CRMFPopClient {
981330
 
981330
             StringWriter sw = new StringWriter();
981330
             try (PrintWriter out = new PrintWriter(sw)) {
981330
-                out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
981330
+                out.println(RFC7468_HEADER);
981330
                 out.println(request);
981330
-                out.println("-----END NEW CERTIFICATE REQUEST-----");
981330
+                out.println(RFC7468_TRAILER);
981330
             }
981330
             String csr = sw.toString();
981330
 
981330
diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
981330
index d1c787e..0a35827 100644
981330
--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
981330
+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
981330
@@ -71,6 +71,9 @@ import com.netscape.cmsutil.util.Utils;
981330
  * @version $Revision$, $Date$
981330
  */
981330
 public class PKCS10Client {
981330
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
981330
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
981330
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
981330
 
981330
     private static void printUsage() {
981330
         System.out.println(
981330
@@ -323,15 +326,15 @@ public class PKCS10Client {
981330
                 b64E = CryptoUtil.base64Encode(certReqb);
981330
             }
981330
 
981330
-            System.out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
981330
+            System.out.println(RFC7468_HEADER);
981330
             System.out.println(b64E);
981330
-            System.out.println("-----END NEW CERTIFICATE REQUEST-----");
981330
+            System.out.println(RFC7468_TRAILER);
981330
 
981330
             PrintStream ps = null;
981330
             ps = new PrintStream(new FileOutputStream(ofilename));
981330
-            ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
981330
+            ps.println(RFC7468_HEADER);
981330
             ps.println(b64E);
981330
-            ps.println("-----END NEW CERTIFICATE REQUEST-----");
981330
+            ps.println(RFC7468_TRAILER);
981330
             ps.flush();
981330
             ps.close();
981330
             System.out.println("PKCS10Client: done. Request written to file: "+ ofilename);
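Review bot: `PrintStream` does not throw on a write failure, so after `ps.println(...)` and `ps.flush()` the tool prints `PKCS10Client: done. Request written to file` even when the write failed and the request file is empty or truncated. Check the stream before reporting success, for example `if (ps.checkError()) { throw new IOException("failed to write " + ofilename); }` ahead of `ps.close()`, adjusting the exception type to what the method already handles. Opening the stream in try-with-resources would also ensure it is closed if anything between the constructor and `ps.close()` throws. The surrounding method starts and ends outside this hunk.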
981330
-- 
981330
1.8.3.1
981330
981330
981330
From f11b2d72f710e4a8a25e3779b2e57eb6b66742b7 Mon Sep 17 00:00:00 2001
981330
From: Matthew Harmsen <mharmsen@redhat.com>
981330
Date: Fri, 19 Aug 2016 16:08:56 -0600
981330
Subject: [PATCH 08/10] pki-tools CMCEnroll man page
981330
981330
* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
981330
      - CMCEnroll
981330
981330
(cherry picked from commit fb8cff8cef10580ff5c14c5d5df535613779f9c5)
981330
(cherry picked from commit 44046589bc9ed15d591d863056698232c25514bd)
981330
---
981330
 base/java-tools/man/man1/CMCEnroll.1 | 570 +++++++++++++++++++++++++++++++++++
981330
 1 file changed, 570 insertions(+)
981330
 create mode 100644 base/java-tools/man/man1/CMCEnroll.1
981330
981330
diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
981330
new file mode 100644
981330
index 0000000..4cc861f
981330
--- /dev/null
981330
+++ b/base/java-tools/man/man1/CMCEnroll.1
981330
@@ -0,0 +1,570 @@
981330
+.\" First parameter, NAME, should be all caps
981330
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
981330
+.\" other parameters are allowed: see man(7), man(1)
981330
+.TH CMCEnroll 1 "July 20, 2016" "version 10.3" "PKI CMC Enrollment Tool" Dogtag Team
981330
+.\" Please adjust this date whenever revising the man page.
981330
+.\"
981330
+.\" Some roff macros, for reference:
981330
+.\" .nh        disable hyphenation
981330
+.\" .hy        enable hyphenation
981330
+.\" .ad l      left justify
981330
+.\" .ad b      justify to both left and right margins
981330
+.\" .nf        disable filling
981330
+.\" .fi        enable filling
981330
+.\" .br        insert line break
981330
+.\" .sp <n>    insert n+1 empty lines
981330
+.\" for man page specific macros, see man(7)
981330
+.SH NAME
981330
+CMCEnroll \- Used to sign a certificate request with an agent's certificate.
981330
+
981330
+.SH SYNOPSIS
981330
+.PP
981330
+\fBCMCEnroll -d <directory_of_NSS_security_database_containing_agent_cert> -n <certificate_nickname> -r <certificate_request_file> -p <certificate_DB_passwd>\fP
981330
+
981330
+.SH DESCRIPTION
981330
+.PP
981330
+The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, \fBCMCEnroll\fP, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.
981330
+.PP
981330
+\fBCMCEnroll\fP takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.
981330
+
981330
+.SH OPTIONS
981330
+.PP
981330
+The following parameters are mandatory:
981330
+.PP
981330
+\fBNote:\fP
981330
+Surround values that include spaces with quotation marks.
981330
+.TP
981330
+.B -d <directory_of_NSS_security_database_containing_agent_cert>
981330
+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files associated with the agent certificate. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
981330
+
981330
+.TP
981330
+.B -n <certificate_nickname>
981330
+The nickname of the agent certificate that is used to sign the request.
981330
+
981330
+.TP
981330
+.B -r <certificate_request_file>
981330
+The filename of the certificate request.
981330
+
981330
+.TP
981330
+.B -p <certificate_DB_passwd>
981330
+The password to the NSS certificate database which contains the agent certificate, given in \fB-d <directory_of_NSS_security_database_containing_agent_cert>\fP.
981330
+
981330
+.SH EXAMPLES
981330
+.PP
981330
+Signed requests must be submitted to the CA to be processed.
981330
+.PP
981330
+\fBNote:\fP For this example to work automatically, the \fBCMCAuth\fP plug-in must be enabled on the CA server (which it is by default).
981330
+.TP
981330
+(1) Create a PKCS #10 certificate request using a tool like \fBcertutil\fP:
981330
+.IP
981330
+.nf
981330
+# cd ~/.mozilla/firefox/<browser profile>
981330
+
981330
+# certutil -d . -L
981330
+Certificate Nickname                                         Trust Attributes
981330
+                                                             SSL,S/MIME,JAR/XPI
981330
+
981330
+Google Internet Authority G2                                 ,,
981330
+COMODO RSA Domain Validation Secure Server CA                ,,
981330
+pki.example.com                                              ,,
981330
+DigiCert SHA2 Secure Server CA                               ,,
981330
+DigiCert SHA2 Extended Validation Server CA                  ,,
981330
+COMODO RSA Extended Validation Secure Server CA 2            ,,
981330
+Symantec Class 3 Secure Server CA - G4                       ,,
981330
+Go Daddy Secure Certificate Authority - G2                   ,,
981330
+Oracle SSL CA - G2                                           ,,
981330
+GeoTrust EV SSL CA - G4                                      ,,
981330
+Symantec Class 3 Secure Server SHA256 SSL CA                 ,,
981330
+GeoTrust SSL CA - G3                                         ,,
981330
+PKI Administrator for example.com                            u,u,u
981330
+DigiCert SHA2 High Assurance Server CA                       ,,
981330
+COMODO RSA Organization Validation Secure Server CA          ,,
981330
+CA Signing Certificate - example.com Security Domain         CT,C,C
981330
+
981330
+# certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a
981330
+
981330
+A random seed must be generated that will be used in the
981330
+creation of your key.  One of the easiest ways to create a
981330
+random seed is to use the timing of keystrokes on a keyboard.
981330
+
981330
+To begin, type keys on the keyboard until this progress meter
981330
+is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
981330
+
981330
+
981330
+Continue typing until the progress meter is full:
981330
+
981330
+|************************************************************|
981330
+
981330
+Finished.  Press enter to continue:
981330
+
981330
+
981330
+Generating key.  This may take a few moments...
981330
+
981330
+
981330
+Certificate request generated by Netscape certutil
981330
+Phone: (not specified)
981330
+
981330
+Common Name: CMCEnroll Test Certificate
981330
+Email: (not specified)
981330
+Organization: (not specified)
981330
+State: (not specified)
981330
+Country: (not specified)
981330
+
981330
+-----BEGIN CERTIFICATE REQUEST-----
981330
+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
981330
+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
981330
+IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
981330
+6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
981330
+QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
981330
+WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
981330
+rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
981330
+68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
981330
+YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
981330
+sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
981330
+FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
981330
+ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
981330
+TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
981330
+-----END CERTIFICATE REQUEST-----
981330
+.if
981330
+
981330
+.TP
981330
+(2) Copy the PKCS #10 ASCII output to a text file.
981330
+.IP
981330
+.nf
981330
+# vi cert.req
981330
+-----BEGIN CERTIFICATE REQUEST-----
981330
+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
981330
+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
981330
+IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
981330
+6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
981330
+QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
981330
+WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
981330
+rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
981330
+68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
981330
+YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
981330
+sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
981330
+FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
981330
+ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
981330
+TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
981330
+-----END CERTIFICATE REQUEST-----
981330
+.if
981330
+
981330
+.TP
981330
+(3) Run the \fBCMCEnroll\fP command to sign the certificate request. If the input file is "\fB~/.mozilla/firefox/<profile>/cert.req\fP", the agent's certificate is stored in the "\fB~/.mozilla/firefox\<profile>fP" directory, the certificate common name for this CA is "\fBPKI Administrator for example.com\fP", and the password for the certificate database is "\fBSecret123\fP", the command is as follows:
981330
+.IP
981330
+.nf
981330
+# CMCEnroll -d "~/.mozilla/firefox/<profile>/" -n "PKI Administrator for example.com" -r "~/.mozilla/firefox/<profile>/cert.req" -p "Secret123"
981330
+cert/key prefix =
981330
+path = ~/.mozilla/firefox/<profile>/
981330
+-----BEGIN CERTIFICATE REQUEST-----
981330
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-----END CERTIFICATE REQUEST-----
981330
+.if
981330
+The output of this command is stored in a file with the same filename as the request with a \fB.out\fP appended to the filename (e. g. - cert.req.out):
981330
+.IP
981330
+.nf
981330
+# cat cert.req.out
981330
+-----BEGIN CERTIFICATE REQUEST-----
981330
+MIIMhwYJKoZIhvcNAQcCoIIMeDCCDHQCAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
981330
+BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB5Da2UvQ1V6VEZF
981330
+Rzgwa1Ryb1dsNjVuTUZhMEU9DQowIQIBAwYIKwYBBQUHBwUxEgIQU05oqk+q+FdR
981330
+go/eIzsjGTCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5y
981330
+b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
981330
+AoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA
981330
++Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5
981330
+tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1
981330
+A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiu
981330
+qv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUy
981330
+UkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
981330
+Q9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2
981330
+fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9w
981330
+Xz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ
981330
++FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SB
981330
+Sa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9D
981330
+RJd1FJoocw0eGhw31I5rJDAAMACggge1MIIDzDCCArSgAwIBAgIBATANBgkqhkiG
981330
+9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
981330
+RG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcy
981330
+MTIzNDAyNVoXDTM2MDcyMTIzNDAyNVowTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
981330
+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
981330
+aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmWoikqOPpH
981330
+0JLW3SZ1SPojvndjdILqDuGuRmqtcLuzZtmNuY7ZVwrXt61G1SCCBoEiy/OcUCKM
981330
+GVpw0M15Dn3sjJmd9F2R5lrGT2eMWWfVTr15RyEwK9Pn0mxTDN+0eZ4WDY9U4Zg4
981330
+2qZYIhkfGSTR5jhA4rs3uNOFm0ElLqDumGw3EXjJOy+RURvNbY4Pjlz89+Q2o6M0
981330
+/XMmMYzxVtXusKu1bvTKIiWoWCXR5ge78GoT/8reer+zxuSXiKSeVV2myvCQhmMH
981330
+AD2rik/7hazuY2ztC8h9HF09PMSeK2ev6PlzSV/PEqj9u5bgOcbqeiQkzR6IOcSi
981330
+JCn9o7B+AUMCAwEAAaOBtDCBsTAfBgNVHSMEGDAWgBS7NphdZcuI4IcjN29b96+L
981330
+iuu6tTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU
981330
+uzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzAB
981330
+hjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Ev
981330
+b2NzcDANBgkqhkiG9w0BAQsFAAOCAQEANUYLK65kV0na9zmtNGFje4akz4FBRAOh
981330
+f/RYvtH4/0z38vW/E6fZkfb6CHrC4pNPfL6c0q/8H0mIrAft4kkQlTyJB9tdF5qY
981330
+vCfUMmZ+zM664U/97nf7NSUu9PIFcNfh+/O9IoVUd7gEerRISJzbsmHAcCcfIiKX
981330
+FsM+6HbEt+lH47flb/eSA2cUS84bC+XlZmKpse1R8PL/rKzngReZmMhNx73pYlEN
981330
+0qOpJILEMC1FVUExp6XnnP/m1+gY3T2FrIcUU7Jm1mCnln3VcLxkRU2c9tGj4xYr
981330
+H8teMoQHLZTiqe/54h+3/pUEDgSATAHnex/uG33TXNDbpeNeq720eDCCA+EwggLJ
981330
+oAMCAQICAQYwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
981330
+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
981330
+aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMzBaFw0xODA3MTEyMzQwMzBaMHQxKzApBgNV
981330
+BAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xKTAnBgkqhkiG
981330
+9w0BCQEWGmNhYWRtaW5AdXNlcnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kg
981330
+QWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPQ
981330
+fOUyTIkdDnPzBrFRBknHqjYMrRpUDBR+JlarT/Sr6PqNQPMcM7JvgBNmXG32H+5w
981330
+QH/sfVjOmKEJOMsh71vKiTM0wb5rIo08B34i9E5Cf2Wzx2/ht4qfWvSmb5ZBxy22
981330
+YpasKLdv7SwSDQr0U7h+Q/96Hgq85ONxWWN6XubgZxSfbs7QVcA0jVq+2inhT67B
981330
+0u4DO6MTxFJNCfDcWiA/M6xzKbjEqDUEh46Rk19krGPYsbfW2BMuOi7pyfTDJVJ5
981330
+CAUbo4bpR3eeo5KMbUvgF3WUxA1whOF2Oc6t0hdINW6Xeq3vpnwn3RyX2TRQ0zqi
981330
+n3K3uPdahteQNcRb/Q8CAwEAAaOBozCBoDAfBgNVHSMEGDAWgBS7NphdZcuI4Icj
981330
+N29b96+Liuu6tTBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0dHA6Ly9w
981330
+a2ktZGVza3RvcC51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1Ud
981330
+DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
981330
+hvcNAQELBQADggEBAADJNrg4qAZ1LxSz2Nn1k1SEmbugxrh8o1jpBAaSvLlv+blL
981330
++6wNq0D7c1GPzRO5TObyXgpbtHgofpKLSxw8cB3y8ugZMp7qJeCYxgzxQKEVMANW
981330
+6eZgAxvEe1J5Vyk/ELNiCtQmY7Mi+BtwvCF0xkCwYtOGlgeLV5t6GjBdG+jpZSIb
981330
+B0En0+t/JOwvqUAhzVStz/j9LgBza0P8ACd/s2Z/zjpot2JTXDofF0mbiGwMz4Em
981330
+/dOT3QhUr3QqFY/Q6T7c/wW7KbUXpNjwvLAV86A9Oojq32Z3ppJPnnDoLxLWvn8f
981330
+4rBdhhKrFhRZBYd91r3OExUIAEkFH9cmgPusjMsxggG6MIIBtgIBAzBTME4xKzAp
981330
+BgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNV
981330
+BAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqG
981330
+SIb3DQEJAzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUeIRBuSA10uyZK8LB
981330
+yc5Abz4f74AwDQYJKoZIhvcNAQEBBQAEggEAC1DFoKDcAzJUdIIucV61TqQtbBJT
981330
+H8hhnln3+TwAO+u3X55o74xZMgawy/3Hkt3CjYxYmWIYY9MZILb2UeD0VZz63yzq
981330
+F9tEZu2IhlvaOgP6NLcu8SxDImQ/GuvPIvGkGg0m/X3cwCHKymH7ZXAUfxQXgqbw
981330
+CAMc+DH99xx0yotaAr5HE9tauNJejo4CDVYwUn/5syTcw3molt2Ely2FIFEyI3HD
981330
+yPmP2OHw/xqlBhFvnoecbtpTq2DiWGPWJHSnzcdInuXudHHaIsribXK8HGw2MnCD
981330
+8Sq7UsrvBe50v0YebYzQdXYrsnluNc+Cwm2PdDQDfPT39e7iwGSLGi4KrQ==
981330
+-----END CERTIFICATE REQUEST-----
981330
+.if
981330
+
981330
+.TP
981330
+(4) Submit the signed certificate request through the CA end-entities page:
981330
+.IP
981330
+.nf
981330
+(a) Open the end-entities page.
981330
+
981330
+(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
981330
+
981330
+(c) Paste the content of the output file into the first text area of this form.
981330
+
981330
+(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
981330
+
981330
+(e) Fill in the contact information, and submit the form.
981330
+.if
981330
+
981330
+.TP
981330
+(5) The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled:
981330
+.IP
981330
+.nf
981330
+Congratulations, your request has been processed successfully
981330
+
981330
+Your request ID is \fB7\fP.
981330
+
981330
+\fBOutputs\fP
981330
+
981330
+* Certificate Pretty Print
981330
+
981330
+    Certificate:
981330
+        Data:
981330
+            Version:  v3
981330
+            Serial Number: 0x7
981330
+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
981330
+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
981330
+            Validity:
981330
+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
981330
+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
981330
+            Subject: CN=CMCEnroll Test Certificate
981330
+            Subject Public Key Info:
981330
+                Algorithm: RSA - 1.2.840.113549.1.1.1
981330
+                Public Key:
981330
+                    Exponent: 65537
981330
+                    Public Key Modulus: (2048 bits) :
981330
+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
981330
+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
981330
+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
981330
+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
981330
+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
981330
+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
981330
+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
981330
+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
981330
+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
981330
+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
981330
+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
981330
+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
981330
+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
981330
+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
981330
+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
981330
+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
981330
+            Extensions:
981330
+                Identifier: Authority Key Identifier - 2.5.29.35
981330
+                    Critical: no
981330
+                    Key Identifier:
981330
+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
981330
+                        8A:EB:BA:B5
981330
+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
981330
+                    Critical: no
981330
+                    Access Description:
981330
+                        Method #0: ocsp
981330
+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
981330
+                Identifier: Key Usage: - 2.5.29.15
981330
+                    Critical: yes
981330
+                    Key Usage:
981330
+                        Digital Signature
981330
+                        Non Repudiation
981330
+                        Key Encipherment
981330
+                Identifier: Extended Key Usage: - 2.5.29.37
981330
+                    Critical: no
981330
+                    Extended Key Usage:
981330
+                        1.3.6.1.5.5.7.3.2
981330
+                        1.3.6.1.5.5.7.3.4
981330
+        Signature:
981330
+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
981330
+            Signature:
981330
+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
981330
+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
981330
+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
981330
+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
981330
+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
981330
+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
981330
+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
981330
+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
981330
+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
981330
+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
981330
+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
981330
+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
981330
+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
981330
+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
981330
+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
981330
+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
981330
+        FingerPrint
981330
+            MD2:
981330
+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
981330
+            MD5:
981330
+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
981330
+            SHA-1:
981330
+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
981330
+                5C:A9:71:27
981330
+            SHA-256:
981330
+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
981330
+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
981330
+            SHA-512:
981330
+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
981330
+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
981330
+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
981330
+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
981330
+
981330
+* Certificate Base-64 Encoded
981330
+
981330
+-----BEGIN CERTIFICATE-----
981330
+MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
981330
+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
981330
+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow
981330
+JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG
981330
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ
981330
+SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad
981330
+7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s
981330
+rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s
981330
+UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x
981330
+/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw
981330
+gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE
981330
+QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo
981330
+YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI
981330
+KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug
981330
+pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/
981330
+mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt
981330
+BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+
981330
+gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT
981330
+8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7
981330
+axszSMsh
981330
+-----END CERTIFICATE-----
981330
+
981330
+* Certificate Imports
981330
+----------------------
981330
+| Import Certificate |
981330
+----------------------
981330
+.if
981330
+
981330
+.TP
981330
+(6) Use the agent page to search for the new certificate:
981330
+.IP
981330
+.nf
981330
+Certificate   0x07
981330
+
981330
+Certificate contents
981330
+
981330
+    Certificate:
981330
+        Data:
981330
+            Version:  v3
981330
+            Serial Number: 0x7
981330
+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
981330
+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
981330
+            Validity:
981330
+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
981330
+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
981330
+            Subject: CN=CMCEnroll Test Certificate
981330
+            Subject Public Key Info:
981330
+                Algorithm: RSA - 1.2.840.113549.1.1.1
981330
+                Public Key:
981330
+                    Exponent: 65537
981330
+                    Public Key Modulus: (2048 bits) :
981330
+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
981330
+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
981330
+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
981330
+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
981330
+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
981330
+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
981330
+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
981330
+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
981330
+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
981330
+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
981330
+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
981330
+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
981330
+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
981330
+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
981330
+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
981330
+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
981330
+            Extensions:
981330
+                Identifier: Authority Key Identifier - 2.5.29.35
981330
+                    Critical: no
981330
+                    Key Identifier:
981330
+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
981330
+                        8A:EB:BA:B5
981330
+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
981330
+                    Critical: no
981330
+                    Access Description:
981330
+                        Method #0: ocsp
981330
+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
981330
+                Identifier: Key Usage: - 2.5.29.15
981330
+                    Critical: yes
981330
+                    Key Usage:
981330
+                        Digital Signature
981330
+                        Non Repudiation
981330
+                        Key Encipherment
981330
+                Identifier: Extended Key Usage: - 2.5.29.37
981330
+                    Critical: no
981330
+                    Extended Key Usage:
981330
+                        1.3.6.1.5.5.7.3.2
981330
+                        1.3.6.1.5.5.7.3.4
981330
+        Signature:
981330
+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
981330
+            Signature:
981330
+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
981330
+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
981330
+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
981330
+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
981330
+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
981330
+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
981330
+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
981330
+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
981330
+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
981330
+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
981330
+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
981330
+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
981330
+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
981330
+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
981330
+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
981330
+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
981330
+        FingerPrint
981330
+            MD2:
981330
+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
981330
+            MD5:
981330
+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
981330
+            SHA-1:
981330
+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
981330
+                5C:A9:71:27
981330
+            SHA-256:
981330
+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
981330
+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
981330
+            SHA-512:
981330
+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
981330
+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
981330
+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
981330
+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
981330
+
981330
+Certificate request info
981330
+
981330
+Request ID: 7
981330
+
981330
+Installing this certificate in a server
981330
+
981330
+The following format can be used to install this certificate into a server.
981330
+
981330
+Base 64 encoded certificate
981330
+
981330
+-----BEGIN CERTIFICATE-----
981330
+MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
981330
+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
981330
+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow
981330
+JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG
981330
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ
981330
+SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad
981330
+7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s
981330
+rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s
981330
+UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x
981330
+/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw
981330
+gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE
981330
+QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo
981330
+YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI
981330
+KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug
981330
+pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/
981330
+mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt
981330
+BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+
981330
+gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT
981330
+8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7
981330
+axszSMsh
981330
+-----END CERTIFICATE-----
981330
+
981330
+Base 64 encoded certificate with CA certificate chain in pkcs7 format
981330
+
981330
+-----BEGIN PKCS7-----
981330
+MIIHlQYJKoZIhvcNAQcCoIIHhjCCB4ICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIH
981330
+ZjCCA5IwggJ6oAMCAQICAQcwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNl
981330
+cnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln
981330
+bmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjIwMDI4MjBaFw0xNzAxMTgwMTI4MjBa
981330
+MCUxIzAhBgNVBAMTGkNNQ0Vucm9sbCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkq
981330
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2pkAOqbCu054nNwwLSMgDApOxStz7krH
981330
+iUq0fwu1tObT765aeb1CsaZnAPj4NwADaeYFTEDqbOq4gL6Cu+jSk5MODHtPQqMG
981330
+ne2svSAQWOEKqgZkZ309zJulObSVnqr6tXCJMKMcx5ZYLBgRjEHbiO1EY4UGMd6f
981330
+rKxkntHzO26ivgFOmiYeK9I3NQOqQr/9lzDmNSFM5oyBJzatkVjqZ7FkOFA5mta/
981330
+LFMyoDYZLoYz1OVOWBrfftI4rqr9eHWyou1CTdwz7ZBF2TTqxaxoKioXVKi4a3Zv
981330
+sfx4MP2maEgxWFzjfYxUxcjFMlJFl2aubH8IIVlAtquA7G37x+vIdQIDAQABo4Gj
981330
+MIGgMB8GA1UdIwQYMBaAFLs2mF1ly4jghyM3b1v3r4uK67q1ME4GCCsGAQUFBwEB
981330
+BEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNrdG9wLnVzZXJzeXMucmVk
981330
+aGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQG
981330
+CCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAQEAbYuZ0unTTn9V
981330
+IKZ/gAxytDDFT8vUrFeF19LKdZD3L1cRy2cWCAxMI9Klpy5OITn11cdtC9ytSOKS
981330
+/5nF/M8OiWm5CbqfDoSrgTKni5kw33UvbGFanId32izqQIUg8t6VdmvXC4yIJWIA
981330
+LQQw8CRLZCpK5zcEorytt3+6qnRBLFXp5UuSGLwY3PxL6hUYzrB6OoRk4jEcZAp5
981330
+PoBuQxIwiipnb1ZLVlXHVoaHJ+TDKMoF0r0LXRCiTpadWyqgC5u2u48VH9OveeA4
981330
+0/Ht1fHw6/hmVj8vT0qTDi4R8/cbN2EI5EqSTGDjHgoNYfKvsuNIOXSqXjJbq/NV
981330
+O2sbM0jLITCCA8wwggK0oAMCAQICAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UE
981330
+CgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwW
981330
+Q0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMjVaFw0zNjA3MjEy
981330
+MzQwMjVaME4xKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBE
981330
+b21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqG
981330
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCplqIpKjj6R9CS1t0mdUj6I753Y3SC6g7h
981330
+rkZqrXC7s2bZjbmO2VcK17etRtUgggaBIsvznFAijBlacNDNeQ597IyZnfRdkeZa
981330
+xk9njFln1U69eUchMCvT59JsUwzftHmeFg2PVOGYONqmWCIZHxkk0eY4QOK7N7jT
981330
+hZtBJS6g7phsNxF4yTsvkVEbzW2OD45c/PfkNqOjNP1zJjGM8VbV7rCrtW70yiIl
981330
+qFgl0eYHu/BqE//K3nq/s8bkl4iknlVdpsrwkIZjBwA9q4pP+4Ws7mNs7QvIfRxd
981330
+PTzEnitnr+j5c0lfzxKo/buW4DnG6nokJM0eiDnEoiQp/aOwfgFDAgMBAAGjgbQw
981330
+gbEwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwDwYDVR0TAQH/BAUw
981330
+AwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFLs2mF1ly4jghyM3b1v3r4uK
981330
+67q1ME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNr
981330
+dG9wLnVzZXJzeXMucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcNAQEL
981330
+BQADggEBADVGCyuuZFdJ2vc5rTRhY3uGpM+BQUQDoX/0WL7R+P9M9/L1vxOn2ZH2
981330
++gh6wuKTT3y+nNKv/B9JiKwH7eJJEJU8iQfbXReamLwn1DJmfszOuuFP/e53+zUl
981330
+LvTyBXDX4fvzvSKFVHe4BHq0SEic27JhwHAnHyIilxbDPuh2xLfpR+O35W/3kgNn
981330
+FEvOGwvl5WZiqbHtUfDy/6ys54EXmZjITce96WJRDdKjqSSCxDAtRVVBMael55z/
981330
+5tfoGN09hayHFFOyZtZgp5Z91XC8ZEVNnPbRo+MWKx/LXjKEBy2U4qnv+eIft/6V
981330
+BA4EgEwB53sf7ht901zQ26XjXqu9tHgxAA==
981330
+-----END PKCS7-----
981330
+.if
981330
+
981330
+.SH AUTHORS
981330
+Matthew Harmsen <mharmsen@redhat.com>.
981330
+
981330
+.SH COPYRIGHT
981330
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
981330
+License, version 2 (GPLv2). A copy of this license is available at
981330
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
981330
+
981330
+.SH SEE ALSO
981330
+.BR CMCRequest(1), CMCResponse(1), CMCRevoke(1), pki(1)
981330
-- 
981330
1.8.3.1
981330
981330
981330
From eeaf6c2ec45415b2e32c46a0949539bef5e770a7 Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Wed, 17 Aug 2016 16:44:48 +0200
981330
Subject: [PATCH 09/10] Allowing optional CA signing CSR.
981330
981330
The CA signing CSR is already stored in request record which will
981330
be imported as part of migration process, so it's not necessary to
981330
export and reimport the CSR file again for migration.
981330
981330
To allow optional CSR, the pki-server subsystem-cert-validate
981330
CLI has been modified to no longer check the CSR in CS.cfg. The
981330
ConfigurationUtils.loadCertRequest() has been modified to ignore
981330
the missing CSR in CS.cfg.
981330
981330
https://fedorahosted.org/pki/ticket/2440
981330
(cherry picked from commit bde2cd1d3e65850c82a6ea7a6cebcae46a4408f2)
981330
(cherry picked from commit f422b219ec989bc7a5be9569643d4cb598b2887c)
981330
---
981330
 .../netscape/cms/servlet/csadmin/ConfigurationUtils.java    | 13 ++++++++++---
981330
 base/server/python/pki/server/cli/subsystem.py              |  4 ----
981330
 2 files changed, 10 insertions(+), 7 deletions(-)
981330
981330
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
index 3bd6d87..34500d0 100644
981330
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
981330
@@ -2947,10 +2947,17 @@ public class ConfigurationUtils {
981330
         cert.setDN(subjectDN);
981330
 
981330
         String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem");
981330
-        String certreq = config.getString(subsystem + "." + tag + ".certreq");
981330
-        String formattedCertreq = CryptoUtil.reqFormat(certreq);
981330
 
981330
-        cert.setRequest(formattedCertreq);
981330
+        try {
981330
+            String certreq = config.getString(subsystem + "." + tag + ".certreq");
981330
+            String formattedCertreq = CryptoUtil.reqFormat(certreq);
981330
+
981330
+            cert.setRequest(formattedCertreq);
981330
+
981330
+        } catch (EPropertyNotFound e) {
981330
+            // The CSR is optional for existing CA case.
981330
+            CMS.debug("ConfigurationUtils.loadCertRequest: " + tag + " cert has no CSR");
981330
+        }
981330
     }
981330
 
981330
     public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception {
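Review bot: The new `catch (EPropertyNotFound e)` accepts a missing `.certreq` for every cert tag, while the commit message only makes the CA signing CSR optional for the existing-CA case. A missing CSR for any other system cert is now reduced to a debug line, and the `Cert` is left without a request; the callers are not visible here, so whether they cope with that is unconfirmed. Consider rethrowing unless the tag is the CA signing cert, and state the limit in the comment, e.g. `// Only the CA signing cert may lack a CSR (existing CA); any other tag must have one.` Keeping only the `config.getString(...)` call inside the `try` would also make it clear which statement is allowed to fail. The method begins outside the hunk.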
981330
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
981330
index 4651d74..c173ea2 100644
981330
--- a/base/server/python/pki/server/cli/subsystem.py
981330
+++ b/base/server/python/pki/server/cli/subsystem.py
981330
@@ -917,10 +917,6 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
981330
 
981330
         print('  Cert ID: %s' % cert['id'])
981330
 
981330
-        if not cert['request']:
981330
-            print('  Status: ERROR: missing certificate request')
981330
-            return False
981330
-
981330
         if not cert['data']:
981330
             print('  Status: ERROR: missing certificate data')
981330
             return False
981330
-- 
981330
1.8.3.1
981330
981330
981330
From 5117e59121048db4c172caf322d803e26c3644fb Mon Sep 17 00:00:00 2001
981330
From: "Endi S. Dewata" <edewata@redhat.com>
981330
Date: Sat, 20 Aug 2016 10:47:15 +0200
981330
Subject: [PATCH 10/10] Updated pki-server subsystem-cert-update CLI.
981330
981330
The pki-server subsystem-cert-update CLI has been updated to
981330
use certutil to retrieve the certificate data from the proper
981330
token. It will also show a warning if the certificate request
981330
cannot be found.
981330
981330
The NSSDatabase constructor has been modified to normalize the
981330
name of internal NSS token to None. If the token name is None,
981330
the certutil will be executed without the -h option.
981330
981330
The NSSDatabase.get_cert() has been modified to prepend the token
981330
name to the certificate nickname.
981330
981330
https://fedorahosted.org/pki/ticket/2440
981330
(cherry picked from commit eb28cf05cfad246383dbda054c8cd477bc7acc73)
981330
(cherry picked from commit e0db19f831159689e9fd63b988799ee16b618dc6)
981330
---
981330
 base/common/python/pki/nssdb.py                | 11 ++++--
981330
 base/server/python/pki/server/cli/subsystem.py | 49 +++++++++++++++-----------
981330
 2 files changed, 38 insertions(+), 22 deletions(-)
981330
981330
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
981330
index ed45654..736efca 100644
981330
--- a/base/common/python/pki/nssdb.py
981330
+++ b/base/common/python/pki/nssdb.py
981330
@@ -105,7 +105,11 @@ class NSSDatabase(object):
981330
             directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
981330
 
981330
         self.directory = directory
981330
-        self.token = token
981330
+
981330
+        if token == 'internal' or token == 'Internal Key Storage Token':
981330
+            self.token = None
981330
+        else:
981330
+            self.token = token
981330
 
981330
         self.tmpdir = tempfile.mkdtemp()
981330
 
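Review bot: The internal-token check is an exact, case-sensitive comparison against two spellings, so any other form of the name stored in configuration would be kept as `self.token` and later passed to certutil with `-h`. If the values read from CS.cfg can vary in case (not visible here), normalise before comparing, e.g. `if token and token.lower() in ('internal', 'internal key storage token'):`. A one-line comment explaining that `None` means "internal token, omit -h" would help readers of `get_cert()`. The constructor starts and ends outside the hunk.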
981330
@@ -425,12 +429,15 @@ class NSSDatabase(object):
981330
             '-d', self.directory
981330
         ]
981330
 
981330
+        fullname = nickname
981330
+
981330
         if self.token:
981330
             cmd.extend(['-h', self.token])
981330
+            fullname = self.token + ':' + fullname
981330
 
981330
         cmd.extend([
981330
             '-f', self.password_file,
981330
-            '-n', nickname,
981330
+            '-n', fullname,
981330
             output_format_option
981330
         ])
981330
 
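Review bot: `fullname = self.token + ':' + fullname` prepends the token unconditionally, so a nickname that already carries a `token:` prefix would reach certutil with the prefix doubled and the lookup would fail. Whether any caller passes prefixed nicknames is not visible here, but a guard is cheap: `if not nickname.startswith(self.token + ':'):` before the concatenation. The command is built as an argument list rather than a shell string, which keeps the token and nickname out of shell parsing; a short comment to that effect would help keep it that way. The method starts and ends outside the hunk.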
981330
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
981330
index c173ea2..42da26e 100644
981330
--- a/base/server/python/pki/server/cli/subsystem.py
981330
+++ b/base/server/python/pki/server/cli/subsystem.py
981330
@@ -21,10 +21,8 @@
981330
 
981330
 from __future__ import absolute_import
981330
 from __future__ import print_function
981330
-import base64
981330
 import getopt
981330
 import getpass
981330
-import nss.nss as nss
981330
 import os
981330
 import string
981330
 import subprocess
981330
@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
981330
             sys.exit(1)
981330
         subsystem_cert = subsystem.get_subsystem_cert(cert_id)
981330
 
981330
-        # get cert data from NSS database
981330
-        nss.nss_init(instance.nssdb_dir)
981330
-        nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
981330
-        data = base64.b64encode(nss_cert.der_data)
981330
-        del nss_cert
981330
-        nss.nss_shutdown()
981330
+        if self.verbose:
981330
+            print('Retrieving certificate %s from %s' %
981330
+                  (subsystem_cert['nickname'], subsystem_cert['token']))
981330
+
981330
+        token = subsystem_cert['token']
981330
+        nssdb = instance.open_nssdb(token)
981330
+        data = nssdb.get_cert(
981330
+            nickname=subsystem_cert['nickname'],
981330
+            output_format='base64')
981330
         subsystem_cert['data'] = data
981330
 
981330
         # format cert data for LDAP database
981330
         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
981330
         data = string.join(lines, '\r\n') + '\r\n'
981330
 
981330
-        # get cert request from local CA
981330
+        if self.verbose:
981330
+            print('Retrieving certificate request from CA database')
981330
+
981330
         # TODO: add support for remote CA
981330
         ca = instance.get_subsystem('ca')
981330
         if not ca:
981330
             print('ERROR: No CA subsystem in instance %s.' % instance_name)
981330
             sys.exit(1)
981330
+
981330
         results = ca.find_cert_requests(cert=data)
981330
-        cert_request = results[-1]
981330
-        request = cert_request['request']
981330
-
981330
-        # format cert request for CS.cfg
981330
-        lines = request.splitlines()
981330
-        if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
981330
-            lines = lines[1:]
981330
-        if lines[-1] == '-----END CERTIFICATE REQUEST-----':
981330
-            lines = lines[:-1]
981330
-        request = string.join(lines, '')
981330
-        subsystem_cert['request'] = request
981330
+
981330
+        if results:
981330
+            cert_request = results[-1]
981330
+            request = cert_request['request']
981330
+
981330
+            # format cert request for CS.cfg
981330
+            lines = request.splitlines()
981330
+            if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
981330
+                lines = lines[1:]
981330
+            if lines[-1] == '-----END CERTIFICATE REQUEST-----':
981330
+                lines = lines[:-1]
981330
+            request = string.join(lines, '')
981330
+            subsystem_cert['request'] = request
981330
+
981330
+        else:
981330
+            print('WARNING: Certificate request not found')
981330
 
981330
         # store cert data and request in CS.cfg
981330
         subsystem.update_subsystem_cert(subsystem_cert)
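Review bot: The database returned by `instance.open_nssdb(token)` is never released in the visible lines, although the NSSDatabase constructor creates a temporary directory with `tempfile.mkdtemp()` and `get_cert()` passes a password file to certutil. If an exception is raised in `get_cert()`, or simply on the normal path, that directory and whatever password material it holds stay on disk; wrap the call in `try`/`finally` and close the database, assuming NSSDatabase provides a `close()` method as elsewhere in this code base. Separately, when `results` is empty the code only prints a warning and still writes `subsystem_cert` back, so any previous `request` value is kept next to the new cert data; clearing it, or saying in a comment that it is kept on purpose, would avoid a mismatched CSR in CS.cfg. The method starts outside the hunk.

```python
token = subsystem_cert['token']
nssdb = instance.open_nssdb(token)
try:
    data = nssdb.get_cert(
        nickname=subsystem_cert['nickname'],
        output_format='base64')
finally:
    # remove the temporary directory created by the NSSDatabase constructor
    nssdb.close()
subsystem_cert['data'] = data
# ... unchanged: LDAP formatting and cert request lookup ...
```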
981330
-- 
981330
1.8.3.1
981330