From 53eec401f222178ff2ac34fd6223b121f485969d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 12 Aug 2016 02:23:18 +0200
Subject: [PATCH 01/10] Removed PKCS #7 from add user cert dialog in TPS UI.

The dialog box for adding a user certificate in the TPS UI has been
modified to no longer mention PKCS #7. The REST service itself
still accepts PKCS #7, but it should be cleaned up in the future.

https://fedorahosted.org/pki/ticket/2437
(cherry picked from commit d27d4600784acb49c42764d02835dedf3ee87227)
(cherry picked from commit 2dae5f18fa5c68f7923b6b6691395790fb14791f)
---
 base/server/cms/src/org/dogtagpki/server/rest/UserService.java | 2 ++
 base/tps/shared/webapps/tps/ui/user-certs.html                 | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
index 0893c4b..1f8e9fa 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
@@ -863,6 +863,8 @@ public class UserService extends PKIService implements UserResource {
             }
 
             if (cert == null) {
+                // TODO: Remove this code. Importing PKCS #7 is not supported.
+
                 // cert chain direction
                 boolean assending = true;
 
diff --git a/base/tps/shared/webapps/tps/ui/user-certs.html b/base/tps/shared/webapps/tps/ui/user-certs.html
index 049583e..04593f3 100644
--- a/base/tps/shared/webapps/tps/ui/user-certs.html
+++ b/base/tps/shared/webapps/tps/ui/user-certs.html
@@ -93,7 +93,7 @@
                     <input name="userID" readonly="readonly"><br>
                     <label>Certificate</label>
                     <textarea name="encoded" rows="20" cols="80"></textarea><br>
-                    Enter a PEM certificate or PKCS #7 data.
+                    Enter a PEM certificate.
                 </fieldset>
             </div>
             <div class="modal-footer">
-- 
1.8.3.1


From 3bfd5acb075751e429eeb8b46f17c624a5178a41 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 12 Aug 2016 04:42:25 +0200
Subject: [PATCH 02/10] Added cert validation error message in selftest log.

To help troubleshooting, the selftest log has been modified to
include the cert validation error message returned by JSS.

https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 0fd31368d871c513c9833ca02bc08d15a48d6aa5)
(cherry picked from commit 488303542161103cbbac6814dffd8818fccf455d)
---
 .../src/com/netscape/cms/selftests/common/SystemCertsVerification.java  | 2 +-
 base/server/cmsbundle/src/LogMessages.properties                        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
index e4fc1cb..cc52f83 100644
--- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
+++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
@@ -200,7 +200,7 @@ public class SystemCertsVerification
         } catch (Exception e) {
             String logMessage = CMS.getLogMessage(
                     "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE",
-                    getSelfTestName());
+                    getSelfTestName(), e.getMessage());
             mSelfTestSubsystem.log(logger, logMessage);
             throw e;
         }
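Review bot: `e.getMessage()` on the changed line can be null — the catch is `Exception`, and many JDK and JSS exceptions carry no detail message — so the new `{1}` placeholder added in LogMessages.properties then renders as `system certs verification failure: null`, which gives the operator nothing to act on. Prefer `getSelfTestName(), e.toString());`, which yields the exception class plus the message when there is one and just the class when there is not. The enclosing method and its try block start outside the hunk.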
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 12c580a..0bcbcc5 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2766,7 +2766,7 @@ SELFTESTS_PARAMETER_WAS_NULL={0}:  a self test parameter was null
 SELFTESTS_MISSING_NAME={0}:  the self test property name {1} does not exist
 SELFTESTS_MISSING_VALUES={0}:  the self test property name {1} contained no value(s)
 SELFTESTS_INVALID_VALUES={0}:  the self test property name {1} contained invalid value(s)
-SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure
+SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure: {1}
 SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS={0}: system certs verification success
 SELFTESTS_CA_IS_NOT_PRESENT={0}:  CA is NOT present
 SELFTESTS_CA_IS_NOT_INITIALIZED={0}:  CA is NOT yet initialized
-- 
1.8.3.1


From 6431cac7c8f6a4874249bf1ea8b287e1a9a9f0c3 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 12 Aug 2016 23:06:24 +0200
Subject: [PATCH 03/10] Added exception wrapper for invalid LDAP attribute
 syntax.

The LDAPExceptionConverter has been modified to wrap LDAPException
for invalid attribute syntax with BadRequestException.

https://fedorahosted.org/pki/ticket/833
(cherry picked from commit 71acaed02642c618a729fbebbf7a7025684967a3)
(cherry picked from commit 26aa8bd616148b5318b87817aafae926d1c375d2)
---
 .../src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java       | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
index 88b1263..51a1109 100644
--- a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
+++ b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
@@ -17,13 +17,13 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.ldap;
 
-import netscape.ldap.LDAPException;
-
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 
+import netscape.ldap.LDAPException;
+
 /**
  * @author Endi S. Dewata
  */
@@ -39,6 +39,8 @@ public class LDAPExceptionConverter {
             return new ResourceNotFoundException("No such attribute.", e);
         case LDAPException.INVALID_DN_SYNTAX:
             return new BadRequestException("Invalid DN syntax.", e);
+        case LDAPException.INVALID_ATTRIBUTE_SYNTAX:
+            return new BadRequestException("Invalid attribute syntax.", e);
         case LDAPException.ENTRY_ALREADY_EXISTS:
             return new ConflictingOperationException("Entry already exists.", e);
         default:
-- 
1.8.3.1


From 90c6537038caa9a241d1c4123e1a642860a0aa5a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 16 Aug 2016 00:15:15 +0200
Subject: [PATCH 04/10] Removed misleading log in SelfTestSubsystem.

To avoid confusion, the isSelfTestCriticalAtStartup() and
isSelfTestCriticalOnDemand() in SelfTestSubsystem have been
modified to no longer log an error message if the selftest
being checked does not exist in the corresponding property
in CS.cfg.

https://fedorahosted.org/pki/ticket/2432
(cherry picked from commit 6bfee0e46aee93e1255ecb5652d46348557664d5)
(cherry picked from commit 422fc92597d80aa115efa59a592fbaf8851b243e)
---
 .../com/netscape/cmscore/selftests/SelfTestSubsystem.java  | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index ff938dd..8dc95cc 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -473,12 +473,7 @@ public class SelfTestSubsystem
             }
         }
 
-        // self test plugin instance property name is not present
-        log(mLogger,
-                CMS.getLogMessage(
-                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
-                        instanceFullName));
-
+        // self test undefined in selftests.container.order.onDemand
         throw new EMissingSelfTestException(instanceFullName);
     }
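Review bot: With the log call removed, a self test name that is missing from the property is now reported only through the `EMissingSelfTestException` thrown on the next line, so if any caller catches that exception without logging it the condition vanishes from the log entirely; confirm the callers of `isSelfTestCriticalOnDemand()` and `isSelfTestCriticalAtStartup()` record it. The second hunk (`@@ -799`) makes the same change for the startup list. Once both calls are gone, the `CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME` key may have no remaining users in the code base and would go stale in LogMessages.properties; worth a grep before merging. Both enclosing methods start outside their hunks.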
 
@@ -799,12 +794,7 @@ public class SelfTestSubsystem
             }
         }
 
-        // self test plugin instance property name is not present
-        log(mLogger,
-                CMS.getLogMessage(
-                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
-                        instanceFullName));
-
+        // self test undefined in selftests.container.order.startup
         throw new EMissingSelfTestException(instanceFullName);
     }
 
-- 
1.8.3.1


From 561191eacd168ed3b75de0c502ee82a6517f4348 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 16 Aug 2016 01:43:36 +0200
Subject: [PATCH 05/10] Fixed SelfTestService.findSelfTests().

The SelfTestService.findSelfTests() has been modified to return
all selftests defined in the CS.cfg.

https://fedorahosted.org/pki/ticket/2432
(cherry picked from commit 4001335ed5105112c64c433a26272286ecf66196)
(cherry picked from commit e860276fc5889aae40beda33ea523358fbe76911)
---
 .../common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java | 4 ++++
 base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java    | 2 +-
 .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
index c07b96a..a55c651 100644
--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
@@ -20,6 +20,8 @@
 
 package com.netscape.certsrv.selftests;
 
+import java.util.Collection;
+
 ///////////////////////
 // import statements //
 ///////////////////////
@@ -68,6 +70,8 @@ public interface ISelfTestSubsystem
     // ISelfTestSubsystem methods //
     ////////////////////////////////
 
+    public Collection<String> getSelfTestNames();
+
     //
     // methods associated with the list of on demand self tests
     //
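Review bot: The new `getSelfTestNames()` declaration has no Javadoc, while the surrounding interface groups every other method under a comment saying which list it concerns, so a caller cannot tell from here whether the result covers all configured tests or only the enabled ones, or whether it is a live view of subsystem state. Per the commit message it is meant to return every self test defined in CS.cfg; suggest `/** Returns the names of all self test instances defined in CS.cfg, whether or not they are enabled on demand or at startup. The returned collection must be treated as read-only. */` above the declaration.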
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
index e662ba9..9108a45 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
@@ -113,7 +113,7 @@ public class SelfTestService extends PKIService implements SelfTestResource {
 
             // filter self tests
             Collection<String> results = new ArrayList<String>();
-            for (String name : subsystem.listSelfTestsEnabledOnDemand()) {
+            for (String name : subsystem.getSelfTestNames()) {
                 if (filter != null && !name.contains(filter)) continue;
                 results.add(name);
             }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 8dc95cc..d7d7a3a 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -243,6 +243,10 @@ public class SelfTestSubsystem
     // SelfTestSubsystem methods //
     ///////////////////////////////
 
+    public Collection<String> getSelfTestNames() {
+        return mSelfTestInstances.keySet();
+    }
+
     //
     // methods associated with the list of on demand self tests
     //
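Review bot: `getSelfTestNames()` hands out `mSelfTestInstances.keySet()`, a live view of the subsystem's internal map: a caller can remove self tests through it, and a REST caller iterating it while the subsystem is still populating the map may hit a concurrent-modification failure. Return a read-only view or a snapshot instead, e.g. `return Collections.unmodifiableSet(mSelfTestInstances.keySet());`, using whichever of `java.util.Collections` / `java.util.ArrayList` the file already imports. The enclosing class continues outside the hunk.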
-- 
1.8.3.1


From 15a6f83a651949af7ba7bfe8fc1b3626d064fa87 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 18 Aug 2016 05:40:25 +0200
Subject: [PATCH 06/10] Added debug messages for
 ConfigurationUtils.handleCerts().

To help troubleshooting, some debug messages have been added into
ConfigurationUtils.handleCerts().

https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 9aa6640e7e94a591343478ee806a6e6d4c9f81e8)
(cherry picked from commit 4e5c8e53345d500bfa620267a8ae35df0e2973b6)
---
 .../cms/servlet/csadmin/ConfigurationUtils.java     | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 7723665..3bd6d87 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -3153,6 +3153,9 @@ public class ConfigurationUtils {
         String tokenname = config.getString("preop.module.token", "");
 
         if (cert.getType().equals("local") && b64.equals("...certificate be generated internally...")) {
+
+            CMS.debug("handleCerts(): processing local cert");
+
             String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype");
             X509Key x509key = null;
             if (pubKeyType.equals("rsa")) {
@@ -3177,24 +3180,33 @@ public class ConfigurationUtils {
                 CMS.debug("handleCerts(): nickname=" + nickname);
 
                 try {
+                    CMS.debug("handleCerts(): deleting existing cert");
                     if (certTag.equals("sslserver") && findBootstrapServerCert())
                         deleteBootstrapServerCert();
                     if (findCertificate(tokenname, nickname))
                         deleteCert(tokenname, nickname);
+
+                    CMS.debug("handleCerts(): importing new cert");
                     if (certTag.equals("signing") && subsystem.equals("ca"))
                         CryptoUtil.importUserCertificate(impl, nickname);
                     else
                         CryptoUtil.importUserCertificate(impl, nickname, false);
                     CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'");
+
                 } catch (Exception ee) {
                     CMS.debug(ee);
                     CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: "
                             + ee.toString());
                 }
             }
+
         } else if (cert.getType().equals("remote")) {
+
+            CMS.debug("handleCerts(): processing remote cert");
+
             if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
-                CMS.debug("handleCerts(): process remote...import cert");
+
+                CMS.debug("handleCerts(): deleting existing cert");
                 String b64chain = cert.getCertChain();
 
                 try {
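Review bot: The new `deleting existing cert` / `importing new cert` debug lines are emitted with identical text in three branches (here and in the hunks at `@@ -3256` and `@@ -3271`), and handleCerts() runs once per certTag, so in a configuration log these lines cannot be attributed to a branch or a tag without counting neighbouring messages. Include the discriminator the surrounding code already logs, e.g. `CMS.debug("handleCerts(): deleting existing cert for certTag=" + certTag);` and `CMS.debug("handleCerts(): importing new cert for certTag=" + certTag);`, which keeps the new lines consistent with the existing `cert imported for certTag '...'` message. The enclosing method starts and ends outside the hunk.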
@@ -3207,6 +3219,7 @@ public class ConfigurationUtils {
                     CMS.debug("ConfigurationUtils: update (remote): deleteCert Exception=" + e.toString());
                 }
 
+                CMS.debug("handleCerts(): importing new cert");
                 b64 = CryptoUtil.stripCertBrackets(b64.trim());
                 String certs = CryptoUtil.normalizeCertStr(b64);
                 byte[] certb = CryptoUtil.base64Decode(certs);
@@ -3256,11 +3269,16 @@ public class ConfigurationUtils {
                 CMS.debug("handleCerts(): b64 not set");
                 return 1;
             }
+
         } else {
+            CMS.debug("handleCerts(): processing " + cert.getType() + " cert");
+
             b64 = CryptoUtil.stripCertBrackets(b64.trim());
             String certs = CryptoUtil.normalizeCertStr(b64);
             byte[] certb = CryptoUtil.base64Decode(certs);
             X509CertImpl impl = new X509CertImpl(certb);
+
+            CMS.debug("handleCerts(): deleting existing cert");
             try {
                 if (certTag.equals("sslserver") && findBootstrapServerCert())
                     deleteBootstrapServerCert();
@@ -3271,6 +3289,7 @@ public class ConfigurationUtils {
                 CMS.debug("handleCerts(): deleteCert Exception=" + ee.toString());
             }
 
+            CMS.debug("handleCerts(): importing new cert");
             try {
                 if (certTag.equals("signing") && subsystem.equals("ca"))
                     CryptoUtil.importUserCertificate(impl, nickname);
-- 
1.8.3.1


From 361eb16c8558f5be6cdb65ab412ab4f703a10bdc Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Fri, 19 Aug 2016 15:58:12 -0600
Subject: [PATCH 07/10] pki-tools HEADER/FOOTER changes

* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements

(cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
(cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)
---
 base/java-tools/src/com/netscape/cmstools/CMCEnroll.java    | 13 ++++++++-----
 base/java-tools/src/com/netscape/cmstools/CMCRequest.java   |  4 ++--
 base/java-tools/src/com/netscape/cmstools/CMCRevoke.java    | 11 ++++++-----
 .../java-tools/src/com/netscape/cmstools/CRMFPopClient.java |  8 ++++++--
 base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 11 +++++++----
 5 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
index d13ed13..dc4b191 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
@@ -79,8 +79,11 @@ public class CMCEnroll {
     public static final String PR_REQUEST_PKCS10 = "PKCS10";
 
     public static final int ARGC = 4;
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
+    public static final String HEADER = "-----BEGIN";
+    public static final String TRAILER = "-----END";
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
 
     void cleanArgs(String[] s) {
 
@@ -434,10 +437,10 @@ public class CMCEnroll {
                     return;
                 }
 
-                System.out.println(HEADER);
-                System.out.println(asciiBASE64Blob.toString() + TRAILER);
+                System.out.println(RFC7468_HEADER);
+                System.out.println(asciiBASE64Blob.toString() + RFC7468_TRAILER);
                 try {
-                    asciiBASE64Blob_str = HEADER + "\n" + asciiBASE64Blob_str.toString() + TRAILER;
+                    asciiBASE64Blob_str = RFC7468_HEADER + "\n" + asciiBASE64Blob_str.toString() + RFC7468_TRAILER;
                     outputBlob.write(asciiBASE64Blob_str.getBytes());
                 } catch (IOException e) {
                     System.out.println("CMCEnroll:  I/O error " +
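Review bot: On the `println(asciiBASE64Blob.toString() + RFC7468_TRAILER)` line and in the `asciiBASE64Blob_str = ...` assignment the trailer is concatenated straight onto the base64 text, so unless asciiBASE64Blob already ends in a line terminator the `-----END CERTIFICATE REQUEST-----` boundary shares a line with the last base64 line, which is not the RFC 7468 layout the new constant names advertise. Mirror the way the header is handled, e.g. `asciiBASE64Blob_str = RFC7468_HEADER + "\n" + asciiBASE64Blob_str.toString() + "\n" + RFC7468_TRAILER + "\n";`, guarding against a doubled newline if the encoder is found to emit one. CMCRevoke (`@@ -224`) has the same pattern; CRMFPopClient and PKCS10Client print each part with its own `println` and are fine. The enclosing method starts and ends outside the hunk.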
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index 167c461..1f508c3 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -97,8 +97,8 @@ public class CMCRequest {
     public static final String PR_INTERNAL_TOKEN_NAME = "internal";
 
     public static final int ARGC = 1;
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
+    public static final String HEADER = "-----BEGIN";
+    public static final String TRAILER = "-----END";
 
     void cleanArgs(String[] s) {
 
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
index 3f9d811..45c3f07 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
@@ -69,8 +69,9 @@ import com.netscape.cmsutil.util.Utils;
  */
 public class CMCRevoke {
     public static final int ARGC = 8;
-    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
-    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
     static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null,
             pValue = null, cValue = null;
 
@@ -224,10 +225,10 @@ public class CMCRevoke {
             return;
         }
 
-        System.out.println(HEADER);
-        System.out.println(asciiBASE64Blob + TRAILER);
+        System.out.println(RFC7468_HEADER);
+        System.out.println(asciiBASE64Blob + RFC7468_TRAILER);
         try {
-            asciiBASE64Blob = HEADER + "\n" + asciiBASE64Blob + TRAILER;
+            asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER;
             outputBlob.write(asciiBASE64Blob.getBytes());
         } catch (IOException e) {
             System.out.println("CMCSigning:  I/O error " +
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 76d8f51..450f950 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -101,6 +101,10 @@ public class CRMFPopClient {
 
     public boolean verbose;
 
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
+
     public static Options createOptions() {
 
         Options options = new Options();
@@ -472,9 +476,9 @@ public class CRMFPopClient {
 
             StringWriter sw = new StringWriter();
             try (PrintWriter out = new PrintWriter(sw)) {
-                out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
+                out.println(RFC7468_HEADER);
                 out.println(request);
-                out.println("-----END NEW CERTIFICATE REQUEST-----");
+                out.println(RFC7468_TRAILER);
             }
             String csr = sw.toString();
 
diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
index d1c787e..0a35827 100644
--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
@@ -71,6 +71,9 @@ import com.netscape.cmsutil.util.Utils;
  * @version $Revision$, $Date$
  */
 public class PKCS10Client {
+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
 
     private static void printUsage() {
         System.out.println(
@@ -323,15 +326,15 @@ public class PKCS10Client {
                 b64E = CryptoUtil.base64Encode(certReqb);
             }
 
-            System.out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
+            System.out.println(RFC7468_HEADER);
             System.out.println(b64E);
-            System.out.println("-----END NEW CERTIFICATE REQUEST-----");
+            System.out.println(RFC7468_TRAILER);
 
             PrintStream ps = null;
             ps = new PrintStream(new FileOutputStream(ofilename));
-            ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
+            ps.println(RFC7468_HEADER);
             ps.println(b64E);
-            ps.println("-----END NEW CERTIFICATE REQUEST-----");
+            ps.println(RFC7468_TRAILER);
             ps.flush();
             ps.close();
             System.out.println("PKCS10Client: done. Request written to file: "+ ofilename);
-- 
1.8.3.1


From f11b2d72f710e4a8a25e3779b2e57eb6b66742b7 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Fri, 19 Aug 2016 16:08:56 -0600
Subject: [PATCH 08/10] pki-tools CMCEnroll man page

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
      - CMCEnroll

(cherry picked from commit fb8cff8cef10580ff5c14c5d5df535613779f9c5)
(cherry picked from commit 44046589bc9ed15d591d863056698232c25514bd)
---
 base/java-tools/man/man1/CMCEnroll.1 | 570 +++++++++++++++++++++++++++++++++++
 1 file changed, 570 insertions(+)
 create mode 100644 base/java-tools/man/man1/CMCEnroll.1

diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
new file mode 100644
index 0000000..4cc861f
--- /dev/null
+++ b/base/java-tools/man/man1/CMCEnroll.1
@@ -0,0 +1,570 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CMCEnroll 1 "July 20, 2016" "version 10.3" "PKI CMC Enrollment Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+CMCEnroll \- Used to sign a certificate request with an agent's certificate.
+
+.SH SYNOPSIS
+.PP
+\fBCMCEnroll -d <directory_of_NSS_security_database_containing_agent_cert> -n <certificate_nickname> -r <certificate_request_file> -p <certificate_DB_passwd>\fP
+
+.SH DESCRIPTION
+.PP
+The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, \fBCMCEnroll\fP, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.
+.PP
+\fBCMCEnroll\fP takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.PP
+\fBNote:\fP
+Surround values that include spaces with quotation marks.
+.TP
+.B -d <directory_of_NSS_security_database_containing_agent_cert>
+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files associated with the agent certificate. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
+
+.TP
+.B -n <certificate_nickname>
+The nickname of the agent certificate that is used to sign the request.
+
+.TP
+.B -r <certificate_request_file>
+The filename of the certificate request.
+
+.TP
+.B -p <certificate_DB_passwd>
+The password to the NSS certificate database which contains the agent certificate, given in \fB-d <directory_of_NSS_security_database_containing_agent_cert>\fP.
+
+.SH EXAMPLES
+.PP
+Signed requests must be submitted to the CA to be processed.
+.PP
+\fBNote:\fP For this example to work automatically, the \fBCMCAuth\fP plug-in must be enabled on the CA server (which it is by default).
+.TP
+(1) Create a PKCS #10 certificate request using a tool like \fBcertutil\fP:
+.IP
+.nf
+# cd ~/.mozilla/firefox/<browser profile>
+
+# certutil -d . -L
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+Google Internet Authority G2                                 ,,
+COMODO RSA Domain Validation Secure Server CA                ,,
+pki.example.com                                              ,,
+DigiCert SHA2 Secure Server CA                               ,,
+DigiCert SHA2 Extended Validation Server CA                  ,,
+COMODO RSA Extended Validation Secure Server CA 2            ,,
+Symantec Class 3 Secure Server CA - G4                       ,,
+Go Daddy Secure Certificate Authority - G2                   ,,
+Oracle SSL CA - G2                                           ,,
+GeoTrust EV SSL CA - G4                                      ,,
+Symantec Class 3 Secure Server SHA256 SSL CA                 ,,
+GeoTrust SSL CA - G3                                         ,,
+PKI Administrator for example.com                            u,u,u
+DigiCert SHA2 High Assurance Server CA                       ,,
+COMODO RSA Organization Validation Secure Server CA          ,,
+CA Signing Certificate - example.com Security Domain         CT,C,C
+
+# certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a
+
+A random seed must be generated that will be used in the
+creation of your key.  One of the easiest ways to create a
+random seed is to use the timing of keystrokes on a keyboard.
+
+To begin, type keys on the keyboard until this progress meter
+is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
+
+
+Continue typing until the progress meter is full:
+
+|************************************************************|
+
+Finished.  Press enter to continue:
+
+
+Generating key.  This may take a few moments...
+
+
+Certificate request generated by Netscape certutil
+Phone: (not specified)
+
+Common Name: CMCEnroll Test Certificate
+Email: (not specified)
+Organization: (not specified)
+State: (not specified)
+Country: (not specified)
+
+-----BEGIN CERTIFICATE REQUEST-----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==
+-----END CERTIFICATE REQUEST-----
+.if
+
+.TP
+(2) Copy the PKCS #10 ASCII output to a text file.
+.IP
+.nf
+# vi cert.req
+-----BEGIN CERTIFICATE REQUEST-----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==
+-----END CERTIFICATE REQUEST-----
+.if
+
+.TP
+(3) Run the \fBCMCEnroll\fP command to sign the certificate request. If the input file is "\fB~/.mozilla/firefox/<profile>/cert.req\fP", the agent's certificate is stored in the "\fB~/.mozilla/firefox\<profile>fP" directory, the certificate common name for this CA is "\fBPKI Administrator for example.com\fP", and the password for the certificate database is "\fBSecret123\fP", the command is as follows:
+.IP
+.nf
+# CMCEnroll -d "~/.mozilla/firefox/<profile>/" -n "PKI Administrator for example.com" -r "~/.mozilla/firefox/<profile>/cert.req" -p "Secret123"
+cert/key prefix =
+path = ~/.mozilla/firefox/<profile>/
+-----BEGIN CERTIFICATE REQUEST-----
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-----END CERTIFICATE REQUEST-----
+.if
+The output of this command is stored in a file with the same filename as the request with a \fB.out\fP appended to the filename (e. g. - cert.req.out):
+.IP
+.nf
+# cat cert.req.out
+-----BEGIN CERTIFICATE REQUEST-----
+MIIMhwYJKoZIhvcNAQcCoIIMeDCCDHQCAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
+BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB5Da2UvQ1V6VEZF
+Rzgwa1Ryb1dsNjVuTUZhMEU9DQowIQIBAwYIKwYBBQUHBwUxEgIQU05oqk+q+FdR
+go/eIzsjGTCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5y
+b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA
++Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5
+tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1
+A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiu
+qv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUy
+UkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
+Q9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2
+fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9w
+Xz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ
++FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SB
+Sa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9D
+RJd1FJoocw0eGhw31I5rJDAAMACggge1MIIDzDCCArSgAwIBAgIBATANBgkqhkiG
+9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
+RG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcy
+MTIzNDAyNVoXDTM2MDcyMTIzNDAyNVowTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
+aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmWoikqOPpH
+0JLW3SZ1SPojvndjdILqDuGuRmqtcLuzZtmNuY7ZVwrXt61G1SCCBoEiy/OcUCKM
+GVpw0M15Dn3sjJmd9F2R5lrGT2eMWWfVTr15RyEwK9Pn0mxTDN+0eZ4WDY9U4Zg4
+2qZYIhkfGSTR5jhA4rs3uNOFm0ElLqDumGw3EXjJOy+RURvNbY4Pjlz89+Q2o6M0
+/XMmMYzxVtXusKu1bvTKIiWoWCXR5ge78GoT/8reer+zxuSXiKSeVV2myvCQhmMH
+AD2rik/7hazuY2ztC8h9HF09PMSeK2ev6PlzSV/PEqj9u5bgOcbqeiQkzR6IOcSi
+JCn9o7B+AUMCAwEAAaOBtDCBsTAfBgNVHSMEGDAWgBS7NphdZcuI4IcjN29b96+L
+iuu6tTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU
+uzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzAB
+hjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Ev
+b2NzcDANBgkqhkiG9w0BAQsFAAOCAQEANUYLK65kV0na9zmtNGFje4akz4FBRAOh
+f/RYvtH4/0z38vW/E6fZkfb6CHrC4pNPfL6c0q/8H0mIrAft4kkQlTyJB9tdF5qY
+vCfUMmZ+zM664U/97nf7NSUu9PIFcNfh+/O9IoVUd7gEerRISJzbsmHAcCcfIiKX
+FsM+6HbEt+lH47flb/eSA2cUS84bC+XlZmKpse1R8PL/rKzngReZmMhNx73pYlEN
+0qOpJILEMC1FVUExp6XnnP/m1+gY3T2FrIcUU7Jm1mCnln3VcLxkRU2c9tGj4xYr
+H8teMoQHLZTiqe/54h+3/pUEDgSATAHnex/uG33TXNDbpeNeq720eDCCA+EwggLJ
+oAMCAQICAQYwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
+aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMzBaFw0xODA3MTEyMzQwMzBaMHQxKzApBgNV
+BAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xKTAnBgkqhkiG
+9w0BCQEWGmNhYWRtaW5AdXNlcnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kg
+QWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPQ
+fOUyTIkdDnPzBrFRBknHqjYMrRpUDBR+JlarT/Sr6PqNQPMcM7JvgBNmXG32H+5w
+QH/sfVjOmKEJOMsh71vKiTM0wb5rIo08B34i9E5Cf2Wzx2/ht4qfWvSmb5ZBxy22
+YpasKLdv7SwSDQr0U7h+Q/96Hgq85ONxWWN6XubgZxSfbs7QVcA0jVq+2inhT67B
+0u4DO6MTxFJNCfDcWiA/M6xzKbjEqDUEh46Rk19krGPYsbfW2BMuOi7pyfTDJVJ5
+CAUbo4bpR3eeo5KMbUvgF3WUxA1whOF2Oc6t0hdINW6Xeq3vpnwn3RyX2TRQ0zqi
+n3K3uPdahteQNcRb/Q8CAwEAAaOBozCBoDAfBgNVHSMEGDAWgBS7NphdZcuI4Icj
+N29b96+Liuu6tTBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0dHA6Ly9w
+a2ktZGVza3RvcC51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1Ud
+DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
+hvcNAQELBQADggEBAADJNrg4qAZ1LxSz2Nn1k1SEmbugxrh8o1jpBAaSvLlv+blL
++6wNq0D7c1GPzRO5TObyXgpbtHgofpKLSxw8cB3y8ugZMp7qJeCYxgzxQKEVMANW
+6eZgAxvEe1J5Vyk/ELNiCtQmY7Mi+BtwvCF0xkCwYtOGlgeLV5t6GjBdG+jpZSIb
+B0En0+t/JOwvqUAhzVStz/j9LgBza0P8ACd/s2Z/zjpot2JTXDofF0mbiGwMz4Em
+/dOT3QhUr3QqFY/Q6T7c/wW7KbUXpNjwvLAV86A9Oojq32Z3ppJPnnDoLxLWvn8f
+4rBdhhKrFhRZBYd91r3OExUIAEkFH9cmgPusjMsxggG6MIIBtgIBAzBTME4xKzAp
+BgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNV
+BAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqG
+SIb3DQEJAzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUeIRBuSA10uyZK8LB
+yc5Abz4f74AwDQYJKoZIhvcNAQEBBQAEggEAC1DFoKDcAzJUdIIucV61TqQtbBJT
+H8hhnln3+TwAO+u3X55o74xZMgawy/3Hkt3CjYxYmWIYY9MZILb2UeD0VZz63yzq
+F9tEZu2IhlvaOgP6NLcu8SxDImQ/GuvPIvGkGg0m/X3cwCHKymH7ZXAUfxQXgqbw
+CAMc+DH99xx0yotaAr5HE9tauNJejo4CDVYwUn/5syTcw3molt2Ely2FIFEyI3HD
+yPmP2OHw/xqlBhFvnoecbtpTq2DiWGPWJHSnzcdInuXudHHaIsribXK8HGw2MnCD
+8Sq7UsrvBe50v0YebYzQdXYrsnluNc+Cwm2PdDQDfPT39e7iwGSLGi4KrQ==
+-----END CERTIFICATE REQUEST-----
+.if
+
+.TP
+(4) Submit the signed certificate request through the CA end-entities page:
+.IP
+.nf
+(a) Open the end-entities page.
+
+(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
+
+(c) Paste the content of the output file into the first text area of this form.
+
+(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
+
+(e) Fill in the contact information, and submit the form.
+.if
+
+.TP
+(5) The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled:
+.IP
+.nf
+Congratulations, your request has been processed successfully
+
+Your request ID is \fB7\fP.
+
+\fBOutputs\fP
+
+* Certificate Pretty Print
+
+    Certificate:
+        Data:
+            Version:  v3
+            Serial Number: 0x7
+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
+            Validity:
+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
+            Subject: CN=CMCEnroll Test Certificate
+            Subject Public Key Info:
+                Algorithm: RSA - 1.2.840.113549.1.1.1
+                Public Key:
+                    Exponent: 65537
+                    Public Key Modulus: (2048 bits) :
+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
+            Extensions:
+                Identifier: Authority Key Identifier - 2.5.29.35
+                    Critical: no
+                    Key Identifier:
+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
+                        8A:EB:BA:B5
+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
+                    Critical: no
+                    Access Description:
+                        Method #0: ocsp
+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
+                Identifier: Key Usage: - 2.5.29.15
+                    Critical: yes
+                    Key Usage:
+                        Digital Signature
+                        Non Repudiation
+                        Key Encipherment
+                Identifier: Extended Key Usage: - 2.5.29.37
+                    Critical: no
+                    Extended Key Usage:
+                        1.3.6.1.5.5.7.3.2
+                        1.3.6.1.5.5.7.3.4
+        Signature:
+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+            Signature:
+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
+        FingerPrint
+            MD2:
+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
+            MD5:
+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
+            SHA-1:
+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
+                5C:A9:71:27
+            SHA-256:
+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
+            SHA-512:
+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
+
+* Certificate Base-64 Encoded
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+* Certificate Imports
+----------------------
+| Import Certificate |
+----------------------
+.if
+
+.TP
+(6) Use the agent page to search for the new certificate:
+.IP
+.nf
+Certificate   0x07
+
+Certificate contents
+
+    Certificate:
+        Data:
+            Version:  v3
+            Serial Number: 0x7
+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
+            Validity:
+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
+            Subject: CN=CMCEnroll Test Certificate
+            Subject Public Key Info:
+                Algorithm: RSA - 1.2.840.113549.1.1.1
+                Public Key:
+                    Exponent: 65537
+                    Public Key Modulus: (2048 bits) :
+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
+            Extensions:
+                Identifier: Authority Key Identifier - 2.5.29.35
+                    Critical: no
+                    Key Identifier:
+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
+                        8A:EB:BA:B5
+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
+                    Critical: no
+                    Access Description:
+                        Method #0: ocsp
+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
+                Identifier: Key Usage: - 2.5.29.15
+                    Critical: yes
+                    Key Usage:
+                        Digital Signature
+                        Non Repudiation
+                        Key Encipherment
+                Identifier: Extended Key Usage: - 2.5.29.37
+                    Critical: no
+                    Extended Key Usage:
+                        1.3.6.1.5.5.7.3.2
+                        1.3.6.1.5.5.7.3.4
+        Signature:
+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+            Signature:
+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
+        FingerPrint
+            MD2:
+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
+            MD5:
+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
+            SHA-1:
+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
+                5C:A9:71:27
+            SHA-256:
+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
+            SHA-512:
+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
+
+Certificate request info
+
+Request ID: 7
+
+Installing this certificate in a server
+
+The following format can be used to install this certificate into a server.
+
+Base 64 encoded certificate
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+Base 64 encoded certificate with CA certificate chain in pkcs7 format
+
+-----BEGIN PKCS7-----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+-----END PKCS7-----
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR CMCRequest(1), CMCResponse(1), CMCRevoke(1), pki(1)
-- 
1.8.3.1


From eeaf6c2ec45415b2e32c46a0949539bef5e770a7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 17 Aug 2016 16:44:48 +0200
Subject: [PATCH 09/10] Allowing optional CA signing CSR.

The CA signing CSR is already stored in the request record, which will
be imported as part of the migration process, so it is not necessary to
export and reimport the CSR file again for migration.

To allow optional CSR, the pki-server subsystem-cert-validate
CLI has been modified to no longer check the CSR in CS.cfg. The
ConfigurationUtils.loadCertRequest() has been modified to ignore
the missing CSR in CS.cfg.

https://fedorahosted.org/pki/ticket/2440
(cherry picked from commit bde2cd1d3e65850c82a6ea7a6cebcae46a4408f2)
(cherry picked from commit f422b219ec989bc7a5be9569643d4cb598b2887c)
---
 .../netscape/cms/servlet/csadmin/ConfigurationUtils.java    | 13 ++++++++++---
 base/server/python/pki/server/cli/subsystem.py              |  4 ----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 3bd6d87..34500d0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2947,10 +2947,17 @@ public class ConfigurationUtils {
         cert.setDN(subjectDN);
 
         String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem");
-        String certreq = config.getString(subsystem + "." + tag + ".certreq");
-        String formattedCertreq = CryptoUtil.reqFormat(certreq);
 
-        cert.setRequest(formattedCertreq);
+        try {
+            String certreq = config.getString(subsystem + "." + tag + ".certreq");
+            String formattedCertreq = CryptoUtil.reqFormat(certreq);
+
+            cert.setRequest(formattedCertreq);
+
+        } catch (EPropertyNotFound e) {
+            // The CSR is optional for existing CA case.
+            CMS.debug("ConfigurationUtils.loadCertRequest: " + tag + " cert has no CSR");
+        }
     }
 
     public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception {
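Review bot: The new `} catch (EPropertyNotFound e) {` makes the CSR optional for every cert tag and subsystem that reaches this code, while the comment and the commit message only justify it for the existing-CA case; a missing CSR for any other tag now passes with nothing but a debug line. If the broader behaviour is intended, say so in the comment, e.g. `// The CSR is optional (needed for the existing CA case); any tag without a <subsystem>.<tag>.certreq entry is loaded without a request.`; otherwise narrow the catch to the CA signing tag or log at a level an operator will see. loadCertRequest's signature and the start of its body are outside the hunk.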
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 4651d74..c173ea2 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -917,10 +917,6 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
 
         print('  Cert ID: %s' % cert['id'])
 
-        if not cert['request']:
-            print('  Status: ERROR: missing certificate request')
-            return False
-
         if not cert['data']:
             print('  Status: ERROR: missing certificate data')
             return False
-- 
1.8.3.1


From 5117e59121048db4c172caf322d803e26c3644fb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 20 Aug 2016 10:47:15 +0200
Subject: [PATCH 10/10] Updated pki-server subsystem-cert-update CLI.

The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.

The NSSDatabase constructor has been modified to normalize the
name of the internal NSS token to None. If the token name is None,
certutil is executed without the -h option.

The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.

https://fedorahosted.org/pki/ticket/2440
(cherry picked from commit eb28cf05cfad246383dbda054c8cd477bc7acc73)
(cherry picked from commit e0db19f831159689e9fd63b988799ee16b618dc6)
---
 base/common/python/pki/nssdb.py                | 11 ++++--
 base/server/python/pki/server/cli/subsystem.py | 49 +++++++++++++++-----------
 2 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index ed45654..736efca 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -105,7 +105,11 @@ class NSSDatabase(object):
             directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
 
         self.directory = directory
-        self.token = token
+
+        if token == 'internal' or token == 'Internal Key Storage Token':
+            self.token = None
+        else:
+            self.token = token
 
         self.tmpdir = tempfile.mkdtemp()
 
@@ -425,12 +429,15 @@ class NSSDatabase(object):
             '-d', self.directory
         ]
 
+        fullname = nickname
+
         if self.token:
             cmd.extend(['-h', self.token])
+            fullname = self.token + ':' + fullname
 
         cmd.extend([
             '-f', self.password_file,
-            '-n', nickname,
+            '-n', fullname,
             output_format_option
         ])
 
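Review bot: The new `fullname = self.token + ':' + fullname` prefixes the token unconditionally, so a nickname that already carries a `token:` prefix (if any caller stores nicknames that way — not visible from here) would be sent to certutil doubled. If that can happen, guard it with `if self.token and not nickname.startswith(self.token + ':'):` before building `fullname`, or document on `get_cert` that `nickname` must be the bare name. The enclosing `get_cert` starts and ends outside the hunk.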
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index c173ea2..42da26e 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -21,10 +21,8 @@
 
 from __future__ import absolute_import
 from __future__ import print_function
-import base64
 import getopt
 import getpass
-import nss.nss as nss
 import os
 import string
 import subprocess
@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
             sys.exit(1)
         subsystem_cert = subsystem.get_subsystem_cert(cert_id)
 
-        # get cert data from NSS database
-        nss.nss_init(instance.nssdb_dir)
-        nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
-        data = base64.b64encode(nss_cert.der_data)
-        del nss_cert
-        nss.nss_shutdown()
+        if self.verbose:
+            print('Retrieving certificate %s from %s' %
+                  (subsystem_cert['nickname'], subsystem_cert['token']))
+
+        token = subsystem_cert['token']
+        nssdb = instance.open_nssdb(token)
+        data = nssdb.get_cert(
+            nickname=subsystem_cert['nickname'],
+            output_format='base64')
         subsystem_cert['data'] = data
 
         # format cert data for LDAP database
         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
         data = string.join(lines, '\r\n') + '\r\n'
 
-        # get cert request from local CA
+        if self.verbose:
+            print('Retrieving certificate request from CA database')
+
         # TODO: add support for remote CA
         ca = instance.get_subsystem('ca')
         if not ca:
             print('ERROR: No CA subsystem in instance %s.' % instance_name)
             sys.exit(1)
+
         results = ca.find_cert_requests(cert=data)
-        cert_request = results[-1]
-        request = cert_request['request']
-
-        # format cert request for CS.cfg
-        lines = request.splitlines()
-        if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
-            lines = lines[1:]
-        if lines[-1] == '-----END CERTIFICATE REQUEST-----':
-            lines = lines[:-1]
-        request = string.join(lines, '')
-        subsystem_cert['request'] = request
+
+        if results:
+            cert_request = results[-1]
+            request = cert_request['request']
+
+            # format cert request for CS.cfg
+            lines = request.splitlines()
+            if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+                lines = lines[1:]
+            if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+                lines = lines[:-1]
+            request = string.join(lines, '')
+            subsystem_cert['request'] = request
+
+        else:
+            print('WARNING: Certificate request not found')
 
         # store cert data and request in CS.cfg
         subsystem.update_subsystem_cert(subsystem_cert)
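Review bot: The header/footer stripping moved under `if results:` still indexes `lines[0]` and `lines[-1]` unguarded, so an empty `request` value in the CA record raises IndexError instead of reaching the new warning path; guard both tests, `if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':` and `if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':`. In the warning branch `subsystem_cert['request']` is presumably left at whatever `get_subsystem_cert` returned, so a stale request may be written back by `update_subsystem_cert` on the last line — worth a comment there if that is intended. The enclosing method starts before the hunk and appears to continue past it.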
-- 
1.8.3.1