Blob Blame History Raw
From f10ba33f3d6f9cbd31831d0fb571e15b818e9990 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 26 Jun 2017 18:09:55 -0700
Subject: [PATCH] Ticket #2757 CMC enrollment profiles for system certificates

This patch supports CMC-based system certificate requests.

This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points

Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

(cherry picked from commit 65b1242cd139e6306fb3e039193a3a6b223ea9b1)
---
 base/ca/shared/conf/CS.cfg                         |  20 ++-
 .../shared/profiles/ca/caCMCauditSigningCert.cfg   |  80 +++++++++
 base/ca/shared/profiles/ca/caCMCcaCert.cfg         |  96 ++++++++++
 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg |  86 +++++++++
 .../shared/profiles/ca/caCMCkraTransportCert.cfg   |  86 +++++++++
 base/ca/shared/profiles/ca/caCMCocspCert.cfg       |  71 ++++++++
 base/ca/shared/profiles/ca/caCMCserverCert.cfg     |  90 ++++++++++
 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg  |  86 +++++++++
 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg   |   4 +-
 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   2 +-
 base/ca/shared/webapps/ca/WEB-INF/web.xml          | 196 +++++++++++++++++++++
 .../src/com/netscape/cmstools/CMCRequest.java      |   2 +-
 .../com/netscape/cms/authentication/CMCAuth.java   |  48 ++++-
 .../cms/authentication/CMCUserSignedAuth.java      |   2 +
 .../netscape/cms/profile/common/EnrollProfile.java |  12 ++
 .../servlet/profile/ProfileSubmitCMCServlet.java   |   2 +-
 16 files changed, 872 insertions(+), 11 deletions(-)
 create mode 100644 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCcaCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCocspCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCserverCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 5a244d7..8976575 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl
 profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
 profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg
+profile.caCMCUserCert.class_id=caEnrollImpl
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCauditSigningCert.class_id=caEnrollImpl
+profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg
+profile.caCMCcaCert.class_id=caEnrollImpl
+profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg
+profile.caCMCkraStorageCert.class_id=caEnrollImpl
+profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg
+profile.caCMCkraTransportCert.class_id=caEnrollImpl
+profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg
+profile.caCMCocspCert.class_id=caEnrollImpl
+profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg
+profile.caCMCserverCert.class_id=caEnrollImpl
+profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg
+profile.caCMCsubsystemCert.class_id=caEnrollImpl
+profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg
 profile.caCACert.class_id=caEnrollImpl
 profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
 profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg
-profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
 profile.caCrossSignedCACert.class_id=caEnrollImpl
 profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg
 profile.caDirBasedDualCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
new file mode 100644
index 0000000..ed5a1b2
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling audit signing certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Audit Signing Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
new file mode 100644
index 0000000..f6df36f
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling Certificate Authority certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Certificate Manager Signing Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=7305
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
+policyset.caCertSet.2.default.name=CA Certificate Validity Default
+policyset.caCertSet.2.default.params.range=7305
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
new file mode 100644
index 0000000..259430b
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling KRA storage certificates using CMC
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=KRA storage Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=drmStorageCertSet
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+policyset.drmStorageCertSet.1.constraint.params.accept=true
+policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.drmStorageCertSet.1.default.name=Subject Name Default
+policyset.drmStorageCertSet.1.default.params.name=
+policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.drmStorageCertSet.2.constraint.name=Validity Constraint
+policyset.drmStorageCertSet.2.constraint.params.range=720
+policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false
+policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false
+policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl
+policyset.drmStorageCertSet.2.default.name=Validity Default
+policyset.drmStorageCertSet.2.default.params.range=720
+policyset.drmStorageCertSet.2.default.params.startTime=0
+policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.drmStorageCertSet.3.constraint.name=Key Constraint
+policyset.drmStorageCertSet.3.constraint.params.keyType=RSA
+policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.drmStorageCertSet.3.default.name=Key Default
+policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.4.constraint.name=No Constraint
+policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default
+policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.5.constraint.name=No Constraint
+policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.drmStorageCertSet.5.default.name=AIA Extension Default
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false
+policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.drmStorageCertSet.6.default.name=Key Usage Default
+policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.7.constraint.name=No Constraint
+policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.drmStorageCertSet.9.constraint.name=No Constraint
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.drmStorageCertSet.9.default.name=Signing Alg
+policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
new file mode 100644
index 0000000..ec54f9c
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Key Archival Authority Transport Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=RSA
+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
new file mode 100644
index 0000000..8afbd46
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
@@ -0,0 +1,71 @@
+desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=OCSP Responder Signing Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
new file mode 100644
index 0000000..8215d65
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
@@ -0,0 +1,90 @@
+desc=This certificate profile is for enrolling server certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Server Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.9.default.name=copy CN to SAN Default
diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
new file mode 100644
index 0000000..f473f98
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling subsystem certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Subsystem Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
index 29baeed..90cb424 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -1,7 +1,7 @@
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication.
 enable=true
 enableBy=admin
-name=Signed CMC-Authenticated User Certificate Enrollment
+name=Agent-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCAuth
 input.list=i1,i2
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 63a4bca..7bfad9c 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -1,4 +1,4 @@
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication.
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
 enable=true
 enableBy=admin
 name=User-Signed CMC-Authenticated User Certificate Enrollment
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index a550142..2666049 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -1553,6 +1553,167 @@
    </servlet>
 
    <servlet>
+      <servlet-name>  caProfileSubmitCMCFullCACert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCcaCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullServerCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCserverCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullOCSPCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCocspCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullSubsystemCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCsubsystemCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullAuditSigningCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCauditSigningCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullKRATransportCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCkraTransportCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
+      <servlet-name>  caProfileSubmitCMCFullKRAstorageCert  </servlet-name>
+      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
+             <init-param><param-name>  GetClientCert  </param-name>
+                         <param-value> false       </param-value> </init-param>
+             <init-param><param-name>  cert_request_type  </param-name>
+                         <param-value> cmc         </param-value> </init-param>
+             <init-param><param-name>  profileId   </param-name>
+                         <param-value> caCMCkraStorageCert </param-value> </init-param>
+             <init-param><param-name>  AuthzMgr    </param-name>
+                         <param-value> BasicAclAuthz </param-value> </init-param>
+             <init-param><param-name>  authorityId  </param-name>
+                         <param-value> ca          </param-value> </init-param>
+             <init-param><param-name>  ID          </param-name>
+                         <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+             <init-param><param-name>  templatePath  </param-name>
+                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+             <init-param><param-name>  resourceID  </param-name>
+                         <param-value> certServer.ee.profile </param-value> </init-param>
+             <init-param><param-name>  interface   </param-name>
+                         <param-value> ee          </param-value> </init-param>
+   </servlet>
+
+   <servlet>
       <servlet-name>  caProfileSubmitUserSignedCMCFull  </servlet-name>
       <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
              <init-param><param-name>  GetClientCert  </param-name>
@@ -2303,6 +2464,41 @@
    </servlet-mapping>
 
    <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullCACert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullCACert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullServerCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullServerCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullOCSPCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullOCSPCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullSubsystemCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullSubsystemCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullAuditSigningCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullAuditSigningCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullKRATransportCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullKRAtransportCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
+      <servlet-name>  caProfileSubmitCMCFullKRAstorageCert  </servlet-name>
+      <url-pattern>   /ee/ca/profileSubmitCMCFullKRAstorageCert  </url-pattern>
+   </servlet-mapping>
+
+   <servlet-mapping>  
       <servlet-name>  caProfileSubmitUserSignedCMCFull  </servlet-name>
       <url-pattern>   /ee/ca/profileSubmitUserSignedCMCFull  </url-pattern>
    </servlet-mapping>
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index fd59aa1..9fcb8db 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -2393,7 +2393,7 @@ public class CMCRequest {
                 System.out.println("");
                 System.out.println("");
                 System.out.println("The CMC enrollment request in binary format is stored in " +
-                        ofilename + ".");
+                        ofilename);
             } catch (IOException e) {
                 System.out.println("CMCRequest:  unable to open file " + ofilename +
                         " for writing:\n" + e);
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 9441167..459c7c6 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.X509Certificate;
 import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.util.Enumeration;
@@ -246,6 +247,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         String auditCertSubject = ILogger.UNIDENTIFIED;
         String auditSignerInfo = ILogger.UNIDENTIFIED;
 
+        SessionContext auditContext = SessionContext.getExistingContext();
+        X509Certificate clientCert =
+               (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+
         // ensure that any low-level exceptions are reported
         // to the signed audit log and stored as failures
         try {
@@ -361,7 +366,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                 String userid = "defUser";
                 String uid = "defUser";
                 if (checkSignerInfo) {
-                    IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
+                    IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
                     if (agentToken == null) {
                         CMS.debug(method + "agentToken null");
                         throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
@@ -812,8 +817,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                 level, "CMC Authentication: " + msg);
     }
 
-    protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
-
+    protected IAuthToken verifySignerInfo(
+            SessionContext auditContext,
+            AuthToken authToken,
+            SignedData cmcFullReq) throws EBaseException {
+        String method = "CMCAuth: verifySignerInfo: ";
+        String msg = "";
         EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
         OBJECT_IDENTIFIER id = ci.getContentType();
         OCTET_STRING content = ci.getContent();
@@ -822,6 +831,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         CryptoToken signToken = null;
         CryptoToken savedToken = null;
         CryptoManager cm = null;
+
+        if (auditContext == null) {
+            CMS.debug(method + " auditConext can't be null");
+            return null;
+        }
         try {
             cm = CryptoManager.getInstance();
             ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
@@ -909,6 +923,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                             si.verify(digest, id);
                         } else {
                             CMS.debug("CMCAuth: found signing cert... verifying");
+
+                            X509Certificate clientCert =
+                                    (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+                            if (clientCert == null) {
+                            //    createAuditSubjectFromCert(auditContext, x509Certs[0]);
+                                msg = "missing SSL client authentication certificate;";
+                                CMS.debug(method + msg);
+                                s.close();
+                                throw new EMissingCredential(
+                                        CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
+                            }
+                            netscape.security.x509.X500Name clientPrincipal =
+                                    (X500Name) clientCert.getSubjectDN();
+
+                            netscape.security.x509.X500Name cmcPrincipal =
+                                    (X500Name) x509Certs[0].getSubjectDN();
+
+                            // check ssl client cert against cmc signer
+                            if (!clientPrincipal.equals(cmcPrincipal)) {
+                                msg = "SSL client authentication certificate and CMC signer do not match";
+                                CMS.debug(method + msg);
+                                s.close();
+                                throw new EInvalidCredentials(
+                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                            } else {
+                                CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+                            }
+
                             PublicKey signKey = cert.getPublicKey();
                             PrivateKey.Type keyType = null;
                             String alg = signKey.getAlgorithm();
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 6c3ee8f..e11a344 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
                                 s.close();
                                 throw new EInvalidCredentials(
                                         CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                            } else {
+                                CMS.debug(method + "ssl client cert principal and cmc signer principal match");
                             }
 
                             PublicKey signKey = cert.getPublicKey();
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 8f3e986..1356035 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile
             if (signingUserSerial != null) {
                 donePOI = true;
             }
+
             // catch for invalid request
             cmc_msgs = parseCMC(locale, cert_request, donePOI);
             if (cmc_msgs == null) {
@@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile
             byte randomSeed[] = null;
             UTF8String ident_s = null;
             SessionContext context = SessionContext.getContext();
+            String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID);
+            if (authManagerId == null) {
+                CMS.debug(method + "authManagerId null.????");
+                //unlikely, but...
+                authManagerId = "none";
+            } else {
+                CMS.debug(method + "authManagerId =" + authManagerId);
+            }
+            if(authManagerId.equals("CMCAuth")) {
+                donePOI = true;
+            }
 
             boolean id_cmc_revokeRequest = false;
             if (!context.containsKey("numOfControls")) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index d087162..f7a6470 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -496,7 +496,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
         ///////////////////////////////////////////////
         String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
         if (tmpCertSerialS != null) {
-            // unlikely to happenm, but do this just in case
+            // unlikely to happen, but do this just in case
             CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
             CMS.debug("ProfileSubmitCMCServlet: null it out");
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
-- 
1.8.3.1