Language and Page Formatting Options
9.3. CMC Authentication Plug-ins
CMC enrollment allows an enrollment client to use a CMC Authentication plug-in for authentication, by which the certificate request is either pre-signed with an agent certificate or a user certificate, depending on the plug-in. The Certificate Manager automatically issues certificates when a CMC request signed with a valid certificate is received.
The CMC authentication plug-ins also provide CMC revocation for the client. CMC revocation allows the client to have the certificate request either signed by the agent certificate, or a verifiable user that owns the certificate, and then send such a request to the Certificate Manager. The Certificate Manager automatically revokes certificates when a CMC revocation request signed with a valid certificate is received.
Certificate System provides the following CMC authentication plug-ins:
- Use this plug-in when a CA agent signs CMC requests.To use the
CMCAuthplug-in, set the following in the enrollment profile:
auth.instance_id=CMCAuthBy default, the following enrollment profiles use the
- For system certificates:
- For user certificates:
- Use this plug-in when users submit signed or SharedSecret-based CMC requests.To use the
CMCUserSignedAuthplug-in, set the following in the enrollment profile:
auth.instance_id=CMCUserSignedAuthA user-signed CMC request must be signed by the user's certificate which contains the same
subjectDNattribute as the requested certificate. You can only use a user-signed CMC request if the user already obtained a signing certificate which can be used to prove the user's identity for other certificates.A SharedSecret-based CMC request means that the request was signed by the private key of the request itself. In this case, the CMC request must use the Shared Secret mechanism for authentication. A SharedSecret-based CMC request is typically used to obtain the user's first signing certificate, which is later used to obtain other certificates. For further details, see Section 9.4, “CMC SharedSecret Authentication”.By default, the following enrollment profiles use the