8.3. Using CMC Enrollment

CMC enrollment allows an enrollment client to use the CMCAuth plug-in for authentication, by which the certificate request is pre-signed with an agent certificate. The Certificate Manager automatically issues certificates when a valid request signed with the agent certificate is received.


CMC enrollments are enabled by default. It should not be necessary to enable the CMC enrollment authentication plug-ins or profiles unless the configuration has been changed.
The CMCAuth authentication plug-in also provides CMC revocation for the client. CMC revocation allows the client to have the certificate request signed by the agent certificate, and then send such a request to the Certificate Manager. The Certificate Manager automatically revokes certificates when a valid request signed with the agent certificate is received. CMC revocation can be created with the CMCRevoke command line tool. For more information about CMCRevoke, see Section 6.2, “Performing a CMC Revocation”.
A CMC request can be submitted through browser end-entities forms or using a tool such as HttpClient to post the request to the appropriate profile. The CMCRequest tool generates a signed certificate request which can then be submitted using the HttpClient tool or the browser end-entities forms to enroll and receive the certificate automatically and immediately.
The CMCRequest tool has a simple command syntax, with all the configuration given in the .cfg input file:
CMCRequest /path/to/file.cfg
A single CMC enrollment can also be created using the CMCEnroll tool, with the following syntax:
CMCEnroll -d /agent's/certificate/directory -h password -n cert_nickname -r certrequest.file -p certDB_passwd [-c "comment"]
These tools are described in more detail in the CMCEnroll(1) man page.


Surround values that include spaces in quotation marks.

8.3.1. Testing CMCEnroll

  1. Create a certificate request using the certutil tool.
  2. Copy the PKCS #10 ASCII output to a text file.
  3. Run the CMCEnroll utility.
    For example, if the input file called request34.txt, the agent certificate is stored in the browser databases, the certificate common name of the agent certificate is CertificateManagerAgentsCert, and the password for the certificate database is secret, the command is as follows:
    CMCEnroll -d ~jsmith/.mozilla/firefox/1234.jsmith -n "CertificateManagerAgentsCert" -r /export/requests/request34.txt -p secret
    The output of this command is stored in a file with the same filename with .out appended to the filename.
  4. Submit the signed certificate through the end-entities page.
    1. Open the end-entities page.
    2. Select the CMC enrollment form from the list of certificate profiles.
    3. Paste the content of the output file into the Certificate Request text area of this form.
    4. Remove -----BEGIN NEW CERTIFICATE REQUEST----- and ----END NEW CERTIFICATE REQUEST----- from the pasted content.
    5. Fill in the contact information, and submit the form.
  5. The certificate is immediately processed and returned.
  6. Use the agent page to search for the new certificate.