Chapter 12. CMCRequest (Creating CMC Requests)

The CMC Request utility, CMCRequest, builds a full CMC request, signed with an agent certificate, from one or more PKCS #10 or CRMF certificate requests. The same utility builds CMC revocation requests.

12.1. Syntax

The CMCRequest command takes a single argument, the path to a configuration file (.cfg). The .cfg file names the input request(s), the file to write the generated CMC request to, and the agent credentials used to sign it:
CMCRequest /path/to/file.cfg
For a revocation request, set revRequest.enable to true and fill in the related revRequest.* parameters described below.
The .cfg file contains the following parameters:
Parameters Description
numRequests
The total number of PKCS #10 or CRMF requests listed in input. The value can be 0 when the CMC request carries no certificate request, such as a revocation-only request.
For example, numRequests=1.
input
The full path and filename of the PKCS #10 or CRMF request, which must be in base-64 encoded format. Multiple filenames are separated by white space. This parameter is required if the value of numRequests is greater than 0.
For example, input=crmf1.
output
Required. The full path and filename for the generated binary CMC request.
For example, output=cmc.
nickname
Required. The nickname of the agent certificate used to sign the full CMC request.
For example, nickname=CS Agent-102504a's 102504a ID.
dbdir
Required. The full path to the directory containing the NSS databases (cert8.db, key3.db, and secmod.db) that hold the agent certificate and its private key. This is usually the agent's personal directory, such as the browser certificate database in the home directory.
For example, dbdir=~jsmith/.mozilla/firefox.
password
Required. The password for the NSS token (the cert8.db and key3.db databases) that stores the agent certificate and its private key. The password is stored in the .cfg file in clear text, so restrict the file's permissions to the agent who runs CMCRequest.
For example, password=secret.
format
The request format, either pkcs10 or crmf.
For example, format=crmf.
The following .cfg file parameters set CMC controls:
Parameters Description
confirmCertAcceptance.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, confirmCertAcceptance.enable=false.
confirmCertAcceptance.serial
The serial number for the confirmCertAcceptance control.
For example, confirmCertAcceptance.serial=3.
confirmCertAcceptance.issuer
The issuer name for the confirmCertAcceptance control.
For example, confirmCertAcceptance.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
getCert.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, getCert.enable=false.
getCert.serial
The serial number for the getCert control.
For example, getCert.serial=300.
getCert.issuer
The issuer name for the getCert control.
For example, getCert.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
dataReturn.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, dataReturn.enable=false.
dataReturn.data
The data contained in the dataReturn control.
For example, dataReturn.data=test.
transactionMgt.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, transactionMgt.enable=true.
transactionMgt.id
The transaction identifier for the transactionMgt control, used to correlate the response with this request. VeriSign recommends that the transaction ID be an MD5 hash of the public key.
senderNonce.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, senderNonce.enable=false.
senderNonce.id
The ID for the senderNonce control.
For example, senderNonce.id=testing.
revRequest.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, revRequest.enable=true.
revRequest.nickname
The nickname for the certificate being revoked.
For example, revRequest.nickname=newuser's 102504a ID.
revRequest.issuer
The issuer name for the certificate being revoked.
For example, revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
revRequest.serial
The serial number for the certificate being revoked.
For example, revRequest.serial=75.
revRequest.reason
The reason for revoking this certificate. The allowed values are unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, and removeFromCRL.
For example, revRequest.reason=unspecified.
revRequest.sharedSecret
The shared secret for the revocation request.
For example, revRequest.sharedSecret=testing.
revRequest.comment
A text comment for the revocation request.
For example, revRequest.comment=readable comment.
revRequest.invalidityDatePresent
If set to true, the current time is the invalidity date for the revoked certificate. If set to false, no invalidity date is present.
For example, revRequest.invalidityDatePresent=false.
identityProof.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, identityProof.enable=false.
identityProof.sharedSecret
The shared secret for identityProof control.
For example, identityProof.sharedSecret=testing.
popLinkWitness.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, popLinkWitness.enable=false.
LraPopWitness.enable
If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example, LraPopWitness.enable=false.
LraPopWitness.bodyPartIDs
The space-delimited list of body part IDs for the LraPopWitness control.
For example, LraPopWitness.bodyPartIDs=1.
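The two tables above describe the .cfg file piecemeal; the following script, an added example and not part of Red Hat Certificate System or the CMCRequest tool, puts the rules together. It renders a key=value .cfg for an enrollment request and for a revocation-only request, checks the consistency rules stated above (required keys, input present when numRequests is greater than 0, format either pkcs10 or crmf, the allowed revRequest.reason values, the revRequest.* fields a revocation needs), and writes the file with mode 0600 because the NSS token password sits in it in clear text. The '#' comment syntax in parse_cfg, the expanded /home/jsmith path, and the file names are assumptions for the example; the parameter names and values come from the tables.

```python
"""Build and sanity-check CMCRequest .cfg files (added example, not RHCS code)."""
import os
import tempfile

# Keys the tables mark as "Required" regardless of request type.
REQUIRED_KEYS = ("output", "nickname", "dbdir", "password")
# Allowed revRequest.reason values, as listed in the controls table.
REVOCATION_REASONS = {
    "unspecified", "keyCompromise", "caCompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
}
REVOCATION_KEYS = ("revRequest.serial", "revRequest.issuer", "revRequest.reason")


def parse_cfg(text):
    """Parse key=value lines into a dict; blank and '#' lines are skipped (assumed syntax)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def validate_cfg(cfg):
    """Return a list of problems; an empty list means the file is internally consistent."""
    problems = [f"{key} is required" for key in REQUIRED_KEYS if not cfg.get(key)]
    try:
        n = int(cfg.get("numRequests", "0"))
    except ValueError:
        problems.append("numRequests must be an integer")
        n = 0
    inputs = cfg.get("input", "").split()  # multiple files are white-space separated
    if n > 0:
        if not inputs:
            problems.append("input is required when numRequests > 0")
        elif len(inputs) != n:
            problems.append(f"numRequests={n} but {len(inputs)} input file(s) listed")
        if cfg.get("format") not in ("pkcs10", "crmf"):
            problems.append("format must be pkcs10 or crmf")
    if cfg.get("revRequest.enable") == "true":
        problems += [f"{k} is required for a revocation request" for k in REVOCATION_KEYS if not cfg.get(k)]
        reason = cfg.get("revRequest.reason")
        if reason and reason not in REVOCATION_REASONS:
            problems.append(f"revRequest.reason {reason!r} is not an allowed value")
    return problems


def render_cfg(params):
    """Serialize a dict as the key=value lines CMCRequest reads."""
    return "".join(f"{k}={v}\n" for k, v in params.items())


def write_cfg(params, filename):
    """Validate, then write the .cfg into the temp dir with mode 0600 (clear-text password)."""
    problems = validate_cfg(params)
    if problems:
        raise ValueError("; ".join(problems))
    path = os.path.join(tempfile.gettempdir(), filename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_cfg(params))
    os.chmod(path, 0o600)  # O_CREAT's mode is ignored if the file already existed
    return path


def file_mode(path):
    """Permission bits of a file, for checking the 0600 guarantee."""
    return os.stat(path).st_mode & 0o777


# Constructed enrollment configuration: one CRMF request, signed by the agent.
ENROLL = {
    "numRequests": "1", "input": "crmf1", "output": "cmc", "format": "crmf",
    "nickname": "CS Agent-102504a's 102504a ID",
    "dbdir": "/home/jsmith/.mozilla/firefox", "password": "secret",
    "transactionMgt.enable": "true", "senderNonce.enable": "true", "senderNonce.id": "testing",
}
# Constructed revocation-only configuration: no certificate request, so numRequests=0.
REVOKE = {
    "numRequests": "0", "output": "cmc-revoke",
    "nickname": "CS Agent-102504a's 102504a ID",
    "dbdir": "/home/jsmith/.mozilla/firefox", "password": "secret",
    "revRequest.enable": "true", "revRequest.serial": "75",
    "revRequest.issuer": "cn=Certificate Manager,ou=102504a,o=102504a,c=us",
    "revRequest.reason": "keyCompromise", "revRequest.invalidityDatePresent": "true",
}

if __name__ == "__main__":
    for name, params in (("enroll.cfg", ENROLL), ("revoke.cfg", REVOKE)):
        path = write_cfg(params, name)
        print(path, oct(file_mode(path)))
```

Run the script, then pass the written path to CMCRequest; a config that fails validate_cfg is rejected before anything touches the NSS database, and the 0600 mode is the minimum you want on any file that carries the token password.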