9.3. CMC Authentication Plug-ins
CMC enrollment allows an enrollment client to use a CMC Authentication plug-in for authentication, by which the certificate request is either pre-signed with an agent certificate or a user certificate, depending on the plug-in. The Certificate Manager automatically issues certificates when a CMC request signed with a valid certificate is received.
The CMC authentication plug-ins also provide CMC revocation for the client. CMC revocation allows the client to have the certificate request either signed by the agent certificate, or a verifiable user that owns the certificate, and then send such a request to the Certificate Manager. The Certificate Manager automatically revokes certificates when a CMC revocation request signed with a valid certificate is received.
Certificate System provides the following CMC authentication plug-ins:
CMCAuth
- Use this plug-in when a CA agent signs CMC requests.To use the
CMCAuth
plug-in, set the following in the enrollment profile:auth.instance_id=CMCAuth
By default, the following enrollment profiles use theCMCAuth
plug-in:- For system certificates:
caCMCauditSigningCert
caCMCcaCert
caCMCECserverCert
caCMCECsubsystemCert
caCMCECUserCert
caCMCkraStorageCert
caCMCkraTransportCert
caCMCocspCert
caCMCserverCert
caCMCsubsystemCert
- For user certificates:
caCMCUserCert
caECFullCMCUserCert
caFullCMCUserCert
CMCUserSignedAuth
- Use this plug-in when users submit signed or SharedSecret-based CMC requests.To use the
CMCUserSignedAuth
plug-in, set the following in the enrollment profile:auth.instance_id=CMCUserSignedAuth
A user-signed CMC request must be signed by the user's certificate which contains the samesubjectDN
attribute as the requested certificate. You can only use a user-signed CMC request if the user already obtained a signing certificate which can be used to prove the user's identity for other certificates.A SharedSecret-based CMC request means that the request was signed by the private key of the request itself. In this case, the CMC request must use the Shared Secret mechanism for authentication. A SharedSecret-based CMC request is typically used to obtain the user's first signing certificate, which is later used to obtain other certificates. For further details, see Section 9.4, “CMC SharedSecret Authentication”.By default, the following enrollment profiles use theCMCUserSignedAuth
plug-in:caFullCMCUserSignedCert
caECFullCMCUserSignedCert
caFullCMCSharedTokenCert
caECFullCMCSharedTokenCert