Chapter 12. CMCRequest (Creating CMC Requests)
The CMC Request utility,
CMCRequest, creates a CMC request from one or more PKCS #10 or CRMF requests. The utility can also be used to revoke certificates.
12.1. Syntax
The
CMCRequest command uses a configuration file (.cfg) as a parameter. The .cfg file must include the path to the file of the formatted CMC request:
CMCRequest /path/to/file.cfg
For revocation requests, the
revRequest.enable parameter must be set to true, and related parameters must contain the appropriate information.
The
.cfg file contains the following parameters:
| Parameters | Description |
|---|---|
numRequests |
The total number of PKCS #10 or CRMF requests. In some cases, the value of this parameter can be 0.
For example,
numRequests=1.
|
input |
The full path and filename of the PKCS #10 or CRMF request, which must be in base-64 encoded format. Multiple filenames are separated by white space. This parameter is a required if the value for
numRequests is greater than 0.
For example,
input=crmf1.
|
output |
Required. The full path and filename for the generated binary CMC request.
For example,
output=cmc.
|
nickname |
Required. The nickname of the agent certificate used to sign the full CMC request.
For example,
nickname=CS Agent-102504a's 102504a ID.
|
dbdir |
Required. The full path to the directory where the
cert8.db, key3.db, and secmod.db databases are located. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
For example,
~jsmith/.mozilla/firefox.
|
password |
Required. The token password for
cert8.db, which stores the agent certificate.
For example,
password=secret.
|
format |
The request format, either
pkcs10 or crmf.
For example,
format=crmf.
|
The following
.cfg file parameters set CMC controls:
| Parameters | Description |
|---|---|
confirmCertAcceptance.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
confirmCertAcceptance.enable=false.
|
confirmCertAcceptance.serial |
The serial number for the
confirmCertAcceptance control.
For example,
confirmCertAcceptance.serial=3.
|
confirmCertAcceptance.issuer |
The issuer name for the
confirmCertAcceptance control.
For example,
confirmCertAcceptance.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
|
getCert.enable |
If set to
true, then the request contains this attribute. If this parameter is not set, the value is assumed to be false.
For example,
getCert.enable=false.
|
getCert.serial |
The serial number for the
getCert control.
For example,
getCert.serial=300.
|
getCert.issuer |
The issuer name for the
getCert control.
For example,
getCert.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
|
dataReturn.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
dataReturn.enable=false.
|
dataReturn.data |
The data contained in the
dataReturn control.
For example,
dataReturn.data=test.
|
transactionMgt.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
transactionMgt.enable=true.
|
transactionMgt.id |
The transaction identifier for
transactionMgt control. VeriSign recommends that the transaction ID should be an MD5 hash of the public key.
|
senderNonce.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
senderNonce.enable=false.
|
senderNonce.id |
The ID for the
senderNonce control.
For example,
senderNonce.id=testing.
|
revRequest.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
revRequest.enable=true.
|
revRequest.nickname |
The nickname for the certificate being revoked.
For example,
revRequest.nickname=newuser's 102504a ID.
|
revRequest.issuer |
The issuer name for the certificate being revoked.
For example,
revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
|
revRequest.serial |
The serial number for the certificate being revoked.
For example,
revRequest.serial=75.
|
revRequest.reason |
The reason for revoking this certificate. The allowed values are
unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, and removeFromCRL.
For example,
revRequest.reason=unspecified.
|
revRequest.sharedSecret |
The shared secret for the revocation request.
For example,
revRequest.sharedSecret=testing.
|
revRequest.comment |
A text comment for the revocation request.
For example,
revRequest.comment=readable comment.
|
revRequest.invalidityDatePresent |
If set to
true, the current time is the invalidity date for the revoked certificate. If set to false, no invalidity date is present.
For example,
revRequest.invalidityDatePresent=false.
|
identityProof.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
identityProof.enable=false.
|
identityProof.sharedSecret |
The shared secret for
identityProof control.
For example,
identityProof.sharedSecret=testing.
|
popLinkWitness.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
popLinkWitness.enable=false.
|
LraPopWitness.enable |
If set to
true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
For example,
LraPopWitness.enable=false.
|
LraPopWitness.bodyPartIDs |
The space-delimited list of body part IDs for the
LraPopWtiness control.
For example,
LraPopWitness.bodyPartIDs=1 .
|
