Chapter 8. Authentication for Enrolling Certificates
8.1. Automatic Approval by an Authentication Plug-in
The
auth.instance_id
parameter in a profile specifies the authentication mechanism. A certificate request can either be automatically approved through an authentication plug-in, or be manually approved by a CA agent.
Note
For instructions on how to edit certificate enrollment profiles, see Section 3.2, “Setting up Certificate Profiles”.
8.1.1. Setting up Auto-approval of Enrollment Requests
Configuring that enrollment requests are automatically approved depends on the type of requests:
- For agent-pre-approved CMC requests, set in the CA profile:
auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents"
Theauthz.acl
parameter defines the group that is allowed to approve requests. - For user-initiated requests:
- When using CMC Shared Token, set in the CA profile:
auth.instance_id=CMCUserSignedAuth
Required default and constraint:policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl policyset.cmcUserCertSet.1.default.name=Subject Name Default
- When using User-signed requests, set in the CA profile:
auth.instance_id=CMCUserSignedAuth
Required default and constraint:policyset.cmcUserCertSet.1.default.params.name= policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl policyset.cmcUserCertSet.9.default.name=No Default
For details about editing a profile, see Section 3.2, “Setting up Certificate Profiles”.
8.1.2. CMC Authentication Plug-ins
Certificate System provides the following authentication plug-ins:
CMCAuth
- Use this plug-in when a CA agent signs CMC requests.To use the
CMCAuth
plug-in, set the following in the enrollment profile:auth.instance_id=CMCAuth
By default, the following enrollment profiles use theCMCAuth
plug-in:- For system certificates:
caCMCauditSigningCert
caCMCcaCert
caCMCECserverCert
caCMCECsubsystemCert
caCMCECUserCert
caCMCkraStorageCert
caCMCkraTransportCert
caCMCocspCert
caCMCserverCert
caCMCsubsystemCert
- For user certificates:
caCMCUserCert
caECFullCMCUserCert
caFullCMCUserCert
CMCUserSignedAuth
- Use this plug-in when users submit signed or SharedSecret-based CMC requests.To use the
CMCUserSignedAuth
plug-in, set the following in the enrollment profile:auth.instance_id=CMCUserSignedAuth
A user-signed CMC request must be signed by the user's certificate which contains the samesubjectDN
attribute as the requested certificate. You can only use a user-signed CMC request if the user already obtained a signing certificate which can be used to prove the user's identity for other certificates.A SharedSecret-based CMC request means that the request was signed by the private key of the request itself. In this case, the CMC request must use the Shared Secret mechanism for authentication. A SharedSecret-based CMC request is typically used to obtain the user's first signing certificate, which is later used to obtain other certificates. For further details, see Section 8.1.3, “CMC SharedSecret Authentication”.By default, the following enrollment profiles use theCMCUserSignedAuth
plug-in:caFullCMCUserSignedCert
caECFullCMCUserSignedCert
caFullCMCSharedTokenCert
caECFullCMCSharedTokenCert