RFE: CMC ECC #933
Comments
Comment from cfu (@cfu) at 2012-12-19 05:31:48 also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen
Comment from cfu (@cfu) at 2012-12-19 05:33:40 also added support for CMC revocation in CMCRequest as well as op flags in ECC key gen
Comment from cfu (@cfu) at 2012-12-19 06:02:41 The usages and examples for how to test each tool modified to work with CMC/ECC are to follow.
=============
PKCS10Client new usage:
Usage: PKCS10Client -d -h -p -a <algorithm: 'rsa' or 'ec'> -l -c -o -n
available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
Example 1 shows how to generate an EC PKCS10 request, then turn it into a CMC request, then submit it to the CA for issuance in different ways:
Alternatively, instead of HttpClient, you can copy the CMC request and paste it into the EE page CMC profile:
Comment from cfu (@cfu) at 2012-12-19 06:08:08 CMCRequest config file example for CMC EC PKCS10 request
Comment from cfu (@cfu) at 2012-12-19 06:09:44 HttpClient config file example to submit the CMC EC PKCS10 request from previous PKCS10Client and CMCRequest example
Comment from cfu (@cfu) at 2012-12-19 06:23:10 CRMFPopClient new usage:
CRMF Proof Of Possession Utility....
Usage: CRMFPopClient -d -p -h -o -n -a <algorithm: 'rsa' or 'ec'> -l -c -m hostname:port -f <profile name; rsa default caEncUserCert; ec default caEncECUserCert> -u -r -q <POP_NONE, POP_SUCCESS, or POP_FAIL; default POP_SUCCESS>
note: '-x true' can only be used with POP_NONE
IMPORTANT: The file "transport.txt" needs to be created to contain the
Example on how to run CRMFPopClient to generate an EC CRMF request and use CMCRequest to turn it into a CMC CRMF EC request:
(NOTE: due to certicom private key issue, key archival can only work with conforming tokens such as nethsm; The example provided and in my own developer's test environment, I use nethsm)
Alternatively, instead of HttpClient, you can also paste the CMC request into the EE page CMC enrollment profile:
Comment from cfu (@cfu) at 2012-12-19 06:25:29 CMCRequest config file example for CMC EC CRMF request
Comment from cfu (@cfu) at 2012-12-19 06:26:09 HttpClient config file example to submit the CMC EC CRMF request from previous CRMFPopClient and CMCRequest example
Comment from cfu (@cfu) at 2012-12-19 06:28:36 CMCRevoke's new usage:
Usage: CMCRevoke -d<dir to cert8.db, key3.db> -n -i -s -m -p -h -c
Example:
Comment from cfu (@cfu) at 2012-12-19 06:32:38 Example on how to use CMCRequest's support for CMC revocation (though CMCRevoke tool as shown above provides similar support):
CMCRequest Demo_cmc_ECpkcs10Revoke.cfg
see the following attachment: Demo_cmc_ECpkcs10Revoke.cfg
Comment from cfu (@cfu) at 2012-12-19 06:33:16 CMCRequest config file example for CMC revocation request
Comment from cfu (@cfu) at 2013-01-09 20:33:59 for 2nd review
Comment from cfu (@cfu) at 2013-01-10 04:57:59 checked into PKI_8_1_ERRATA_BRANCH: Modified:
Comment from cfu (@cfu) at 2013-01-10 04:58:41 checked into PKI_8_BRANCH: Modified:
Comment from cfu (@cfu) at 2013-01-10 21:00:50 checked into DOGTAG_9_BRANCH: |
Comment from cfu (@cfu) at 2013-01-16 02:07:51 checked into master
Comment from cfu (@cfu) at 2013-01-25 02:31:29 Here is one example of the steps to put cert/keys into an HSM to be used as an agent cert for the tools above when needed:
PKCS10Client -p redhat123 -d . -o pkcs10nfast3.csr -n "CN=Christina Fu nfast 3" -a ec -c nistp256 -t false -h "NHSM6000-OCS"
PKCS10Client: token NHSM6000-OCS logged in...
Comment from cfu (@cfu) at 2017-02-27 14:12:11 Metadata Update from @cfu:
This issue was migrated from Pagure Issue #362. Originally filed by cfu (@cfu) on 2012-10-08 21:14:02:
Currently, all the CMC tools as well as the CA CMC enrollment do not support ECC.
This task encompasses all necessary changes to allow the CMC tools and the server CMC-handling to work with ECC.