[Pkg-freeipa-devel] dogtag-pki: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Thu Dec 1 08:10:19 UTC 2016
debian/changelog | 8
debian/patches/series | 1
debian/patches/sync-rpm-10.3.5-7.diff | 3687 ++++++++++++++++++++++++++++++++++
debian/pki-tools.install | 1
4 files changed, 3697 insertions(+)
New commits:
commit 45a181ba188c64beaeb3d017e7eb3f21b3455688
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Dec 1 10:08:57 2016 +0200
releasing package dogtag-pki version 10.3.5-6
diff --git a/debian/changelog b/debian/changelog
index d300715..885dd58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-dogtag-pki (10.3.5-6) UNRELEASED; urgency=medium
+dogtag-pki (10.3.5-6) unstable; urgency=medium
* sync-rpm-10.3.5-7.diff: Pull changes from upstream branch needed by
newer freeipa.
* tools.install: Add CMCEnroll manpage.
- -- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 09:20:46 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 10:08:50 +0200
dogtag-pki (10.3.5-5) unstable; urgency=medium
commit d76717efd00ecdc0f04c8f19e1c770097d7878eb
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Dec 1 10:08:15 2016 +0200
tools.install: Add CMCEnroll manpage.
diff --git a/debian/changelog b/debian/changelog
index aedfab9..d300715 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ dogtag-pki (10.3.5-6) UNRELEASED; urgency=medium
* sync-rpm-10.3.5-7.diff: Pull changes from upstream branch needed by
newer freeipa.
+ * tools.install: Add CMCEnroll manpage.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 09:20:46 +0200
diff --git a/debian/pki-tools.install b/debian/pki-tools.install
index 776529e..9a1522d 100644
--- a/debian/pki-tools.install
+++ b/debian/pki-tools.install
@@ -28,6 +28,7 @@ usr/share/java/pki/pki-tools.jar
usr/share/man/man1/AtoB.1
usr/share/man/man1/AuditVerify.1
usr/share/man/man1/BtoA.1
+usr/share/man/man1/CMCEnroll.1
usr/share/man/man1/KRATool.1
usr/share/man/man1/PrettyPrintCert.1
usr/share/man/man1/PrettyPrintCrl.1
commit 6c644d407327e3c762e45452a5cdb39c5cc468dc
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Dec 1 09:20:57 2016 +0200
sync-rpm-10.3.5-7.diff: Pull changes from upstream branch needed by newer freeipa.
diff --git a/debian/changelog b/debian/changelog
index 16ffa40..aedfab9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dogtag-pki (10.3.5-6) UNRELEASED; urgency=medium
+
+ * sync-rpm-10.3.5-7.diff: Pull changes from upstream branch needed by
+ newer freeipa.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 01 Dec 2016 09:20:46 +0200
+
dogtag-pki (10.3.5-5) unstable; urgency=medium
* server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn
diff --git a/debian/patches/series b/debian/patches/series
index ad771fe..ef6ee99 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ use-root-homedir.diff
fix-cli-migrate.diff
use-bash.diff
fix-cve-2016-1240.diff
+sync-rpm-10.3.5-7.diff
diff --git a/debian/patches/sync-rpm-10.3.5-7.diff b/debian/patches/sync-rpm-10.3.5-7.diff
new file mode 100644
index 0000000..660c0b8
--- /dev/null
+++ b/debian/patches/sync-rpm-10.3.5-7.diff
@@ -0,0 +1,3687 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c746056..457e144 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -54,7 +54,6 @@ macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source buil
+ include(MacroCopyFile)
+ include(Java)
+
+-file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/classes)
+ file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/dist)
+
+ # required for all PKI components
+diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
+index 854ce28..e612d72 100644
+--- a/base/ca/src/CMakeLists.txt
++++ b/base/ca/src/CMakeLists.txt
+@@ -96,7 +96,7 @@ javac(pki-ca-classes
+ ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
+ ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR}
+ OUTPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ DEPENDS
+ symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
+ )
+@@ -114,7 +114,7 @@ jar(pki-ca-jar
+ PARAMS
+ ${CMAKE_CURRENT_BINARY_DIR}/pki-ca.mf
+ INPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ FILES
+ com/netscape/ca/*.class
+ org/dogtagpki/server/ca/*.class
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index a5397da..ae90d3a 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
+ import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
+ import com.netscape.cms.servlet.cert.EnrollmentProcessor;
+ import com.netscape.cms.servlet.cert.RenewalProcessor;
++import com.netscape.cms.servlet.cert.RevocationProcessor;
+ import com.netscape.cms.servlet.processors.CAProcessor;
+ import com.netscape.cmscore.base.ArgBlock;
+ import com.netscape.cmscore.dbs.CRLRepository;
+@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain;
+ import netscape.security.x509.CertificateIssuerName;
+ import netscape.security.x509.CertificateSubjectName;
+ import netscape.security.x509.CertificateVersion;
++import netscape.security.x509.RevocationReason;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X500Signer;
+ import netscape.security.x509.X509CRLImpl;
+@@ -677,6 +679,24 @@ public class CertificateAuthority
+ }
+ }
+
++ private boolean entryUSNPluginEnabled() {
++ try {
++ LDAPConnection conn = dbFactory.getConn();
++ try {
++ LDAPSearchResults results = conn.search(
++ "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
++ "(nsslapd-pluginEnabled=on)", null, false);
++ return results != null && results.hasMoreElements();
++ } catch (LDAPException e) {
++ return false;
++ } finally {
++ dbFactory.returnConn(conn);
++ }
++ } catch (ELdapException e) {
++ return false; // oh well
++ }
++ }
++
+ private void initCRLPublisher() throws EBaseException {
+ // instantiate CRL publisher
+ if (!isHostAuthority()) {
+@@ -1549,7 +1569,12 @@ public class CertificateAuthority
+ CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+ signingUnitException = e;
+ if (retrieveKeys == true) {
+- if (!keyRetrieverThreads.containsKey(authorityID)) {
++ if (authorityID == null) {
++ // Only the host authority should ever see a
++ // null authorityID, e.g. during two-step
++ // installation of externally-signed CA.
++ CMS.debug("null authorityID -> host authority; not starting KeyRetriever");
++ } else if (!keyRetrieverThreads.containsKey(authorityID)) {
+ CMS.debug("Starting KeyRetrieverRunner thread");
+ Thread t = new Thread(
+ new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts),
+@@ -2964,7 +2989,8 @@ public class CertificateAuthority
+ authorityKeyHosts.add(thisClone);
+ }
+
+- public synchronized void deleteAuthority() throws EBaseException {
++ public synchronized void deleteAuthority(HttpServletRequest httpReq)
++ throws EBaseException {
+ if (isHostAuthority())
+ throw new CATypeException("Cannot delete the host CA");
+
+@@ -2984,13 +3010,54 @@ public class CertificateAuthority
+
+ shutdown();
+
++ revokeAuthority(httpReq);
+ deleteAuthorityEntry(authorityID);
+ deleteAuthorityNSSDB();
+ }
+
++ /** Revoke the authority's certificate
++ *
++ * TODO: revocation reason, invalidity date parameters
++ */
++ private void revokeAuthority(HttpServletRequest httpReq)
++ throws EBaseException {
++ CMS.debug("revokeAuthority: checking serial " + authoritySerial);
++ ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
++ String curStatus = certRecord.getStatus();
++ CMS.debug("revokeAuthority: current cert status: " + curStatus);
++ if (curStatus.equals(CertRecord.STATUS_REVOKED)
++ || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
++ return; // already revoked
++ }
++
++ CMS.debug("revokeAuthority: revoking cert");
++ RevocationProcessor processor = new RevocationProcessor(
++ "CertificateAuthority.revokeAuthority", httpReq.getLocale());
++ processor.setSerialNumber(new CertId(authoritySerial));
++ processor.setRevocationReason(RevocationReason.UNSPECIFIED);
++ processor.setAuthority(this);
++ try {
++ processor.createCRLExtension();
++ } catch (IOException e) {
++ throw new ECAException("Unable to create CRL extensions", e);
++ }
++ processor.addCertificateToRevoke(mCaCert);
++ processor.createRevocationRequest();
++ processor.auditChangeRequest(ILogger.SUCCESS);
++ processor.processRevocationRequest();
++ processor.auditChangeRequestProcessed(ILogger.SUCCESS);
++ }
++
+ /** Delete keys and certs of this authority from NSSDB.
+ */
+ private void deleteAuthorityNSSDB() throws ECAException {
++ if (isHostAuthority()) {
++ String msg = "Attempt to delete host authority signing key; not proceeding";
++ log(ILogger.LL_WARN, msg);
++ CMS.debug(msg);
++ return;
++ }
++
+ CryptoManager cryptoManager;
+ try {
+ cryptoManager = CryptoManager.getInstance();
+@@ -3177,24 +3244,6 @@ public class CertificateAuthority
+ AuthorityID aid = new AuthorityID((String)
+ aidAttr.getStringValues().nextElement());
+
+- LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
+- if (entryUSN == null) {
+- log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " +
+- "This is likely because the USN plugin is not enabled in the database");
+- return;
+- }
+-
+- Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
+- CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
+- Integer knownEntryUSN = entryUSNs.get(aid);
+- if (knownEntryUSN != null) {
+- CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
+- if (newEntryUSN <= knownEntryUSN) {
+- CMS.debug("readAuthority: data is current");
+- return;
+- }
+- }
+-
+ X500Name dn = null;
+ try {
+ dn = new X500Name((String) dnAttr.getStringValues().nextElement());
+@@ -3207,7 +3256,13 @@ public class CertificateAuthority
+ if (descAttr != null)
+ desc = (String) descAttr.getStringValues().nextElement();
+
+- if (dn.equals(mName)) {
++ /* Determine if it is the host authority's entry, by
++ * comparing DNs. DNs must be serialised in case different
++ * encodings are used for AVA values, e.g. PrintableString
++ * from LDAP vs UTF8String in certificate.
++ */
++ if (dn.toString().equals(mName.toString())) {
++ CMS.debug("Found host authority");
+ foundHostAuthority = true;
+ this.authorityID = aid;
+ this.authorityDescription = desc;
+@@ -3215,6 +3270,36 @@ public class CertificateAuthority
+ return;
+ }
+
++ Integer newEntryUSN = null;
++ LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
++ if (entryUSNAttr == null) {
++ CMS.debug("readAuthority: no entryUSN");
++ if (!entryUSNPluginEnabled()) {
++ CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
++ log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
++ + " entryUSN attribute and USN plugin not enabled;"
++ + " skipping. Enable dirsrv USN plugin.");
++ return;
++ } else {
++ CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
++ // entryUSN plugin is enabled, but no entryUSN attribute. We
++ // can proceed because future modifications will result in the
++ // entryUSN attribute being added.
++ }
++ } else {
++ newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
++ CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
++ }
++
++ Integer knownEntryUSN = entryUSNs.get(aid);
++ if (newEntryUSN != null && knownEntryUSN != null) {
++ CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
++ if (newEntryUSN <= knownEntryUSN) {
++ CMS.debug("readAuthority: data is current");
++ return;
++ }
++ }
++
+ @SuppressWarnings("unused")
+ X500Name parentDN = null;
+ if (parentDNAttr != null) {
+diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+index a1b7748..736d870 100644
+--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
++++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+@@ -20,16 +20,11 @@ package com.netscape.ca;
+
+ import java.io.IOException;
+ import java.io.InputStream;
+-import java.lang.Process;
+-import java.lang.ProcessBuilder;
+ import java.util.Collection;
+ import java.util.Stack;
+
+-import org.apache.commons.io.IOUtils;
+-import org.apache.commons.lang.ArrayUtils;
+-
+-import org.codehaus.jackson.map.ObjectMapper;
+ import org.codehaus.jackson.JsonNode;
++import org.codehaus.jackson.map.ObjectMapper;
+
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
+index f708e55..405f20c 100644
+--- a/base/ca/src/com/netscape/ca/SigningUnit.java
++++ b/base/ca/src/com/netscape/ca/SigningUnit.java
+@@ -171,6 +171,7 @@ public final class SigningUnit implements ISigningUnit {
+ mCert = mManager.findCertByNickname(mNickname);
+ CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+ } catch (ObjectNotFoundException e) {
++ CMS.debug("Unable to find certificate " + mNickname);
+ throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
+ }
+
+@@ -181,6 +182,7 @@ public final class SigningUnit implements ISigningUnit {
+ mPrivk = mManager.findPrivKeyByCert(mCert);
+ CMS.debug("Got private key from cert");
+ } catch (ObjectNotFoundException e) {
++ CMS.debug("Unable to find private key for " + mNickname);
+ throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
+ }
+
+@@ -257,16 +259,16 @@ public final class SigningUnit implements ISigningUnit {
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
+ throw new ECAException(
+- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
++ CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname), e);
+ } catch (TokenException e) {
+ // from get signature context or from initSign
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
+ throw new ECAException(
+- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
++ CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname), e);
+ } catch (InvalidKeyException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
+ throw new ECAException(
+- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname));
++ CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname), e);
+ }
+ }
+
+@@ -311,21 +313,21 @@ public final class SigningUnit implements ISigningUnit {
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ throw new ECAException(
+- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
++ CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname), e);
+ } catch (TokenException e) {
+ // from get signature context or from initSign
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ } catch (InvalidKeyException e) {
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ } catch (SignatureException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ CMS.debug("SigningUnit.sign: " + e.toString());
+ CMS.checkForAndAutoShutdown();
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ }
+ }
+
+@@ -351,21 +353,21 @@ public final class SigningUnit implements ISigningUnit {
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ } catch (TokenException e) {
+ // from get signature context or from initSign
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ } catch (InvalidKeyException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ } catch (SignatureException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ CMS.checkForAndAutoShutdown();
+ // XXX fix this exception later.
+- throw new EBaseException(e.toString());
++ throw new EBaseException(e);
+ }
+ }
+
+@@ -410,7 +412,7 @@ public final class SigningUnit implements ISigningUnit {
+ String msg = "Invalid encoding in CA signing key.";
+
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", msg));
+- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg));
++ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg), e);
+ }
+
+ if (key.getAlgorithmId().getOID().equals(AlgorithmId.DSA_oid)) {
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+index 246a3f0..584ab6e 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
+ Map<String, String> auditParams = new LinkedHashMap<>();
+
+ try {
+- ca.deleteAuthority();
++ ca.deleteAuthority(servletRequest);
+ audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
+ return createNoContentResponse();
+ } catch (CATypeException e) {
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index ed45654..c044ba1 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -105,7 +105,11 @@ class NSSDatabase(object):
+ directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
+
+ self.directory = directory
+- self.token = token
++
++ if token == 'internal' or token == 'Internal Key Storage Token':
++ self.token = None
++ else:
++ self.token = token
+
+ self.tmpdir = tempfile.mkdtemp()
+
+@@ -233,7 +237,7 @@ class NSSDatabase(object):
+
+ if basic_constraints_ext:
+
+- cmd.extend(['-2', hash_alg])
++ cmd.extend(['-2'])
+
+ # Is this a CA certificate [y/N]?
+ if basic_constraints_ext['ca']:
+@@ -425,12 +429,15 @@ class NSSDatabase(object):
+ '-d', self.directory
+ ]
+
++ fullname = nickname
++
+ if self.token:
+ cmd.extend(['-h', self.token])
++ fullname = self.token + ':' + fullname
+
+ cmd.extend([
+ '-f', self.password_file,
+- '-n', nickname,
++ '-n', fullname,
+ output_format_option
+ ])
+
+diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
+index ee41b2f..7ce833c 100644
+--- a/base/common/src/CMakeLists.txt
++++ b/base/common/src/CMakeLists.txt
+@@ -131,7 +131,7 @@ javac(pki-certsrv-classes
+ ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
+ ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
+ OUTPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ DEPENDS
+ pki-nsutil-jar pki-cmsutil-jar
+ )
+@@ -149,7 +149,7 @@ jar(pki-certsrv-jar
+ PARAMS
+ ${CMAKE_CURRENT_BINARY_DIR}/pki-certsrv.mf
+ INPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ FILES
+ com/netscape/certsrv/*.class
+ org/dogtagpki/tps/*.class
+diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+index 308bfba..5218a4c 100644
+--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
++++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+@@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem {
+ /**
+ * Delete this lightweight CA.
+ */
+- public void deleteAuthority()
++ public void deleteAuthority(HttpServletRequest httpReq)
+ throws EBaseException;
+ }
+diff --git a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
+index 88b1263..51a1109 100644
+--- a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
++++ b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
+@@ -17,13 +17,13 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.ldap;
+
+-import netscape.ldap.LDAPException;
+-
+ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.ConflictingOperationException;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.base.ResourceNotFoundException;
+
++import netscape.ldap.LDAPException;
++
+ /**
+ * @author Endi S. Dewata
+ */
+@@ -39,6 +39,8 @@ public class LDAPExceptionConverter {
+ return new ResourceNotFoundException("No such attribute.", e);
+ case LDAPException.INVALID_DN_SYNTAX:
+ return new BadRequestException("Invalid DN syntax.", e);
++ case LDAPException.INVALID_ATTRIBUTE_SYNTAX:
++ return new BadRequestException("Invalid attribute syntax.", e);
+ case LDAPException.ENTRY_ALREADY_EXISTS:
+ return new ConflictingOperationException("Entry already exists.", e);
+ default:
+diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
+index c07b96a..a55c651 100644
+--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
++++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
+@@ -20,6 +20,8 @@
+
+ package com.netscape.certsrv.selftests;
+
++import java.util.Collection;
++
+ ///////////////////////
+ // import statements //
+ ///////////////////////
+@@ -68,6 +70,8 @@ public interface ISelfTestSubsystem
+ // ISelfTestSubsystem methods //
+ ////////////////////////////////
+
++ public Collection<String> getSelfTestNames();
++
+ //
+ // methods associated with the list of on demand self tests
+ //
+diff --git a/base/console/src/CMakeLists.txt b/base/console/src/CMakeLists.txt
+index c1a86b7..dc5a3e3 100644
+--- a/base/console/src/CMakeLists.txt
++++ b/base/console/src/CMakeLists.txt
+@@ -97,13 +97,12 @@ javac(pki-console-classes
+ SOURCES
+ com/netscape/admin/certsrv/*.java
+ CLASSPATH
+- ${CMAKE_BINARY_DIR}/classes
+ ${BASE_JAR} ${LDAPJDK_JAR} ${MMC_JAR}
+ ${MMC_EN_JAR} ${NMCLF_JAR} ${NMCLF_EN_JAR}
+ ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR} ${PKI_CERTSRV_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR}
+ OUTPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ )
+
+ configure_file(
+@@ -120,7 +119,7 @@ jar(pki-console-jar
+ PARAMS
+ ${CMAKE_CURRENT_BINARY_DIR}/pki-console.mf
+ INPUT_DIR
+- ${CMAKE_BINARY_DIR}/classes
++ ${CMAKE_CURRENT_BINARY_DIR}/classes
+ FILES
+ com/netscape/admin/certsrv/*.class
+ INPUT_DIR
+diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
+new file mode 100644
+index 0000000..4cc861f
+--- /dev/null
++++ b/base/java-tools/man/man1/CMCEnroll.1
+@@ -0,0 +1,570 @@
++.\" First parameter, NAME, should be all caps
++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
++.\" other parameters are allowed: see man(7), man(1)
++.TH CMCEnroll 1 "July 20, 2016" "version 10.3" "PKI CMC Enrollment Tool" Dogtag Team
++.\" Please adjust this date whenever revising the man page.
++.\"
++.\" Some roff macros, for reference:
++.\" .nh disable hyphenation
++.\" .hy enable hyphenation
++.\" .ad l left justify
++.\" .ad b justify to both left and right margins
++.\" .nf disable filling
++.\" .fi enable filling
++.\" .br insert line break
++.\" .sp <n> insert n+1 empty lines
++.\" for man page specific macros, see man(7)
++.SH NAME
++CMCEnroll \- Used to sign a certificate request with an agent's certificate.
++
++.SH SYNOPSIS
++.PP
++\fBCMCEnroll -d <directory_of_NSS_security_database_containing_agent_cert> -n <certificate_nickname> -r <certificate_request_file> -p <certificate_DB_passwd>\fP
++
++.SH DESCRIPTION
++.PP
++The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, \fBCMCEnroll\fP, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.
++.PP
++\fBCMCEnroll\fP takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.
++
++.SH OPTIONS
++.PP
++The following parameters are mandatory:
++.PP
++\fBNote:\fP
++Surround values that include spaces with quotation marks.
++.TP
++.B -d <directory_of_NSS_security_database_containing_agent_cert>
++The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files associated with the agent certificate. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
++
++.TP
++.B -n <certificate_nickname>
++The nickname of the agent certificate that is used to sign the request.
++
++.TP
++.B -r <certificate_request_file>
++The filename of the certificate request.
++
++.TP
++.B -p <certificate_DB_passwd>
++The password to the NSS certificate database which contains the agent certificate, given in \fB-d <directory_of_NSS_security_database_containing_agent_cert>\fP.
++
++.SH EXAMPLES
++.PP
++Signed requests must be submitted to the CA to be processed.
++.PP
++\fBNote:\fP For this example to work automatically, the \fBCMCAuth\fP plug-in must be enabled on the CA server (which it is by default).
++.TP
++(1) Create a PKCS #10 certificate request using a tool like \fBcertutil\fP:
++.IP
++.nf
++# cd ~/.mozilla/firefox/<browser profile>
++
++# certutil -d . -L
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++Google Internet Authority G2 ,,
++COMODO RSA Domain Validation Secure Server CA ,,
++pki.example.com ,,
++DigiCert SHA2 Secure Server CA ,,
++DigiCert SHA2 Extended Validation Server CA ,,
++COMODO RSA Extended Validation Secure Server CA 2 ,,
++Symantec Class 3 Secure Server CA - G4 ,,
++Go Daddy Secure Certificate Authority - G2 ,,
++Oracle SSL CA - G2 ,,
++GeoTrust EV SSL CA - G4 ,,
++Symantec Class 3 Secure Server SHA256 SSL CA ,,
++GeoTrust SSL CA - G3 ,,
++PKI Administrator for example.com u,u,u
++DigiCert SHA2 High Assurance Server CA ,,
++COMODO RSA Organization Validation Secure Server CA ,,
++CA Signing Certificate - example.com Security Domain CT,C,C
++
++# certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a
++
++A random seed must be generated that will be used in the
++creation of your key. One of the easiest ways to create a
++random seed is to use the timing of keystrokes on a keyboard.
++
++To begin, type keys on the keyboard until this progress meter
++is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
++
++
++Continue typing until the progress meter is full:
++
++|************************************************************|
++
++Finished. Press enter to continue:
++
++
++Generating key. This may take a few moments...
++
++
++Certificate request generated by Netscape certutil
++Phone: (not specified)
++
++Common Name: CMCEnroll Test Certificate
++Email: (not specified)
++Organization: (not specified)
++State: (not specified)
++Country: (not specified)
++
++-----BEGIN CERTIFICATE REQUEST-----
++MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
++dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
++IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
++6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
++QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
++WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
++rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
++68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
++YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
++sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
++FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
++ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
++TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
++-----END CERTIFICATE REQUEST-----
++.if
++
++.TP
++(2) Copy the PKCS #10 ASCII output to a text file.
++.IP
++.nf
++# vi cert.req
++-----BEGIN CERTIFICATE REQUEST-----
++MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
++dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
++IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
++6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
++QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
++WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
++rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
++68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
++YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
++sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
++FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
++ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
++TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
++-----END CERTIFICATE REQUEST-----
++.if
++
++.TP
++(3) Run the \fBCMCEnroll\fP command to sign the certificate request. If the input file is "\fB~/.mozilla/firefox/<profile>/cert.req\fP", the agent's certificate is stored in the "\fB~/.mozilla/firefox\<profile>fP" directory, the certificate common name for this CA is "\fBPKI Administrator for example.com\fP", and the password for the certificate database is "\fBSecret123\fP", the command is as follows:
++.IP
++.nf
++# CMCEnroll -d "~/.mozilla/firefox/<profile>/" -n "PKI Administrator for example.com" -r "~/.mozilla/firefox/<profile>/cert.req" -p "Secret123"
++cert/key prefix =
++path = ~/.mozilla/firefox/<profile>/
++-----BEGIN CERTIFICATE REQUEST-----
++MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==-----END CERTIFICATE REQUEST-----
++.if
++The output of this command is stored in a file with the same filename as the request with a \fB.out\fP appended to the filename (e. g. - cert.req.out):
++.IP
++.nf
++# cat cert.req.out
++-----BEGIN CERTIFICATE REQUEST-----
++MIIMhwYJKoZIhvcNAQcCoIIMeDCCDHQCAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
++BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB5Da2UvQ1V6VEZF
++Rzgwa1Ryb1dsNjVuTUZhMEU9DQowIQIBAwYIKwYBBQUHBwUxEgIQU05oqk+q+FdR
++go/eIzsjGTCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5y
++b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA
+++Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5
++tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1
++A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiu
++qv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUy
++UkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
++Q9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2
++fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9w
++Xz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ
+++FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SB
++Sa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9D
++RJd1FJoocw0eGhw31I5rJDAAMACggge1MIIDzDCCArSgAwIBAgIBATANBgkqhkiG
++9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
++RG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcy
++MTIzNDAyNVoXDTM2MDcyMTIzNDAyNVowTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
++YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
++aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmWoikqOPpH
++0JLW3SZ1SPojvndjdILqDuGuRmqtcLuzZtmNuY7ZVwrXt61G1SCCBoEiy/OcUCKM
++GVpw0M15Dn3sjJmd9F2R5lrGT2eMWWfVTr15RyEwK9Pn0mxTDN+0eZ4WDY9U4Zg4
++2qZYIhkfGSTR5jhA4rs3uNOFm0ElLqDumGw3EXjJOy+RURvNbY4Pjlz89+Q2o6M0
++/XMmMYzxVtXusKu1bvTKIiWoWCXR5ge78GoT/8reer+zxuSXiKSeVV2myvCQhmMH
++AD2rik/7hazuY2ztC8h9HF09PMSeK2ev6PlzSV/PEqj9u5bgOcbqeiQkzR6IOcSi
++JCn9o7B+AUMCAwEAAaOBtDCBsTAfBgNVHSMEGDAWgBS7NphdZcuI4IcjN29b96+L
++iuu6tTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU
++uzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzAB
++hjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Ev
++b2NzcDANBgkqhkiG9w0BAQsFAAOCAQEANUYLK65kV0na9zmtNGFje4akz4FBRAOh
++f/RYvtH4/0z38vW/E6fZkfb6CHrC4pNPfL6c0q/8H0mIrAft4kkQlTyJB9tdF5qY
++vCfUMmZ+zM664U/97nf7NSUu9PIFcNfh+/O9IoVUd7gEerRISJzbsmHAcCcfIiKX
++FsM+6HbEt+lH47flb/eSA2cUS84bC+XlZmKpse1R8PL/rKzngReZmMhNx73pYlEN
++0qOpJILEMC1FVUExp6XnnP/m1+gY3T2FrIcUU7Jm1mCnln3VcLxkRU2c9tGj4xYr
++H8teMoQHLZTiqe/54h+3/pUEDgSATAHnex/uG33TXNDbpeNeq720eDCCA+EwggLJ
++oAMCAQICAQYwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
++YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
++aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMzBaFw0xODA3MTEyMzQwMzBaMHQxKzApBgNV
++BAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xKTAnBgkqhkiG
++9w0BCQEWGmNhYWRtaW5AdXNlcnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kg
++QWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPQ
++fOUyTIkdDnPzBrFRBknHqjYMrRpUDBR+JlarT/Sr6PqNQPMcM7JvgBNmXG32H+5w
++QH/sfVjOmKEJOMsh71vKiTM0wb5rIo08B34i9E5Cf2Wzx2/ht4qfWvSmb5ZBxy22
++YpasKLdv7SwSDQr0U7h+Q/96Hgq85ONxWWN6XubgZxSfbs7QVcA0jVq+2inhT67B
++0u4DO6MTxFJNCfDcWiA/M6xzKbjEqDUEh46Rk19krGPYsbfW2BMuOi7pyfTDJVJ5
++CAUbo4bpR3eeo5KMbUvgF3WUxA1whOF2Oc6t0hdINW6Xeq3vpnwn3RyX2TRQ0zqi
++n3K3uPdahteQNcRb/Q8CAwEAAaOBozCBoDAfBgNVHSMEGDAWgBS7NphdZcuI4Icj
++N29b96+Liuu6tTBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0dHA6Ly9w
++a2ktZGVza3RvcC51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1Ud
++DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
++hvcNAQELBQADggEBAADJNrg4qAZ1LxSz2Nn1k1SEmbugxrh8o1jpBAaSvLlv+blL
+++6wNq0D7c1GPzRO5TObyXgpbtHgofpKLSxw8cB3y8ugZMp7qJeCYxgzxQKEVMANW
++6eZgAxvEe1J5Vyk/ELNiCtQmY7Mi+BtwvCF0xkCwYtOGlgeLV5t6GjBdG+jpZSIb
++B0En0+t/JOwvqUAhzVStz/j9LgBza0P8ACd/s2Z/zjpot2JTXDofF0mbiGwMz4Em
++/dOT3QhUr3QqFY/Q6T7c/wW7KbUXpNjwvLAV86A9Oojq32Z3ppJPnnDoLxLWvn8f
++4rBdhhKrFhRZBYd91r3OExUIAEkFH9cmgPusjMsxggG6MIIBtgIBAzBTME4xKzAp
++BgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNV
++BAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqG
++SIb3DQEJAzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUeIRBuSA10uyZK8LB
++yc5Abz4f74AwDQYJKoZIhvcNAQEBBQAEggEAC1DFoKDcAzJUdIIucV61TqQtbBJT
++H8hhnln3+TwAO+u3X55o74xZMgawy/3Hkt3CjYxYmWIYY9MZILb2UeD0VZz63yzq
++F9tEZu2IhlvaOgP6NLcu8SxDImQ/GuvPIvGkGg0m/X3cwCHKymH7ZXAUfxQXgqbw
++CAMc+DH99xx0yotaAr5HE9tauNJejo4CDVYwUn/5syTcw3molt2Ely2FIFEyI3HD
++yPmP2OHw/xqlBhFvnoecbtpTq2DiWGPWJHSnzcdInuXudHHaIsribXK8HGw2MnCD
++8Sq7UsrvBe50v0YebYzQdXYrsnluNc+Cwm2PdDQDfPT39e7iwGSLGi4KrQ==
++-----END CERTIFICATE REQUEST-----
++.if
++
++.TP
++(4) Submit the signed certificate request through the CA end-entities page:
++.IP
++.nf
++(a) Open the end-entities page.
++
++(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
++
++(c) Paste the content of the output file into the first text area of this form.
++
++(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
++
++(e) Fill in the contact information, and submit the form.
++.if
++
++.TP
++(5) The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled:
++.IP
++.nf
++Congratulations, your request has been processed successfully
++
++Your request ID is \fB7\fP.
++
++\fBOutputs\fP
++
++* Certificate Pretty Print
++
++ Certificate:
++ Data:
++ Version: v3
++ Serial Number: 0x7
++ Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
++ Issuer: CN=CA Signing Certificate,O=example.com Security Domain
++ Validity:
++ Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
++ Not After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
++ Subject: CN=CMCEnroll Test Certificate
++ Subject Public Key Info:
++ Algorithm: RSA - 1.2.840.113549.1.1.1
++ Public Key:
++ Exponent: 65537
++ Public Key Modulus: (2048 bits) :
++ DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
++ 0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
++ D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
++ 69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
++ 93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
++ 0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
++ B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
++ ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
++ A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
++ 97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
++ B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
++ 33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
++ A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
++ 2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
++ 31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
++ 6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
++ Extensions:
++ Identifier: Authority Key Identifier - 2.5.29.35
++ Critical: no
++ Key Identifier:
++ BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
++ 8A:EB:BA:B5
++ Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
++ Critical: no
++ Access Description:
++ Method #0: ocsp
++ Location #0: URIName: http://pki.example.com:8080/ca/ocsp
++ Identifier: Key Usage: - 2.5.29.15
++ Critical: yes
++ Key Usage:
++ Digital Signature
++ Non Repudiation
++ Key Encipherment
++ Identifier: Extended Key Usage: - 2.5.29.37
++ Critical: no
++ Extended Key Usage:
++ 1.3.6.1.5.5.7.3.2
++ 1.3.6.1.5.5.7.3.4
++ Signature:
++ Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
++ Signature:
++ 6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
++ 30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
++ 11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
++ D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
++ 69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
++ 2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
++ 76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
++ 2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
++ E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
++ 3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
++ 2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
++ 05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
++ BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
++ F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
++ 08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
++ 39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
++ FingerPrint
++ MD2:
++ C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
++ MD5:
++ 5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
++ SHA-1:
++ F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
++ 5C:A9:71:27
++ SHA-256:
++ 66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
++ 8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
++ SHA-512:
++ E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
++ 9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
++ F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
++ D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
++
++* Certificate Base-64 Encoded
++
++-----BEGIN CERTIFICATE-----
++MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
++c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
++aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow
++JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG
++SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ
++SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad
++7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s
++rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s
++UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x
++/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw
++gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE
++QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo
++YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI
++KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug
More information about the Pkg-freeipa-devel
mailing list