I'm using the Keyfactor Docker ejbca-ce version 8.0.0 (as a test case) to request client certificates from the server over CMP (with BouncyCastle) with the server-side generated keys workflow. The certificates from the clients are used to encrypt files; therefore they need to be recoverable, so all server-side generated tokens are configured to be recoverable. The issue is, all CMP-requested certificates are labeled in the RA GUI as user-generated and therefore are not recoverable. The CMP message from the client does not include a private key; the answer from the server includes a private key and certificate that I can extract and use.
Is there a different way to recover CMP-requested keys? Or is this some unexpected behavior?
At the very moment my request does not contain a certificate template with unique values; I'm just sending the new user (userDN), the public key for the encryption secret and the algorithms that should be used.
The use case of storing keys generated by the CA for CMP requests is not implemented. The use case for CMP CA-generated keys has so far been to generate keys for devices that don't have good, or fast, enough onboard key generation. So these are CA-generated authentication keys, which are not recoverable.
Indeed, the label "usergenerated" sounds confusing.
It is expected behavior at this time. It's considered a feature request for now.
I will create a developer ticket for this, but since we haven't had this use case before I can't say that it will be in a roadmap any time soon.
For reference, I started this work in ECA-11981; some refactoring and clean-ups are needed to implement this nicely.
As a question, would you also use CMP for recovering keys stored by the CA? How do you see doing that recovery workflow using CMP?
My workflow is similar to https://github.com/rgorosito/ejbca/blob/master/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CrmfRequestTest.java -> test12ServerGeneratedKeys.