Chapter 12. CMC Request

12.1. Syntax
12.2. Usage

The CMC Request utility, CMCRequest, creates a CMC request from one or more PKCS #10 or CRMF requests. The utility can also be used to revoke certificates.

12.1. Syntax

The CMCRequest command uses a configuration file (.cfg) as a parameter. The .cfg file must include the path to the file of the formatted CMC request:

CMCRequest /path/to/file.cfg

For revocation requests, the revRequest.enable parameter must be set to true, and related parameters must contain the appropriate information.

The .cfg file contains the following parameters:

Parameters	Description
`numRequests`	The total number of PKCS #10 or CRMF requests. In some cases, the value of this parameter can be 0. For example, `numRequests=1`.
`input`	The full path and filename of the PKCS #10 or CRMF request, which must be in base-64 encoded format. Multiple filenames are separated by white space. This parameter is a required if the value for `numRequests` is greater than 0. For example, `input=crmf1`.
`output`	Required. The full path and filename for the generated binary CMC request. For example, `output=cmc`.
`nickname`	Required. The nickname of the agent certificate used to sign the full CMC request. For example, `nickname=CS Agent-102504a's 102504a ID`.
`dbdir`	Required. The full path to the directory where the `cert8.db`, `key3.db`, and `secmod.db` databases are located. For example, `dbdir=/u/smith/db/`.
`password`	Required. The token password for `cert8.db`, which stores the agent certificate. For example, `password=redhat`.
`format`	The request format, either `pkcs10` or `crmf`. For example, `format=crmf`.

Table 12.1.

The following .cfg file parameters set CMC controls:

Parameters	Description
`confirmCertAcceptance.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `confirmCertAcceptance.enable=false`.
`confirmCertAcceptance.serial`	The serial number for the `confirmCertAcceptance` control. For example, `confirmCertAcceptance.serial=3`.
`confirmCertAcceptance.issuer`	The issuer name for the `confirmCertAcceptance` control. For example, `confirmCertAcceptance.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us`.
`getCert.enable`	If set to `true`, then the request contains this attribute. If this parameter is not set, the value is assumed to be `false`. For example, `getCert.enable=false`.
`getCert.serial`	The serial number for the `getCert` control. For example, `getCert.serial=300`.
`getCert.issuer`	The issuer name for the `getCert` control. For example, `getCert.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us`.
`dataReturn.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `dataReturn.enable=false`.
`dataReturn.data`	The data contained in the `dataReturn` control. For example, `dataReturn.data=test`.
`transactionMgt.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `transactionMgt.enable=true`.
`transactionMgt.id`	The transaction identifier for `transactionMgt` control. VeriSign recommends that the transaction ID should be an MD5 hash of the public key.
`senderNonce.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `senderNonce.enable=false`.
`senderNonce.id`	The ID for the `senderNonce` control. For example, `senderNonce.id=testing`.
`revRequest.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `revRequest.enable=true`.
`revRequest.nickname`	The nickname for the certificate being revoked. For example, `revRequest.nickname=newuser's 102504a ID`.
`revRequest.issuer`	The issuer name for the certificate being revoked. For example, `revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us`.
`revRequest.serial`	The serial number for the certificate being revoked. For example, `revRequest.serial=75`.
`revRequest.reason`	The reason for revoking this certificate. The allowed values are `unspecified`, `keyCompromise`, `caCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, `certificateHold`, and `removeFromCRL`. For example, `revRequest.reason=unspecified`.
`revRequest.sharedSecret`	The shared secret for the revocation request. For example, `revRequest.sharedSecret=testing`.
`revRequest.comment`	A text comment for the revocation request. For example, `revRequest.comment=readable comment`.
`revRequest.invalidityDatePresent`	If set to `true`, the current time is the invalidity date for the revoked certificate. If set to `false`, no invalidity date is present. For example, `revRequest.invalidityDatePresent=false`.
`identityProof.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `identityProof.enable=false`.
`identityProof.sharedSecret`	The shared secret for `identityProof` control. For example, `identityProof.sharedSecret=testing`.
`popLinkWitness.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `popLinkWitness.enable=false`.
`LraPopWitness.enable`	If set to `true`, then the request contains this control. If this parameter is not set, the value is assumed to be `false`. For example, `LraPopWitness.enable=false`.
`LraPopWitness.bodyPartIDs`	The space-delimited list of body part IDs for the `LraPopWtiness` control. For example, `LraPopWitness.bodyPartIDs=1` .

Table 12.2.