Chapter 15. Authentication for Enrolling Certificates
• ldap.minConns. Specifies the minimum number of connections permitted to the
authentication directory. The permissible values are 1 to 3.
• ldap.maxConns. Specifies the maximum number of connections permitted to the
authentication directory. The permissible values are 3 to 10.
f. Click OK.
4. Customize the enrollment forms by configuring the inputs in the certificate profiles. Include the
information that the plug-in needs to authenticate the user. If the default inputs do not
collect all of the required information, either create an input that does, using the
CS SDK, or submit a request created with a third-party tool.
15.4. Setting up CMC Enrollment
CMC enrollment sets up an enrollment client, signs the certificate request with an agent certificate,
and then sends the signed request to the Certificate Manager. When this method is set up, the
Certificate Manager automatically issues certificates when a valid request signed with the agent
certificate is received.
The CMCAuth authentication plug-in also activates CMC revocation. CMC revocation sets up a
revocation client, signs the request with the agent certificate, and then sends the signed request to
the Certificate Manager. When this method is set up, the Certificate Manager automatically revokes
certificates when a valid request signed with the agent certificate is received.
To set up CMC enrollment, do the following:
1. Set up the certificate profile to use to enroll users by setting policies for specific certificates in the
certificate profile. See Chapter 12, Certificate Profiles for information about profile policies.
2. If necessary, set up the CMCAuth authentication plug-in. An instance of this plug-in module is
created and enabled by default. It has no configuration parameters. When the instance is enabled,
CMC enrollment and CMC revocation are both enabled for the server.
a. Open the CA Console.
pkiconsole https://server.example.com:9443/ca
b. In the Configuration tab, select Authentication in the navigation tree.
The right pane shows the Authentication Instance tab listing currently configured
authentication instances.
c. Click Add.
The Select Authentication Plug-in Implementation window appears.
d. Select the CMCAuth plug-in module.
e. In the Authentication Instance ID field, if the default name is not to be used, type a unique
name that identifies this instance.
There are no configuration options for this plug-in; it simply enables this functionality.