000021727 - How to generate ProofOfPossession for Certificate Management Protocol (CMP) requests when you don't have the requester's private key (e.g. if you are the RA)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021727
Applies To: RSA BSAFE Cert-J
Issue: How to generate ProofOfPossession for Certificate Management Protocol (CMP) requests when you don't have the requester's private key (e.g. if you are the RA)
Resolution

In the RSA BSAFE Cert-J sample sample\provider\source\CMPRequest.java, replace the CMPPOPGenerationInfoSignature constructor with a CMPPOPGenerationInfoRAVerified constructor, and pass a null private key to cmpService.generateProofOfPossession:

    /* CHANGE: Use raVerified and null private key instead */
    /*
    CMPPOPGenerationInfoSignature crpopGenerationInfo =
        new CMPPOPGenerationInfoSignature (crsigningAlgorithm, subjectName);
    cmpService.generateProofOfPossession
        (crrequest, keyPair.getPrivateKey(), crpopGenerationInfo);
    */
    CMPPOPGenerationInfoRAVerified crpopGenerationInfo =
        new CMPPOPGenerationInfoRAVerified();

    JSAFE_PrivateKey nullPrivateKey = null;
    cmpService.generateProofOfPossession
        (crrequest, nullPrivateKey, crpopGenerationInfo);

    /* END CHANGE: Use raVerified and null private key instead */

Also, in order to allow a null proof-of-possession (raVerified), make sure the "POP Required" checkbox is unchecked when you create the shared secret in the KCA admin interface.
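
To audit which requests rely on raVerified rather than a requester signature, the following added example (not RSA or Cert-J code; it uses only the JDK) reads a DER-encoded CertReqMsg and reports which ProofOfPossession choice it carries. The tag values follow the ProofOfPossession CHOICE in RFC 4211; the class name and the sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;

public class PopChoiceCheck {
    enum Pop { NONE, RA_VERIFIED, SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT }

    // Read a DER length (short form, or long form up to 3 bytes).
    static int readLength(ByteBuffer b) {
        int first = b.get() & 0xFF;
        if (first < 0x80) return first;
        int n = first & 0x7F, len = 0;
        if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported length");
        for (int i = 0; i < n; i++) len = (len << 8) | (b.get() & 0xFF);
        return len;
    }

    // Classify the popo field of one DER-encoded CertReqMsg (RFC 4211, implicit tags).
    static Pop classify(byte[] certReqMsg) {
        ByteBuffer b = ByteBuffer.wrap(certReqMsg);
        if ((b.get() & 0xFF) != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int len = readLength(b);
        int end = b.position() + len;
        if (end > certReqMsg.length) throw new IllegalArgumentException("truncated");
        if ((b.get() & 0xFF) != 0x30) throw new IllegalArgumentException("certReq missing");
        int reqLen = readLength(b);
        b.position(b.position() + reqLen);          // skip certReq
        if (b.position() >= end) return Pop.NONE;   // no popo, no regInfo
        int tag = b.get() & 0xFF;
        int popLen = readLength(b);
        switch (tag) {
            case 0x80:                               // raVerified [0] NULL
                if (popLen != 0) throw new IllegalArgumentException("raVerified must be empty");
                return Pop.RA_VERIFIED;
            case 0xA1: return Pop.SIGNATURE;         // signature [1]
            case 0xA2: return Pop.KEY_ENCIPHERMENT;  // keyEncipherment [2]
            case 0xA3: return Pop.KEY_AGREEMENT;     // keyAgreement [3]
            case 0x30: return Pop.NONE;              // regInfo follows, popo absent
            default: throw new IllegalArgumentException("unexpected tag " + tag);
        }
    }

    public static void main(String[] args) {
        // Constructed samples: certReqId 0 with an empty CertTemplate.
        byte[] raVerified = {0x30, 0x09, 0x30, 0x05, 0x02, 0x01, 0x00, 0x30, 0x00, (byte) 0x80, 0x00};
        byte[] noPopo     = {0x30, 0x07, 0x30, 0x05, 0x02, 0x01, 0x00, 0x30, 0x00};
        System.out.println(classify(raVerified));
        System.out.println(classify(noPopo));
    }
}
```

A request classified as RA_VERIFIED carries no cryptographic evidence that the requester holds the private key, so the CA is relying entirely on the RA that submitted it.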

Legacy Article ID: a24594
