Certificate Management Protocol
The Certificate Management Protocol (CMP) is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210 and is one of two protocols so far to use the Certificate Request Message Format (CRMF), described in RFC 4211, with the other protocol being Certificate Management over CMS (CMC), described in RFC 5273. An obsolete version of CMP is described in RFC 2510, the respective CRMF version in RFC 2511.
CMP (Certificate Management Protocol) | |
---|---|
family: | unknown |
field of application: | certificate management |
newest version: | cmp2000(2) |
OID of the newest version: | 1.3.6.1.5.5.7.0.16 |
TCP/UDP port: | 80 (http), 443 (https), 829 (pkix-3-ca-ra) |
proposed standard: | RFC 4210 (CMP, 2005) |
obsolete standard: | RFC 2510 (CMP, 1999) |
CMP messages are encoded in ASN.1 using the Distinguished Encoding Rules (DER) and are usually transported over HTTP.
PKI Entities
A certificate authority (CA), which issues the legal certificates, acts as the server in a PKI using CMP. A client that obtains its digital certificates by means of this protocol is called an end entity (EE). Zero or more registration authorities (RAs) can be used to mediate between the EEs and the CA.
Features
An end entity can use CMP to obtain certificates from the CA. This can be done through an "initial registration/certification", a "key pair update" or a "certificate update" message sequence. By means of a revocation request, it can also get one of its own certificates revoked. Using a "cross-certification request", a CA can get a certificate signed by another CA. If an end entity has lost its private key and the key is stored by the CA, it might be recovered by requesting a "key pair recovery".
Transport
Several means of transport are foreseen for conveying CMP messages:[1]
- Encapsulated in an HTTP message.
- TCP or any other reliable, connection-oriented transport protocol.
- As a file, e.g. over FTP or SCP.
- By e-mail, using the MIME encoding standard.
The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.
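The following added example (not part of the original article or of any listed implementation) shows a pre-parse check a CA or RA front end could apply to a CMP-over-HTTP request: it accepts only the content types named above and verifies that the body is exactly one DER SEQUENCE whose header begins with a known `pvno`. It assumes the RFC 4210 layout in which `pvno` is the first field of `PKIHeader`; the function names and the sample bytes are constructed for illustration.

```python
# Pre-parse checks for a CMP message received over HTTP (illustrative).
CURRENT_TYPE = "application/pkixcmp"
LEGACY_TYPES = {"application/pkixcmp-poll", "application/x-pkixcmp",
                "application/x-pkixcmp-poll"}
PVNO_NAMES = {1: "cmp1999", 2: "cmp2000"}      # PKIHeader.pvno values
SAMPLE = bytes.fromhex("30053003020102")       # constructed; ends after pvno


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                           # short-form length
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of body")
    return tag, pos, pos + length


def check_cmp_request(content_type, body):
    """Return (pvno_name, uses_legacy_type) or raise ValueError."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype != CURRENT_TYPE and ctype not in LEGACY_TYPES:
        raise ValueError("unexpected Content-Type: " + ctype)
    tag, start, end = read_tlv(body, 0)             # PKIMessage
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not exactly one DER SEQUENCE")
    tag, h_start, h_end = read_tlv(body, start)     # PKIHeader
    if tag != 0x30:
        raise ValueError("PKIHeader is not a SEQUENCE")
    tag, v_start, v_end = read_tlv(body, h_start)   # pvno
    if tag != 0x02 or v_end > h_end or v_end - v_start != 1:
        raise ValueError("pvno is not a one-byte INTEGER")
    pvno = body[v_start]
    if pvno not in PVNO_NAMES:
        raise ValueError("unknown pvno %d" % pvno)
    return PVNO_NAMES[pvno], ctype in LEGACY_TYPES
```

A request that passes still needs full ASN.1 decoding and protection verification by the CMP implementation; this check only rejects malformed framing early and flags clients still using the older draft content types.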
Implementations
- Nexus Certificate Manager supports CMP.
- The library cryptlib provides CMP support.
- Entrust Authority Security Manager implements CMP support.
- Insta Certifier CA implements CMPv2 support.
- EJBCA, a CA software, implements a subset[2] of the CMP functions.
- OpenSSL is capable of producing and parsing CMP messages, using an additional patch.[3]
- RSA BSAFE Cert-J provides CMP support.
- The Bouncy Castle API offers a CMP library for Java and C#.
References
- RFC 6712 Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Management Protocol (CMP)
- "EJBCA - The Java EE Certificate Authority". Archived from the original on 2019-06-07. Retrieved 2019-06-07.
- CMP for OpenSSL, GitHub page