HOME

TheInfoList



Click Here for Items Related To - Certificate Management Protocol
OR:
Certificate Management Protocol on:   [Wikipedia]   [Google]   [Amazon]

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the
IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and ...
used for obtaining X.509 digital certificates in a
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facil ...
(PKI). CMP is a very feature-rich and flexible protocol, supporting any types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the
DER Der or DER may refer to: Places * Darkənd, Azerbaijan * Dearborn (Amtrak station) (station code), in Michigan, US * Der (Sumer), an ancient city located in modern-day Iraq * d'Entrecasteaux Ridge, an oceanic ridge in the south-west Pacific Ocean ...
method. CMP is described in . Enrollment request messages employ the Certificate Request Message Format (CRMF), described in . The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in .


History

An obsolete version of CMP is described in , the respective CRMF version in .
CMP Update
is in preparation as well as
Lightweight CMP Profile
focusing on industrial use.


PKI Entities

In a
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facil ...
(PKI), so-called end entities (EEs) act as CMP client, requesting one or more certificates for themselves from a
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Th ...
(CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RA), can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.


Features

* Self-contained messages with protection independent of transfer mechanism - as opposed to related protocols EST and SCEP, this supports end-to-end security. * Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked. * Key pair generation is usually done by the client side, but can also be requested from the server side. * Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP supports also other methods. * CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates). * In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery". * There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.


Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used. * Encapsulated in
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
messages, optionally using TLS (
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is e ...
) for additional protection. * Encapsulated in CoAP messages, optionally using DTLS for additional protection. *
TCP TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication s ...
or any other reliable, connection-oriented transport protocol. * As a file, e.g., over FTP or
SCP SCP may refer to: Organizations Political parties * Soviet Communist Party, the leading political party in the former Soviet Union * Syrian Communist Party * Sudanese Communist Party * Scottish Christian Party Companies * Seattle Computer Produ ...
. * By
E-Mail Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic ( digital) version of, or counterpart to, mail, at a time when "mail" mean ...
, using the
MIME Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images, and application programs. Messa ...
encoding standard. The
Content-Type A media type (also known as a MIME type) is a two-part identifier for file formats and format contents transmitted on the Internet. The Internet Assigned Numbers Authority (IANA) is the official authority for the standardization and publication o ...
used is ''application/pkixcmp''; older versions of the draft used ''application/pkixcmp-poll'', ''application/x-pkixcmp'' or ''application/x-pkixcmp-poll''.


Implementations

*
OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HT ...
version 3.0 includes extensive CMP support in C.
Bouncy Castle API
offers a low-level CMP support in Java and C#. * RSA BSAFE Cert-J provides CMP support. * cryptlib provides CMP support. * EJBCA, a CA software, implements a subset{{Cite web , url=https://ejbca.org/features.html , title=EJBCA - The Java EE Certificate Authority , access-date=2019-06-07 , archive-url=https://web.archive.org/web/20190607065910/https://ejbca.org/features.html , archive-date=2019-06-07 , url-status=dead of the CMP functions.
Nexus Certificate Manager
supports CMP.
Entrust Authority Security Manager
implements CMP support.
Insta Certifier CA
implements CMPv2 support.


See also

* Simple Certificate Enrollment Protocol (SCEP) * Certificate Management over CMS (CMC) * Enrollment over Secure Transport (EST) *
Automated Certificate Management Environment The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' servers, allowing the automated deployment of public key infrastructure at ...
(ACME)


References

Public key infrastructure Cryptographic protocols Internet Standards Internet protocols