Certificate Management Protocol

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is a very feature-rich and flexible protocol, supporting many types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER method. CMP is described in . Enrollment request messages employ the Certificate Request Message Format (CRMF), described in . The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in .


History

An obsolete version of CMP is described in , the respective CRMF version in . A CMP Update is in preparation, as well as a Lightweight CMP Profile focusing on industrial use.


PKI Entities

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP clients, requesting one or more certificates for themselves from a certificate authority (CA), which issues the certificates and acts as a CMP server. Any number of registration authorities (RAs), including none, can be used to mediate between the EEs and CAs; an RA has both a downstream CMP server interface (towards the EEs) and an upstream CMP client interface (towards the CA). Using a "cross-certification request", a CA can get a certificate signed by another CA.


Features

* Self-contained messages with protection independent of the transfer mechanism; as opposed to the related protocols EST and SCEP, this supports end-to-end security.
* Full certificate life-cycle support: an end entity can use CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
* Key pair generation is usually done on the client side, but can also be requested from the server side.
* Proof-of-possession is usually provided by a self-signature of the requested certificate contents, but CMP also supports other methods.
* CMP supports the important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates).
* In case an end entity has lost its private key and it is stored by the CA, it can be recovered by requesting a "key pair recovery".
* Various further types of requests are possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.
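As an added illustration (not code from this page or from any of the implementations it lists), the following Python models the shared-secret proof-of-origin and the self-contained message protection described above: the MAC key is derived from a shared secret and a salt by iterating a one-way function, in the manner of CMP's password-based MAC, and the MAC covers header and body, so the message stays verifiable whichever transport carries it. The JSON encoding of the protected part, the choice of SHA-256, and the sample header and body are assumptions standing in for DER and the real ASN.1 structures.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed stand-in for the DER-encoded "protected part" (header + body) of a
# CMP message; a real implementation DER-encodes the ASN.1 PKIHeader and PKIBody.
def encode_protected_part(header: dict, body: dict) -> bytes:
    return json.dumps({"header": header, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()

def pbm_base_key(shared_secret: bytes, salt: bytes, iteration_count: int,
                 owf: str = "sha256") -> bytes:
    # Assumed to mirror CMP's password-based MAC: the one-way function is applied
    # iteration_count times, starting from secret || salt; the result is the MAC key.
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    key = shared_secret + salt
    for _ in range(iteration_count):
        key = hashlib.new(owf, key).digest()
    return key

def protect(header: dict, body: dict, shared_secret: bytes,
            salt: Optional[bytes] = None, iteration_count: int = 10000) -> dict:
    # The message carries everything the receiver needs to check it (salt,
    # iteration count, MAC), so protection does not depend on the transport.
    salt = os.urandom(16) if salt is None else salt
    base_key = pbm_base_key(shared_secret, salt, iteration_count)
    mac = hmac.new(base_key, encode_protected_part(header, body), "sha256").digest()
    return {"header": header, "body": body,
            "protectionAlg": {"salt": salt.hex(), "iterationCount": iteration_count},
            "protection": mac.hex()}

def verify(message: dict, shared_secret: bytes) -> bool:
    # Recompute the MAC from the shared secret named by senderKID in the header;
    # a proxy, mail relay or file copy in between cannot alter header or body unnoticed.
    alg = message["protectionAlg"]
    base_key = pbm_base_key(shared_secret, bytes.fromhex(alg["salt"]),
                            alg["iterationCount"])
    expected = hmac.new(base_key, encode_protected_part(message["header"],
                                                        message["body"]), "sha256").digest()
    return hmac.compare_digest(expected, bytes.fromhex(message["protection"]))

# Constructed sample: an initialization request (ir) from a device whose
# shared secret is identified by the reference number in senderKID.
HEADER = {"pvno": 2, "sender": "CN=device-001", "recipient": "CN=Example RA",
          "senderKID": "ref-0001"}
BODY = {"type": "ir", "subject": "CN=device-001", "keyAlg": "EC P-256"}
```

A relaying RA that only forwards the bytes leaves `verify` true; any change to header or body, or a receiver holding a different secret for that reference number, makes it false.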


Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used:
* Encapsulated in HTTP messages, optionally using TLS (HTTPS) for additional protection.
* Encapsulated in CoAP messages, optionally using DTLS for additional protection.
* Over TCP or any other reliable, connection-oriented transport protocol.
* As a file, e.g., over FTP or SCP.
* By e-mail, using the MIME encoding standard.
The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.


Implementations

* OpenSSL version 3.0 includes extensive CMP support in C.
* Bouncy Castle API offers low-level CMP support in Java and C#.
* RSA BSAFE Cert-J provides CMP support.
* cryptlib provides CMP support.
* EJBCA, a CA software, implements a subset of the CMP functions (EJBCA features page, https://ejbca.org/features.html, archived 2019-06-07).
* Nexus Certificate Manager supports CMP.
* Entrust Authority Security Manager implements CMP support.
* Insta Certifier CA implements CMPv2 support.


See also

* Simple Certificate Enrollment Protocol (SCEP)
* Certificate Management over CMS (CMC)
* Enrollment over Secure Transport (EST)
* Automated Certificate Management Environment (ACME)

