Certificate Management Protocol

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is a very feature-rich and flexible protocol, supporting any type of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER method. CMP is described in . Enrollment request messages employ the Certificate Request Message Format (CRMF), described in . The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in .


History

An obsolete version of CMP is described in , the respective CRMF version in . A CMP Update is in preparation, as well as a Lightweight CMP Profile focusing on industrial use.


PKI Entities

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP clients, requesting one or more certificates for themselves from a certificate authority (CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RAs) can be used to mediate between the EEs and CAs, each having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request", a CA can get a certificate signed by another CA.


Features

* Self-contained messages with protection independent of the transfer mechanism. As opposed to the related protocols EST and SCEP, this supports end-to-end security.
* Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
* Key pair generation is usually done by the client side, but can also be requested from the server side.
* Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP also supports other methods.
* CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates).
* In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery".
* There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.


Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used.

* Encapsulated in HTTP messages, optionally using TLS (HTTPS) for additional protection.
* Encapsulated in CoAP messages, optionally using DTLS for additional protection.
* TCP or any other reliable, connection-oriented transport protocol.
* As a file, e.g., over FTP or SCP.
* By e-mail, using the MIME encoding standard.

The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.
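
A gateway or RA front end can use the facts above (self-contained DER messages carried under Content-Type application/pkixcmp) to reject malformed or unprotected requests before they reach the PKI back end. The following Python code is an added example, not code from the original page or from any implementation it lists. The outer PKIMessage layout (header, body, optional [0] protection) and the body tag numbers follow the CMP specification; the function names are hypothetical, the sample messages are constructed, and refusing the older draft content types is an assumed policy.

```python
# Added example (not from the page): structural pre-check of a CMP message.
CMP_CONTENT_TYPE = "application/pkixcmp"
BODY_NAMES = {0: "ir", 2: "cr", 7: "kur", 9: "krr", 11: "rr", 13: "ccr"}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV at off."""
    if off + 2 > len(buf) or buf[off] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length, not DER")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, off, off + length

def inspect_cmp(content_type, body):
    """Summarise the outer PKIMessage; raise ValueError if malformed."""
    if content_type.split(";")[0].strip().lower() != CMP_CONTENT_TYPE:
        raise ValueError("unexpected Content-Type")
    tag, off, end = read_tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not exactly one DER SEQUENCE")
    fields = []
    while off < end:
        fields.append(read_tlv(body, off))
        off = fields[-1][2]
    if len(fields) < 2 or fields[0][0] != 0x30 or fields[1][0] & 0xE0 != 0xA0:
        raise ValueError("missing PKIHeader or PKIBody")
    pt, ps, pe = read_tlv(body, fields[0][1])   # pvno is the first header field
    if pt != 0x02 or pe > fields[0][2]:
        raise ValueError("PKIHeader does not start with pvno")
    kind = fields[1][0] & 0x1F                  # context tag selects the body type
    return {"pvno": int.from_bytes(body[ps:pe], "big"),
            "body": BODY_NAMES.get(kind, "other(%d)" % kind),
            "protected": any(t == 0xA0 for t, _, _ in fields[2:])}

# Constructed samples: pvno 2, empty sender/recipient names, empty ir body.
UNPROTECTED = bytes.fromhex("3011" "300b020102a4023000a4023000" "a0023000")
PROTECTED = bytes.fromhex("3018" "300b020102a4023000a4023000" "a0023000" "a005030300aabb")
```

The `protected` flag only reports that a protection field is present; checking the MAC or signature inside it still requires a full CMP implementation.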


Implementations

* OpenSSL version 3.0 includes extensive CMP support in C.
* Bouncy Castle API offers low-level CMP support in Java and C#.
* RSA BSAFE Cert-J provides CMP support.
* cryptlib provides CMP support.
* EJBCA, a CA software, implements a subset of the CMP functions (https://ejbca.org/features.html, archived 2019-06-07 at https://web.archive.org/web/20190607065910/https://ejbca.org/features.html).
* Nexus Certificate Manager supports CMP.
* Entrust Authority Security Manager implements CMP support.
* Insta Certifier CA implements CMPv2 support.


See also

* Simple Certificate Enrollment Protocol (SCEP)
* Certificate Management over CMS (CMC)
* Enrollment over Secure Transport (EST)
* Automated Certificate Management Environment (ACME)

