Certificate Management Protocol
| CMP (Certificate Management Protocol) | |
|---|---|
| Family: | unknown |
| Operation area: | Certificate management |
| Latest version: | cmp2000 (2) |
| Latest version OID: | 1.3.6.1.5.5.7.0.16 |
| TCP / UDP port: | 829 (pkix-3-ca-ra) |
| Suggested standard: | RFC 4210 (CMP, 2005) |
| Obsolete standard: | RFC 2510 (CMP, 1999) |
The Certificate Management Protocol (CMP) is an IETF protocol for managing digital certificates in a public key infrastructure (PKI) based on the X.509 standard. The protocol governs the interaction between the components of a PKI, such as the certification authority (CA) and the registration authority (RA), and an application or a user.
Message types
A CMP message can be one of the following types:
- Initialization request
- Initialization response
- Certification request
- Certification response
- PKCS #10 certification request
- Proof-of-possession challenge
- Proof-of-possession response
- Key update request
- Key update response
- Key recovery request
- Key recovery response
- Revocation request
- Revocation response
- Cross-certification request
- Cross-certification response
- CA key update announcement
- Certificate announcement
- Revocation announcement
- CRL announcement
- Confirmation
- Nested message
- General message
- General response
- Error message
- Certificate confirmation
- Poll request
- Poll response
Message format
CMP messages are DER-encoded ASN.1 data structures. The basic structure consists of a header, whose content is common to most message types, and a body, which carries the information specific to the respective type. In addition, a message may include protection data that lets the recipient verify its integrity, as well as additional certificates that may be useful to the recipient.
The body of the request types for initialization, certification, key update, key recovery and cross-certification follows the Certificate Request Message Format defined in RFC 4211 (CRMF). The formats of the remaining messages are described in RFC 4210, which defines CMP itself.
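The following is an added example, not code from the article or from any of the implementations named below: a small DER walker that dissects the top level of an RFC 4210 PKIMessage into the header, body, protection and extra-certificate fields described above, using a hand-constructed pkiconf message as input. The sample bytes and the dummy protection value are constructed for illustration and do not form a real signed message.

```python
# Added example: dissect the top level of an RFC 4210 PKIMessage.
# The PKIXCMP module uses EXPLICIT tags, so the PKIBody CHOICE alternatives
# and the optional protection/extraCerts fields appear as constructed
# context-specific tags wrapping the inner value.

# PKIBody CHOICE alternatives by context tag number (RFC 4210, section 5.1.2).
BODY_TYPES = (
    "ir", "ip", "cr", "cp", "p10cr", "popdecc", "popdecr", "kur", "kup",
    "krr", "krp", "rr", "rp", "ccr", "ccp", "ckuann", "cann", "rann",
    "crlann", "pkiconf", "nested", "genm", "genp", "error", "certConf",
    "pollReq", "pollRep",
)

def read_tlv(buf):
    """Return (tag_class, constructed, tag_number, contents, remainder) for one DER TLV."""
    first = buf[0]
    cls, constructed, num = first >> 6, bool(first & 0x20), first & 0x1F
    if num == 0x1F:  # high-tag-number form never occurs at the CMP top level
        raise ValueError("unsupported high tag number")
    pos, length = 1, buf[1]
    pos += 1
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes, big-endian
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return cls, constructed, num, buf[pos:end], buf[end:]

def expect(buf, cls, num):
    """Read one TLV and require a specific tag class/number."""
    c, _, n, contents, rest = read_tlv(buf)
    if (c, n) != (cls, num):
        raise ValueError(f"expected tag {cls}/{num}, got {c}/{n}")
    return contents, rest

def parse_pkimessage(der):
    """Split a PKIMessage into its fields; inner values stay as raw DER bytes."""
    msg, trailing = expect(der, 0, 16)          # PKIMessage ::= SEQUENCE
    if trailing:
        raise ValueError("trailing bytes after PKIMessage")
    header, msg = expect(msg, 0, 16)            # header PKIHeader ::= SEQUENCE
    pvno_bytes, _ = expect(header, 0, 2)        # pvno INTEGER is the first header field
    pvno = int.from_bytes(pvno_bytes, "big", signed=True)
    cls, _, num, body, msg = read_tlv(msg)      # body PKIBody, explicit [n] tag
    if cls != 2 or num >= len(BODY_TYPES):
        raise ValueError("unknown PKIBody alternative")
    result = {"pvno": pvno, "body_type": BODY_TYPES[num], "body": body,
              "protection": None, "extraCerts": None}
    for field, tag in (("protection", 0), ("extraCerts", 1)):  # optional, in order
        if msg and read_tlv(msg)[0] == 2 and read_tlv(msg)[2] == tag:
            result[field], msg = read_tlv(msg)[3:5]
    if msg:
        raise ValueError("unexpected bytes at end of PKIMessage")
    return result

# Constructed sample: pvno cmp2000(2), empty sender/recipient Names,
# body pkiconf ([19] NULL) and a dummy protection BIT STRING.
SAMPLE = bytes.fromhex("3017" "300b020102a4023000a4023000" "b3020500" "a004030200ff")
```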
Transport
There are several options for transporting CMP messages:
- Via TCP or any other reliable, connection-oriented transport protocol.
- Encapsulated in an HTTP message.
- In a file, e.g. via FTP or SCP.
- By e-mail using the MIME encoding standard. The content type is set to application/pkixcmp; older versions of the standard used application/x-pkixcmp.
According to Peter Gutmann, the author of cryptlib, transport encapsulated in HTTP is the most common.
Implementations
- The cryptlib library implements CMP components.
- EJBCA, a CA written in Java, implements a subset of the CMP functions.
- OpenSSL can generate and parse CMP messages on the client side; an additional patch is required for this.
- The Certifier from the Finnish company Insta supports CMP.
- BouncyCastle supports CMP for Java and C#. However, the implementations in versions 1.3x (Java) and 1.7x (C#) and earlier are incorrect.
Norms and standards
- RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols [Obsolete, replaced by RFC 4210]
- RFC 4210 Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
- RFC 6712 Internet X.509 Public Key Infrastructure - HTTP Transfer for the Certificate Management Protocol (CMP) [extension of RFC 4210]