Certificate Management Protocol
   HOME

TheInfoList



Click Here for Items Related To - Certificate Management Protocol
OR:
Certificate Management Protocol on:   [Wikipedia]   [Google]   [Amazon]

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the
IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...
used for obtaining X.509
digital certificates In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes the public key and informati ...
in a
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to fac ...
(PKI). CMP is a very feature-rich and flexible protocol, supporting many types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in
ASN.1 Abstract Syntax Notation One (ASN.1) is a standard interface description language (IDL) for defining data structures that can be serialized and deserialized in a cross-platform way. It is broadly used in telecommunications and computer networ ...
, using the DER method. CMP is described in . Enrollment request messages employ the Certificate Request Message Format (CRMF), described in . The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in .


History

An obsolete version of CMP is described in , the respective CRMF version in . In November 2023
CMP UpdatesCMP Algorithms
an
CoAP transfer for CMP
have been published as well as th
Lightweight CMP Profile
focusing on industrial use.


PKI Entities

In a
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to fac ...
(PKI), so-called end entities (EEs) act as CMP client, requesting one or more certificates for themselves from a
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...
(CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RA), can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.


Features

* Self-contained messages with protection independent of transfer mechanism – as opposed to related protocols EST and SCEP, this supports end-to-end security. * Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked. * Key pair generation is usually done by the client side, but can also be requested from the server side. * Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP supports also other methods. * CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates). * In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery". * There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.


Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used. * Encapsulated in
HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...
messages, optionally using TLS (
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protoc ...
) for additional protection. * Encapsulated in CoAP messages, optionally using
DTLS Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol ...
for additional protection. * TCP or any other reliable, connection-oriented transport protocol. * As a file, e.g., over
FTP The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and dat ...
or SCP. * By
email Electronic mail (usually shortened to email; alternatively hyphenated e-mail) is a method of transmitting and receiving Digital media, digital messages using electronics, electronic devices over a computer network. It was conceived in the ...
, using the
MIME A mime artist, or simply mime (from Greek language, Greek , , "imitator, actor"), is a person who uses ''mime'' (also called ''pantomime'' outside of Britain), the acting out of a story through body motions without the use of speech, as a the ...
encoding standard. The
Content-Type In information and communications technology, a media type, content type or MIME type is a two-part identifier for file formats and content formats. Their purpose is comparable to filename extensions and uniform type identifiers, in that they ide ...
used is ''application/pkixcmp''; older versions of the draft used ''application/pkixcmp-poll'', ''application/x-pkixcmp'' or ''application/x-pkixcmp-poll''.


Implementations

*
OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS web ...
version 3.0 includes extensive CMP support in C. *
Bouncy Castle Bounce or The Bounce may refer to: * Deflection (physics), the event where an object collides with and bounces against a plane surface Books * Mr. Bounce, a character from the Mr. Men series of children's books Broadcasting, film and TV * '' ...
offers a low-level CMP support in Java and C#. * RSA BSAFE Cert-J provides CMP support. *
cryptlib cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, a free software license compatible with the GNU General Public License. Alternatively, cryptlib is available under a pro ...
provides CMP support. * EJBCA, a CA software, implements a subset of the CMP functions.


See also

* Simple Certificate Enrollment Protocol (SCEP) * Certificate Management over CMS (CMC) * Enrollment over Secure Transport (EST) * Automated Certificate Management Environment (ACME)


References

{{reflist Public key infrastructure Cryptographic protocols Internet Standards Internet protocols