Certificate Management Protocol

CMP (Certificate Management Protocol)
family: unknown
field of application : certificate management
newest version: cmp2021(3)
OID of the newest version: 1.3.6.1.5.5.7.0.16
TCP/UDP port: 80 (http), 443 (https), 829 (pkix-3-ca-ra)
CMP in the TCP/IP model:
application CMP CMP
HTTP HTTPS CoAP SMTP ...
transport TCP
Internet IP (IPv4, IPv6)
link Ethernet Token
Bus
Token
Ring
FDDI ...
proposed standard:

RFC 4210 (CMPv2, 2005)
RFC 9480 (CMPv3, 2023)

obsolete standard:

RFC 2510 (CMPv1, 1999)

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI).

CMP is a very feature-rich and flexible protocol, supporting many types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER method.

CMP is described in RFC 4210. Enrollment request messages employ the Certificate Request Message Format (CRMF), described in RFC 4211. The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in RFC 5273.

History

edit

An obsolete version of CMP is described in RFC 2510, the respective CRMF version in RFC 2511.

In November 2023, CMP Updates, CMP Algorithms, and CoAP transfer for CMP, have been published as well as the Lightweight CMP Profile focusing on industrial use.

PKI Entities

edit

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP client, requesting one or more certificates for themselves from a certificate authority (CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RA), can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.

Features

edit
  • Self-contained messages with protection independent of transfer mechanism – as opposed to related protocols EST and SCEP, this supports end-to-end security.
  • Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
  • Key pair generation is usually done by the client side, but can also be requested from the server side.
  • Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP supports also other methods.
  • CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates).
  • In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery".
  • There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.

Transport

edit

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used.

  • Encapsulated in HTTP messages,[1] optionally using TLS (HTTPS) for additional protection.
  • Encapsulated in CoAP messages, optionally using DTLS for additional protection.[2]
  • TCP or any other reliable, connection-oriented transport protocol.
  • As a file, e.g., over FTP or SCP.
  • By email, using the MIME encoding standard.

The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.

Implementations

edit

See also

edit

References

edit