Certificate Management Protocol

CMP (Certificate Management Protocol)
Family: unknown
Field of application: certificate management
Newest version: cmp2000(2)
OID of the newest version (ASN.1 module id-mod-cmp2000): 1.3.6.1.5.5.7.0.16
TCP/UDP port: 829 (pkix-3-ca-ra)

CMP in the TCP/IP model:
  Application: CMP, either directly over the transport layer or carried in HTTP, HTTPS, SMTP, ...
  Transport:   TCP
  Internet:    IP (IPv4, IPv6)
  Link:        Ethernet, Token Bus, Token Ring, FDDI, ...

Proposed standard: RFC 4210 (CMP, 2005)
Obsolete standard: RFC 2510 (CMP, 1999)

The Certificate Management Protocol (CMP) is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210 and is one of only two protocols so far that use the Certificate Request Message Format (CRMF), described in RFC 4211; the other is Certificate Management over CMS (CMC), described in RFC 5272. The obsolete earlier version of CMP is described in RFC 2510 and the corresponding CRMF version in RFC 2511.

CMP messages are ASN.1 structures encoded with DER and are usually carried in HTTP.


PKI Entities

A certificate authority (CA), which issues the certificates, acts as the server in a PKI that uses CMP. A client that obtains its certificates by means of this protocol is called an end entity (EE). Zero or more registration authorities (RAs) can be used to mediate between the EEs and the CA.

Features

An EE can use CMP to obtain certificates from the CA. This is done through an "initial registration/certification", a "key pair update" or a "certificate update" message sequence. By means of a revocation request it can also have one of its own certificates revoked. Using a "cross-certification request", a CA can obtain a certificate signed by another CA. If an EE has lost its private key and the CA has archived it, the key can be retrieved with a "key pair recovery" request.
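As an added example (not code from the page, from RFC 4210 or from any CMP implementation), the following Python builds the outer PKIMessage framing of an initialization request (ir) and its response (ip) and shows the checks an EE should apply before trusting a reply: the body type must be the one that answers the request, the transactionID must be the same, the recipNonce must echo the request's own senderNonce, and the protection must verify over the DER of header and body. Everything beyond the RFC 4210 structure is an assumption made for brevity: the DER helpers are minimal, the CertTemplate is left empty, sender and recipient are the NULL-DN, and the protection is an HMAC-SHA256 keyed with the raw shared secret standing in for the PasswordBasedMac algorithm (whose salted, iterated key derivation is not modelled).

```python
"""PKIMessage framing skeleton (RFC 4210 sect. 5.1) plus the reply checks an EE should make.
Added example, not code from the page or any CMP implementation: minimal DER helpers, an empty
CertTemplate, and an HMAC-SHA256 stand-in for the PasswordBasedMac protection (see protect())."""
import hashlib, hmac, os

# ---- minimal DER helpers; single-byte tags suffice for everything used here ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content): return bytes([tag]) + _der_len(len(content)) + content
def integer(v):        return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # non-negative only
def octets(b):         return tlv(0x04, b)
def seq(*parts):       return tlv(0x30, b"".join(parts))
def ctx(n, content):   return tlv(0xA0 | n, content)   # [n] EXPLICIT: the PKIXCMP module uses EXPLICIT TAGS

def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse_tlv(content, pos)
        out.append((tag, val))
    return out

# ---- PKIBody alternatives (RFC 4210 sect. 5.1.2) and the reply each request type expects ----
PKI_BODY = {0: "ir", 1: "ip", 2: "cr", 3: "cp", 4: "p10cr", 5: "popdecc", 6: "popdecr",
            7: "kur", 8: "kup", 9: "krr", 10: "krp", 11: "rr", 12: "rp", 13: "ccr", 14: "ccp",
            15: "ckuann", 16: "cann", 17: "rann", 18: "crlann", 19: "pkiconf", 20: "nested",
            21: "genm", 22: "genp", 23: "error", 24: "certConf", 25: "pollReq", 26: "pollRep"}
EXPECTED_REPLY = {"ir": "ip", "cr": "cp", "kur": "kup", "krr": "krp", "rr": "rp", "ccr": "ccp"}
NULL_DN = ctx(4, seq())            # GeneralName.directoryName holding an empty Name (the "NULL-DN")

def pki_header(transaction_id, sender_nonce, recip_nonce=None):
    fields = [integer(2), NULL_DN, NULL_DN,            # pvno cmp2000(2), sender, recipient
              ctx(4, octets(transaction_id)),         # transactionID [4]
              ctx(5, octets(sender_nonce))]           # senderNonce   [5]
    if recip_nonce is not None:
        fields.append(ctx(6, octets(recip_nonce)))    # recipNonce    [6]: echoes the peer's senderNonce
    return seq(*fields)

def ir_body():
    # ir [0] CertReqMessages: one CertReqMsg { certReq { certReqId 0, certTemplate {} } }. The empty
    # CertTemplate is a constructed placeholder; a real request carries subject, publicKey and a POP.
    return ctx(0, seq(seq(seq(integer(0), seq()))))

def ip_body():
    # ip [1] CertRepMessage { response { CertResponse { certReqId 0, status { accepted(0) } } } }, no cert attached
    return ctx(1, seq(seq(seq(integer(0), seq(integer(0))))))

def protect(header, body, secret):
    # MAC over DER(ProtectedPart ::= SEQUENCE { header, body }). HMAC-SHA256 with the raw secret is an
    # assumed stand-in for RFC 4210's PasswordBasedMac, whose salt/iteration key derivation is not modelled.
    mac = hmac.new(secret, seq(header, body), hashlib.sha256).digest()
    return ctx(0, tlv(0x03, b"\x00" + mac))            # protection [0] BIT STRING, zero unused bits

def pki_message(header, body, secret=None):
    parts = [header, body] + ([protect(header, body, secret)] if secret is not None else [])
    return seq(*parts)

def parse_pki_message(msg):
    parts = parse_children(parse_tlv(msg)[1])          # SEQUENCE { header, body, [0] protection, [1] extraCerts }
    (htag, hval), (btag, bval) = parts[0], parts[1]
    hfields = parse_children(hval)                     # pvno, sender, recipient, then optional [n]-tagged fields
    info = {"pvno": int.from_bytes(hfields[0][1], "big"), "body": PKI_BODY.get(btag & 0x1F),
            "protected_part": seq(tlv(htag, hval), tlv(btag, bval)), "protection": None}
    for ftag, fval in hfields[3:]:
        name = {4: "transactionID", 5: "senderNonce", 6: "recipNonce"}.get(ftag & 0x1F)
        if name: info[name] = parse_tlv(fval)[1]      # unwrap [n] EXPLICIT, keep the OCTET STRING value
    for ptag, pval in parts[2:]:
        if ptag == 0xA0: info["protection"] = parse_tlv(pval)[1][1:]   # [0] BIT STRING; drop unused-bits octet
    return info

def check_reply(request, reply, secret):
    """Problems with a reply to our request; an empty list means it passed these checks."""
    req, rep = parse_pki_message(request), parse_pki_message(reply)
    problems = []
    if rep["body"] != EXPECTED_REPLY.get(req["body"]): problems.append("body %s does not answer %s" % (rep["body"], req["body"]))
    if rep.get("transactionID") != req.get("transactionID"): problems.append("transactionID mismatch")
    if rep.get("recipNonce") != req.get("senderNonce"): problems.append("recipNonce does not echo our senderNonce (possible replay)")
    if rep["protection"] is None: problems.append("reply is unprotected")
    elif not hmac.compare_digest(hmac.new(secret, rep["protected_part"], hashlib.sha256).digest(), rep["protection"]):
        problems.append("protection MAC invalid")
    return problems

def demo(secret=b"constructed-shared-secret"):
    tid, nonce = os.urandom(16), os.urandom(16)
    request = pki_message(pki_header(tid, nonce), ir_body(), secret)
    genuine = pki_message(pki_header(tid, os.urandom(16), recip_nonce=nonce), ip_body(), secret)
    replayed = pki_message(pki_header(tid, os.urandom(16), recip_nonce=os.urandom(16)), ip_body(), secret)
    return check_reply(request, genuine, secret), check_reply(request, replayed, secret)
```

demo() returns an empty problem list for the genuine reply and flags the replayed one, whose recipNonce does not match the nonce the EE sent. The same parse_pki_message walker names any PKIBody alternative from the table, which is enough to tell ir/ip, kur/kup, rr/rp or ccr/ccp apart when dissecting captured CMP traffic.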

Transport

Several transports are provided for conveying CMP messages:[1]

  • Encapsulated in an HTTP message.
  • Directly over TCP or any other reliable, connection-oriented transport protocol.
  • As a file, e.g. over FTP or SCP.
  • By e-mail, using MIME encoding.

The MIME Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.

Implementations

  • The cryptlib library provides CMP support.
  • EJBCA, an open-source CA, implements a subset of the CMP functions.[2]
  • OpenSSL can produce and parse CMP messages when built with an additional patch.[3] (CMP support was later integrated into OpenSSL itself with version 3.0.)

References

  1. draft-ietf-pkix-cmp-transport-protocols: Internet X.509 Public Key Infrastructure - Transport Protocols for CMP (latest version)
  2. EJBCA - The J2EE Certificate Authority
  3. CMP for OpenSSL, SourceForge project page

Wikimedia Foundation. 2010.
