Cryptographic Internet protocol

CMP (Certificate Management Protocol)

family: unknown
field of application: certificate management
newest version: cmp2021(3)
OID of the newest version: 1.3.6.1.5.5.7.0.16
TCP/UDP port: 80 (http), 443 (https), 829 (pkix-3-ca-ra)
CMP in the TCP/IP model:
    application: CMP; HTTP, HTTPS, CoAP, SMTP, ...
    transport: TCP
    Internet: IP (IPv4, IPv6)
    link: Ethernet, Token Bus, Token Ring, FDDI, ...
proposed standard: RFC 4210 (CMPv2, 2005), RFC 9480 (CMPv3, 2023)
obsolete standard: RFC 2510 (CMPv1, 1999)

The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI).

CMP is a very feature-rich and flexible protocol, supporting many types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER method.

CMP is described in RFC 4210. Enrollment request messages employ the Certificate Request Message Format (CRMF), described in RFC 4211. The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in RFC 5273.

History

An obsolete version of CMP is described in RFC 2510, the respective CRMF version in RFC 2511.

In November 2023, CMP Updates, CMP Algorithms, and CoAP transfer for CMP, have been published as well as the Lightweight CMP Profile focusing on industrial use.

PKI Entities

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP clients, requesting one or more certificates for themselves from a certificate authority (CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RAs) can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.

Features

Self-contained messages with protection independent of transfer mechanism – as opposed to related protocols EST and SCEP, this supports end-to-end security.
Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
Key pair generation is usually done by the client side, but can also be requested from the server side.
Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP also supports other methods.
CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates).
In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery".
There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.

Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used.

Encapsulated in HTTP messages, optionally using TLS (HTTPS) for additional protection.
Encapsulated in CoAP messages, optionally using DTLS for additional protection.
TCP or any other reliable, connection-oriented transport protocol.
As a file, e.g., over FTP or SCP.
By email, using the MIME encoding standard.

The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.

Implementations

OpenSSL version 3.0 includes extensive CMP support in C.
Bouncy Castle API offers low-level CMP support in Java and C#.
RSA BSAFE Cert-J provides CMP support.
cryptlib provides CMP support.
EJBCA, a CA software, implements a subset of the CMP functions.
Nexus Certificate Manager supports CMP.
Entrust Authority Security Manager implements CMP support.
Insta Certifier CA implements CMPv2 support.

See also

Simple Certificate Enrollment Protocol (SCEP)
Certificate Management over CMS (CMC)
Enrollment over Secure Transport (EST)
Automated Certificate Management Environment (ACME)