Certificate Management Protocol

An obsolete version of CMP is described in {{IETF RFC|2510}}, the respective CRMF version in {{IETF RFC|2511}}.

In November 2023, [https://datatracker.ietf.org/doc/html/rfc9480 CMP Updates], [https://datatracker.ietf.org/doc/html/rfc9481 CMP Algorithms], and [https://datatracker.ietf.org/doc/html/rfc9482 CoAP transfer for CMP], have been published as well as the [https://datatracker.ietf.org/doc/html/rfc9483 Lightweight CMP Profile] focusing on industrial use.

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP client, requesting one or more certificates for themselves from a certificate authority (CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RA), can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.

• Self-contained messages with protection independent of transfer mechanism – as opposed to related protocols EST and SCEP, this supports end-to-end security.
• Full certificate life-cycle support: an end entity can utilize CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
• Key pair generation is usually done by the client side, but can also be requested from the server side.
• Proof-of-possession is usually done by a self-signature of the requested certificate contents, but CMP supports also other methods.
• CMP supports the very important aspect of proof-of-origin in two formats: based on a shared secret (used initially) and signature-based (using pre-existing certificates).
• In case an end entity has lost its private key and it is stored by the CA, it might be recovered by requesting a "key pair recovery".
• There are various further types of requests possible, for instance to retrieve CA certificates and to obtain PKI parameters and preferences of the server side.

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used.

• Encapsulated in HTTP messages,[http://tools.ietf.org/html/rfc6712 RFC 6712 Internet X.509 Public Key Infrastructure – HTTP Transfer for the Certificate Management Protocol (CMP)] optionally using TLS (HTTPS) for additional protection.
• Encapsulated in CoAP messages, optionally using DTLS for additional protection.{{cite web | url=https://datatracker.ietf.org/doc/html/rfc9482 | title=Constrained Application Protocol (CoAP) Transfer for the Certificate Management Protocol | date=November 2023 | last1=Sahni | first1=Mohit | last2=Tripathi | first2=Saurabh }}
• TCP or any other reliable, connection-oriented transport protocol.
• As a file, e.g., over FTP or SCP.
• By email, using the MIME encoding standard.

The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.

{{Refexample|section|date=October 2021}}

• OpenSSL version 3.0 includes extensive CMP support in C.[https://github.com/mpeylo/cmpossl/wiki CMPforOpenSSL, GitHub page]
• Bouncy Castle offers a low-level CMP support in Java and C#.
• RSA BSAFE Cert-J provides CMP support.
• cryptlib provides CMP support.
• EJBCA, a CA software, implements a subset{{Cite web |url=https://www.ejbca.org/news/tech-update-ejbca-cmp/ |title=Tech update – CMP in EJBCA and Bouncy Castle |access-date=2022-06-21}}{{Cite web |url=https://ejbca.org/features.html |title=EJBCA - The Java EE Certificate Authority |access-date=2019-06-07 |archive-url=https://web.archive.org/web/20190607065910/https://ejbca.org/features.html |archive-date=2019-06-07 |url-status=dead }} of the CMP functions.

• Simple Certificate Enrollment Protocol (SCEP)
• Certificate Management over CMS (CMC)
• Enrollment over Secure Transport (EST)
• Automated Certificate Management Environment (ACME)

{{reflist}}

Category:Public key infrastructure

Category:Cryptographic protocols

Category:Internet Standards

Category:Internet protocols