Certificate Management Protocol
CMP (Certificate Management Protocol)
field of application: certificate management
newest version: cmp2000(2)
OID of the newest version: 1.3.6.1.5.5.7.0.16 (id-mod-cmp2000, the identifier of the ASN.1 module)
TCP/UDP port: 829 (pkix-3-ca-ra)
CMP in the TCP/IP model:
  application: CMP, carried over HTTP, HTTPS, SMTP, ...
  transport: TCP
  Internet: IP (IPv4, IPv6)
  link: Ethernet, Token Bus, Token Ring, FDDI, ...
proposed standard: RFC 4210 (CMP, 2005)
obsolete standard: RFC 2510 (CMP, 1999)


The Certificate Management Protocol (CMP) is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210 and is one of two protocols so far to use the Certificate Request Message Format (CRMF), described in RFC 4211; the other is Certificate Management over CMS (CMC), which is defined in RFC 5272 with its transport mechanisms in RFC 5273. An obsolete version of CMP is described in RFC 2510, the corresponding CRMF version in RFC 2511. RFC 4210 has since been updated by RFC 9480 (CMP Updates, 2023).

CMP messages (PKIMessage structures consisting of a header, a body, an optional protection field and optional extra certificates) are defined in ASN.1 and encoded with the Distinguished Encoding Rules (DER). They are usually encapsulated in HTTP, but the integrity protection of a message (a signature or a MAC in its protection field, computed over the DER-encoded header and body) is part of the message itself and does not depend on the transport.

PKI Entities

A certificate authority (CA), which issues the certificates, acts as the server in a PKI using CMP. A client that obtains its certificates by means of this protocol is called an end entity (EE). Zero or more registration authorities (RA) can be used to mediate between the EEs and the CA, for example to check a requester's identity before forwarding the request.

Features

An EE can use CMP to obtain certificates from the CA, through an "initial registration/certification", a "key pair update" or a "certificate update" message sequence. By means of a revocation request it can also have one of its own certificates revoked. Using a "cross-certification request", a CA can obtain a certificate signed by another CA. If an EE has lost its private key and a copy of that key is archived at the CA, the key can be recovered with a "key pair recovery" request; keys that were never archived cannot be recovered this way.

Transport

Several means of transport are foreseen for conveying CMP messages:
  • Encapsulated in an HTTP message (the HTTP transfer was later specified in detail in RFC 6712).
  • Over TCP or any other reliable, connection-oriented transport protocol.
  • As a file, e.g. over FTP or SCP.
  • By e-mail, using the MIME encoding standard.

The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll. Since none of these transports authenticates the CMP message itself, a receiver must verify the message's own protection (signature or MAC) and its header fields (transactionID, nonces) regardless of whether the connection used TLS.
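The following Python is an added example, not code from this page, from RFC 4210 or from any of the implementations listed below. It shows the two points made above: a PKIMessage is DER-encoded ASN.1, and its integrity protection travels inside the message rather than in the transport. It builds a minimal "genm" request (general message asking for the current CRL) whose header carries a PasswordBasedMac protectionAlg, a transactionID and a senderNonce, computes the MAC over DER(ProtectedPart), verifies it on the receiving side, rejects a replayed transactionID, and wraps the result in the HTTP framing with the Content-Type given above. Assumptions of this example: SHA-256 as the one-way function and HMAC-SHA256 as the MAC (RFC 4210 carries both as AlgorithmIdentifiers and a real client must use what the CA accepts), a local floor of 100 iterations (MIN_ITERATIONS, a policy choice), sender and recipient names reduced to a single CN, and a hand-written DER encoder and reader instead of an ASN.1 library. The function names build_genm, verify_pbm, http_request and the demo secret are this example's own.

```python
"""Build and verify a CMP (RFC 4210) PKIMessage: a 'genm' request protected with
PasswordBasedMac, plus HTTP framing. Hand-rolled DER, standard library only."""
import hashlib
import hmac
import os

OID_PBM = "1.2.840.113533.7.66.13"          # id-PasswordBasedMac (RFC 4210 5.1.3.1)
OID_SHA256 = "2.16.840.1.101.3.4.2.1"       # owf: this example's choice, must match the CA
OID_HMAC_SHA256 = "1.2.840.113549.2.9"      # mac: this example's choice, must match the CA
OID_CN = "2.5.4.3"
OID_IT_CURRENT_CRL = "1.3.6.1.5.5.7.4.6"    # id-it-currentCRL, a genm InfoType with no value
CMP2000 = 2                                  # PKIHeader.pvno cmp2000(2)
MIN_ITERATIONS = 100                         # local policy floor (assumption)

# --- minimal DER encoder; the PKIXCMP module uses EXPLICIT TAGS ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, *parts):
    content = b"".join(parts)
    return bytes([tag]) + _len(len(content)) + content

def INT(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def OID(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def SEQ(*p): return tlv(0x30, *p)
def OCTETS(b): return tlv(0x04, b)
def EXPLICIT(n, *p): return tlv(0xA0 | n, *p)    # [n] constructed wrapper

def name_cn(cn):   # GeneralName.directoryName [4] Name, one CN RDN
    return EXPLICIT(4, SEQ(tlv(0x31, SEQ(OID(OID_CN), tlv(0x0C, cn.encode())))))

def pbm_key(secret, salt, iterations):   # K = OWF^iterationCount(secret || salt)
    k = secret + salt
    for _ in range(iterations):
        k = hashlib.sha256(k).digest()
    return k

def build_genm(secret, sender_cn, recipient_cn, txid, nonce, salt, iterations=1000):
    """PKIMessage with a genm body; PBM computed over DER(ProtectedPart) = SEQ(header, body)."""
    pbm = SEQ(OCTETS(salt), SEQ(OID(OID_SHA256)), INT(iterations), SEQ(OID(OID_HMAC_SHA256)))
    header = SEQ(INT(CMP2000), name_cn(sender_cn), name_cn(recipient_cn),
                 EXPLICIT(1, SEQ(OID(OID_PBM), pbm)),   # protectionAlg
                 EXPLICIT(4, OCTETS(txid)),             # transactionID
                 EXPLICIT(5, OCTETS(nonce)))            # senderNonce
    body = EXPLICIT(21, SEQ(SEQ(OID(OID_IT_CURRENT_CRL))))   # genm [21]: one InfoTypeAndValue
    mac = hmac.new(pbm_key(secret, salt, iterations), SEQ(header, body), hashlib.sha256).digest()
    return SEQ(header, body, EXPLICIT(0, tlv(0x03, b"\x00" + mac)))   # protection [0] BIT STRING

# --- minimal DER reader ---
def _tlv(buf, pos):
    start, tag, l, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if l & 0x80:
        n = l & 0x7F
        l, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + l], buf[start:pos + l], pos + l

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, inner, raw, pos = _tlv(content, pos)
        out.append((tag, inner, raw))
    return out

def verify_pbm(msg, secret, seen_txids):
    """Return (ok, reason): check the MAC over DER(ProtectedPart), then reject replayed transactionIDs."""
    try:
        tag, content, _, _ = _tlv(msg, 0)
        header, body, *rest = children(content)
        hf = children(header[1])                      # pvno, sender, recipient, then tagged optionals
        opt = {t: c for t, c, _ in hf[3:]}
        prot = {t: c for t, c, _ in rest}
        if tag != 0x30 or int.from_bytes(hf[0][1], "big") != CMP2000:
            return False, "unexpected structure or pvno"
        if 0xA0 not in prot or 0xA1 not in opt:
            return False, "message is not protected"
        alg = children(children(opt[0xA1])[0][1])     # [algorithm OID, PBMParameter]
        if alg[0][2] != OID(OID_PBM):
            return False, "unexpected protection algorithm"
        salt, owf, iters, macalg = [x[1] for x in children(alg[1][1])]
        if children(owf)[0][2] != OID(OID_SHA256) or children(macalg)[0][2] != OID(OID_HMAC_SHA256):
            return False, "unsupported owf/mac"
        iterations = int.from_bytes(iters, "big")
        if iterations < MIN_ITERATIONS:
            return False, "iteration count below policy"
        expected = hmac.new(pbm_key(secret, salt, iterations), SEQ(header[2], body[2]), hashlib.sha256).digest()
        got = children(prot[0xA0])[0][1][1:]          # BIT STRING content minus the unused-bits octet
        if not hmac.compare_digest(expected, got):
            return False, "bad MAC"
        txid = children(opt[0xA4])[0][1] if 0xA4 in opt else None
        if txid is None or txid in seen_txids:
            return False, "missing or replayed transactionID"
        seen_txids.add(txid)
        return True, "ok"
    except (IndexError, ValueError):
        return False, "malformed message"

def http_request(host, path, msg):   # HTTP framing with the Content-Type from the text above
    head = f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/pkixcmp\r\nContent-Length: {len(msg)}\r\n\r\n"
    return head.encode() + msg

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed value; a CA issues a reference/secret pair per EE
    msg = build_genm(secret, "EE-demo", "CA-demo", os.urandom(16), os.urandom(16), os.urandom(16))
    seen = set()
    print(verify_pbm(msg, secret, seen), verify_pbm(msg, secret, seen), verify_pbm(msg, b"wrong", set()))
```

The order of checks in verify_pbm is deliberate: the MAC is verified before the transactionID is recorded, so an attacker without the secret cannot fill the replay table, and the iteration count is bounded below before the key derivation runs, so a forged header cannot force a trivially cheap MAC key. Only the outer SEQUENCE, the header and the protection field are parsed; everything else is checked only as far as the MAC covers it.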

Implementations

  • The library cryptlib provides CMP support.
  • EJBCA, a CA, implements a subset of the CMP functions.
  • OpenSSL is capable of producing and parsing CMP messages: OpenSSL 3.0 and later include this natively (the openssl cmp command); earlier releases required an additional patch.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.