Certificate Management Protocol (CMP)
Introduction
A public key certificate is a document which uses a digital signature to bind a public key to identity information, such as the name of a person or organisation, address, etc. The certificate can be used to verify that a public key belongs to an individual. Certificate Management Protocol (CMP) is an internet protocol standardised by the Internet Engineering Task Force (IETF) for obtaining X.509 digital certificates in a PKI. CMP is a feature-rich and flexible protocol and supports any type of cryptography.
Web RA provides this feature so that an entity can use CMP to obtain certificates from a CA, request updates for them, and also get them revoked.
How it works
CMP requests can be handled in two ways: MAC-based and signature-based.
Enrolment and usage of CMP generally follows this workflow:
MAC-based CMP Request:
- Web RA will generate a shared secret and communicate it to the client/End Entity in a secure manner.
- The client will use the shared secret to calculate the MAC over the CMP request and send it to Web RA. Web RA will verify the CMP request using the shared secret. If the request is verified, Web RA will send the request to the CA (ADSS Server).
- The CA (ADSS Server) will generate the certificate and return it to Web RA.
- Web RA will then use the shared secret to protect the certificate response and return it to the client.
Signature-based CMP Request:
- Obtain a copy of the Certificate Authority (CA) certificate and validate it.
- The CMP request signature is computed on the client end and the request is sent to Web RA.
- Web RA will verify the CMP message with the client's public key and send it to the CA (ADSS Server).
- The CA will generate the requested certificate and return it to Web RA.
- Web RA will use the server certificate to protect the CMP message and return it to the client. The client will verify the response using the trusted server certificate.
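The two protection modes described above, as an added illustration that is not Web RA's or ADSS Server's own code: the MAC-based path derives a key from the shared secret in the manner of RFC 4210's PasswordBasedMac (a one-way hash over secret || salt, applied iterationCount times) and computes an HMAC over the message's header and body, which the RA recomputes and compares; the signature-based path signs the same bytes with the client's private key and the RA verifies them with the client's public key (the client checks the response against the server certificate's key the same way). ASN.1 encoding of the PKIMessage is omitted, the protected part is a constructed byte string, SHA-256, HMAC-SHA256 and ECDSA P-256 are assumed choices, and the secret, salt and iteration count are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// pbmKey derives a MAC key from the shared secret the way RFC 4210's
// PasswordBasedMac (PBM) does: OWF(secret || salt), then OWF applied to the
// result again until iterationCount applications have been made.
// SHA-256 stands in for the OWF named in the PBMParameter (an assumption here).
func pbmKey(secret, salt []byte, iterationCount int) []byte {
	if iterationCount < 1 {
		iterationCount = 1
	}
	input := append(append([]byte{}, secret...), salt...)
	digest := sha256.Sum256(input)
	for i := 1; i < iterationCount; i++ {
		digest = sha256.Sum256(digest[:])
	}
	return digest[:]
}

// macProtect computes the value that goes into the PKIMessage protection field.
// protectedPart stands for the DER encoding of header and body (constructed here).
func macProtect(secret, salt, protectedPart []byte, iterationCount int) []byte {
	m := hmac.New(sha256.New, pbmKey(secret, salt, iterationCount))
	m.Write(protectedPart)
	return m.Sum(nil)
}

// macVerify is the RA-side check: recompute with the shared secret and compare
// in constant time, so a tampered message or a wrong secret is rejected.
func macVerify(secret, salt, protectedPart, protection []byte, iterationCount int) bool {
	return hmac.Equal(macProtect(secret, salt, protectedPart, iterationCount), protection)
}

// sigProtect is the signature-based alternative: the client signs the same
// protected part with its private key (ECDSA P-256 over SHA-256 is assumed).
func sigProtect(priv *ecdsa.PrivateKey, protectedPart []byte) ([]byte, error) {
	digest := sha256.Sum256(protectedPart)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// sigVerify is what the RA does with the client's public key, and what the
// client does with the trusted server certificate's key on the response.
func sigVerify(pub *ecdsa.PublicKey, protectedPart, signature []byte) bool {
	digest := sha256.Sum256(protectedPart)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

func main() {
	// Constructed sample values; real ones are ASN.1-encoded CMP structures.
	secret := []byte("constructed-shared-secret")
	salt := []byte("constructed-salt")
	request := []byte("PKIHeader+PKIBody(ir) for device-0001")
	const iterations = 1000

	protection := macProtect(secret, salt, request, iterations)
	fmt.Println("MAC protection:", hex.EncodeToString(protection))
	fmt.Println("RA verifies genuine request:", macVerify(secret, salt, request, protection, iterations))
	fmt.Println("RA verifies tampered request:", macVerify(secret, salt, append(request, '!'), protection, iterations))

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sig, err := sigProtect(clientKey, request)
	if err != nil {
		panic(err)
	}
	fmt.Println("RA verifies client signature:", sigVerify(&clientKey.PublicKey, request, sig))
	fmt.Println("RA verifies with tampered body:", sigVerify(&clientKey.PublicKey, append(request, '!'), sig))
}
```

The MAC path only protects against anyone who does not hold the shared secret, which is why the workflow above has Web RA distribute that secret to the End Entity securely before the first request; the signature path binds the request to a key the RA can tie to a validated certificate, so no per-device secret needs to be shared.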
Device enrolment in Web RA requires the following configurations:
- The Device Enrolment configuration is done to enable the CMP service in Web RA.
- The configuration requires the CMP Server PFX and its password, the CMP Server Certificate, the CMP Server Web RA URL and the Challenge type.
- The Web RA CMP Server starts working after configuration, processing the requests coming from the infrastructure devices.
Certificate Management Protocol

Field | Description
--- | ---
Enable Certificate Management Protocol (CMP) | Enable this checkbox to enable the CMP functionality.
CMP Server Encryption Auth Key (PFX) | When the GetCACert request is issued by the devices, the certificate is returned to the device. This certificate will be used to encrypt the communication between the device and the RA application. Note: Once the CMP option is enabled, it will be available to every user in each enterprise, and they can use CMP to get device certificates from the Web RA web portal.
CMP Server Encryption Auth Key (PFX) Password | Password to decrypt the key so that the application can use it.
Challenge Type | CMP provides an additional layer of security using a challenge value. The device puts this challenge in the device CSR and Web RA verifies it as part of request validation. There are three challenge password options available, as follows:
CMP URL | This is the CMP URL that the devices will use to communicate with Web RA.