Using the certificate management protocol (CMP) with PKI Services

Certificate management protocol (CMP) is an internet protocol used to manage X.509 digital certificates within a PKI. It is described in RFC 4210 and uses the certificate request message format (CRMF) described in RFC 4211. A certificate request message object is used within the protocol to convey a request for a certificate to a certificate authority. CMP messages are ASN.1-encoded. PKI Services allows a CMP client to communicate with it to request, revoke, suspend and resume certificates.

Restrictions: The following restrictions apply to the PKI Services support for CMP:
  1. PKI Services supports only a subset of the CMP messages, and only some fields in those messages. See Support for CMP messages for a description of the support.
  2. PKI Services supports only the HTTP protocol for CMP messages.
PKI Services implements CMP through a CGI program. The tcp-message is sent to the PKI CMP CGI program by HTTPS POST, as specified in Internet X.509 Public Key Infrastructure -- Transport Protocols for CMP. The entire POST body is the message, and the mime-type for both requester and responder (client and server) is application/pkixcmp.

Note: The application/pkixcmp mime-type requires that the entire tcp-message be Base64-encoded.

When a CMP client sends a request to the HTTP Server, it must send the request directly to the HTTP Server (and port number) that handles the client authentication requests. The request cannot be handled by a redirect statement.

Table 1 shows the format of version 10 tcp-messages (the only existing version):

Table 1. Format of tcp-messages

| Field        | Length                                          | Contents                                                                                    |
|--------------|-------------------------------------------------|---------------------------------------------------------------------------------------------|
| Length       | 32 bits                                         | The length of the rest of the tcp-message (the length of the CMP message + 3)               |
| Version      | 8 bits                                          | 10                                                                                          |
| Flags        | 8 bits                                          | The least significant bit indicates a closed connection. The other bits are unused.         |
| Message type | 8 bits                                          | One of the supported types listed below                                                     |
| Value        | Variable, based on the length of the CMP message | The ASN.1 encoded CMP message                                                              |

Supported message types are:
  • pkiReq, value X'00', indicating a synchronous request
  • pkiRep, value X'05', indicating a synchronous response
  • errorMsgRep, value X'06', indicating an error
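The following Python is an added example, not PKI Services product code, showing how the Table 1 framing and the Base64 application/pkixcmp POST body fit together: it builds a version 10 tcp-message around an ASN.1 payload, and parses one back while checking the length field, version and message type so that malformed framing is rejected before the CMP message itself is decoded. The payload is a constructed DER stub (SEQUENCE { INTEGER 1 }), not a real CMP PKIMessage, and the function and constant names are this example's own.

```python
"""Frame, unframe and transport-encode CMP tcp-messages as laid out in Table 1.

Added example; not part of PKI Services. SAMPLE_CMP_DER is a constructed DER
stand-in for an ASN.1 encoded CMP message, not a real PKIMessage.
"""
import base64
import struct

TCP_MSG_VERSION = 10          # the only existing tcp-message version
FLAG_CLOSE_CONNECTION = 0x01  # least significant flag bit; the other bits are unused

# Message types PKI Services supports (Table 1)
PKI_REQ = 0x00        # synchronous request
PKI_REP = 0x05        # synchronous response
ERROR_MSG_REP = 0x06  # error
SUPPORTED_TYPES = {PKI_REQ: "pkiReq", PKI_REP: "pkiRep", ERROR_MSG_REP: "errorMsgRep"}

HEADER_FMT = ">IBBB"                      # 32-bit length, version, flags, message type (big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 7 bytes

# Constructed placeholder payload: DER SEQUENCE { INTEGER 1 }
SAMPLE_CMP_DER = bytes.fromhex("3003020101")


def build_tcp_message(cmp_der: bytes, msg_type: int, close: bool = False) -> bytes:
    """Wrap an ASN.1 encoded CMP message in version 10 tcp-message framing."""
    if msg_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported message type X'{msg_type:02X}'")
    flags = FLAG_CLOSE_CONNECTION if close else 0x00
    # The length field covers version + flags + type (3 bytes) plus the CMP message.
    header = struct.pack(HEADER_FMT, len(cmp_der) + 3, TCP_MSG_VERSION, flags, msg_type)
    return header + cmp_der


def parse_tcp_message(raw: bytes) -> dict:
    """Validate tcp-message framing and split out the CMP payload.

    Raises ValueError on a truncated header, unknown version, length field that
    disagrees with the bytes actually present, or unsupported message type.
    """
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated tcp-message header")
    length, version, flags, msg_type = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if version != TCP_MSG_VERSION:
        raise ValueError(f"unsupported tcp-message version {version}")
    # Everything after the 4-byte length field must be exactly `length` bytes.
    if length != len(raw) - 4:
        raise ValueError(f"length field {length} does not match {len(raw) - 4} bytes present")
    if msg_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported message type X'{msg_type:02X}'")
    return {
        "type": SUPPORTED_TYPES[msg_type],
        "close_connection": bool(flags & FLAG_CLOSE_CONNECTION),
        "cmp_der": raw[HEADER_LEN:],
    }


def to_http_body(tcp_message: bytes) -> bytes:
    """application/pkixcmp POST body: the entire tcp-message, Base64-encoded."""
    return base64.b64encode(tcp_message)


def from_http_body(body: bytes) -> dict:
    """Decode a Base64 POST body (rejecting non-alphabet bytes) and validate the framing."""
    return parse_tcp_message(base64.b64decode(body, validate=True))


if __name__ == "__main__":
    request = build_tcp_message(SAMPLE_CMP_DER, PKI_REQ)
    print("tcp-message:", request.hex())
    print("POST body:  ", to_http_body(request).decode())
    print("parsed:     ", from_http_body(to_http_body(request)))
```

The parser deliberately checks the length field against the bytes actually received rather than trusting it, since a responder that slices the payload by the declared length alone will misread any message whose length field and body disagree.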

The communication between the CMP client and the CGI program is over HTTPS only. Client authentication is required. The client (the CMP requester) needs to have a certificate installed in RACF® under the client’s ID. This certificate is used by the requester to authenticate itself, and its owner ID is used to access the PKI Services functions.