Using the certificate management protocol (CMP) with PKI Services
Certificate management protocol (CMP) is an internet protocol used to manage X.509 digital certificates within a PKI. It is described in RFC 4210 and uses the certificate request message format (CRMF) described in RFC 4211. A certificate request message object is used within the protocol to convey a request for a certificate to a certificate authority. CMP messages are ASN.1-encoded. PKI Services allows a CMP client to communicate with it to request, revoke, suspend and resume certificates.
- PKI Services supports only a subset of the CMP messages, and only some fields in those messages. See Support for CMP messages for a description of the support.
- PKI Services supports only the HTTP protocol for CMP messages.
A CMP client must send its request directly to the HTTP Server (and port number) that handles client authentication requests. The request cannot be handled through a redirect statement.
Field | Length | Contents |
---|---|---|
Length | 32 bits | The length of the rest of the tcp-message (the length of the CMP message + 3) |
Version | 8 bits | 10 |
Flags | 8 bits | The least significant bit indicates a closed connection. The other bits are unused. |
Message type | 8 bits | Supported types are: |
Value | Variable, based on the length of the CMP message | The ASN.1 encoded CMP message |
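The framing in the table above is simple enough that a client or a gateway can validate it before any ASN.1 decoding is attempted, which keeps a malformed or truncated frame from ever reaching the CMP parser. The following Python is an added example written for this page; it is not PKI Services code and not part of any IBM product. It assumes only what the table states (32-bit Length covering the 3 fixed header bytes plus the CMP message, Version 10, a Flags byte whose least significant bit means "close connection", an 8-bit Message type, and a DER-encoded CMP message as the Value). The page does not list the supported Message type values, so the decoder extracts the byte without interpreting it. `SAMPLE_CMP_DER` is a constructed stand-in (a DER SEQUENCE containing one INTEGER), not a real CMP PKIMessage; the function and constant names are this example's own.

```python
import struct

TCP_MESSAGE_VERSION = 10      # Version field value given in the table
FLAG_CLOSE_CONNECTION = 0x01  # least significant bit of the Flags field
HEADER_LEN = 4 + 1 + 1 + 1    # Length (32 bits) + Version + Flags + Message type

# Constructed stand-in for an ASN.1-encoded CMP message: SEQUENCE { INTEGER 1 }.
# A real PKIMessage is also an outer SEQUENCE, which is all the checks below rely on.
SAMPLE_CMP_DER = bytes.fromhex("3003020101")


def der_outer_length(value: bytes) -> int:
    """Return the total encoded size of the outermost DER TLV in value.

    Only definite-length encodings are accepted (short form, or long form with
    at most 4 length octets), which is what DER requires for a CMP message.
    """
    if len(value) < 2:
        raise ValueError("value too short to be a DER TLV")
    first = value[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: n following octets hold the length
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length not allowed")
    if len(value) < 2 + n:
        raise ValueError("truncated DER length field")
    return 2 + n + int.from_bytes(value[2:2 + n], "big")


def encode_tcp_message(msg_type: int, cmp_der: bytes, close: bool = False) -> bytes:
    """Wrap an ASN.1-encoded CMP message in the tcp-message framing from the table."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("message type must fit in 8 bits")
    flags = FLAG_CLOSE_CONNECTION if close else 0
    # Length counts everything after the Length field: 3 header bytes + the CMP message.
    header = struct.pack("!IBBB", len(cmp_der) + 3, TCP_MESSAGE_VERSION, flags, msg_type)
    return header + cmp_der


def decode_tcp_message(data: bytes) -> dict:
    """Parse one tcp-message, rejecting any frame that is internally inconsistent."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated tcp-message header")
    length, version, flags, msg_type = struct.unpack("!IBBB", data[:HEADER_LEN])
    if version != TCP_MESSAGE_VERSION:
        raise ValueError(f"unsupported tcp-message version {version}")
    if flags & ~FLAG_CLOSE_CONNECTION:    # the table says the other bits are unused
        raise ValueError(f"reserved flag bits set: 0x{flags:02x}")
    if length < 3:
        raise ValueError("length field smaller than the fixed header part")
    value = data[HEADER_LEN:]
    if length - 3 != len(value):          # framing must agree with the bytes received
        raise ValueError(f"length field announces {length - 3} payload bytes, got {len(value)}")
    if value[:1] != b"\x30":              # a CMP message is an outer DER SEQUENCE
        raise ValueError("CMP message must be a DER SEQUENCE")
    if der_outer_length(value) != len(value):
        raise ValueError("DER length of the CMP message disagrees with the framing")
    return {
        "msg_type": msg_type,
        "close": bool(flags & FLAG_CLOSE_CONNECTION),
        "cmp_message": value,
    }


def roundtrip_demo() -> dict:
    """Frame the sample message, decode it again and return the parsed fields."""
    frame = encode_tcp_message(msg_type=0, cmp_der=SAMPLE_CMP_DER, close=True)
    return decode_tcp_message(frame)


if __name__ == "__main__":
    print(encode_tcp_message(0, SAMPLE_CMP_DER, close=True).hex())
    print(roundtrip_demo())
```

The two length checks are deliberately redundant: the Length field is what the transport reads first, and the DER length is what the ASN.1 decoder will trust, so a frame in which the two disagree is dropped before either side acts on it.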
The communication between the CMP client and the CGI program is over HTTPS only. Client authentication is required. The client (the CMP requester) needs to have a certificate installed in RACF® under the client’s ID. This certificate is used by the requester to authenticate itself, and its owner ID is used to access the PKI Services functions.