Support for CMP messages
PKI Services supports the following request message types from
the client:
- Certificate request message (type cr)
- Revocation request message (type rr)
- PKCS #10 certificate request message (type p10cr)
- Certificate response message (type cp)
- Revocation response message (type rp)
- Error message (type error)
- The header, containing information common to many messages
- The body, containing information specific to the message
- Optionally, certificates that might be useful to the recipient
Table 1 identifies the fields in the PKIMessage structure defined in RFC 4210 that PKI Services supports.
| Field name | Notes |
|---|---|
| header | See Table 2. |
| body | See Table 3. |
| extraCerts | This field can be used by the client on
a certificate request message (cr) when PKI Services is generating
the public and private key for the requested certificate. This field
can contain a list of x.509 certificates to be used as recipients
of the private key to be returned by PKI Services. If this field is
present, the _PKISERV_CMP_HONOR_CLIENT_CERTS environment variable
determines whether extra certificates are allowed, and how many are
allowed. If allowed, and if PKI Services generates the public and
private key pair for the request, each certificate has a recipientInfo
structure added to the returned encrypted private key (PKCS #7 EnvelopedData structure). For information about the _PKISERV_CMP_HONOR_CLIENT_CERTS environment variable, seeTable 3. |
Table 2 identifies the fields in the PKIHeader structure defined in RFC 4210 that PKI Services supports.
| Field name | Notes |
|---|---|
| pvno | |
| sender | |
| recipient | If this GeneralName field
is in the form of a directoryName in a cr, p10cr,
or rr message, it can be used to determine the PKI
Services CA domain to which the request is directed. For information about how PKI Services determines the CA domain, see Determining the CA domain to which a request is routed. |
| transactionID | |
| generalInfo | The only InfoTypeAndValue recognized by PKI Services is ImplicitConfirm, which is required for cr and p10cr messages. This field is ignored if present on an rr request message. |
Table 3 identifies the values in the PKIBody structure defined in RFC 4210 that PKI Services supports. These are the CMP message types.
| Value | Description | Notes |
|---|---|---|
| cr | Certificate request | See Table 1. |
| cp | Certificate response | See Table 1. |
| p10cr | PKCS #10 certificate request | See Table 1. |
| rr | Revocation request | See Table 1. |
| rp | Revocation response | See Table 1. |
| error | Error message | See Table 1. |