CMPv2

CMPv2, RFC 4210, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP), is a protocol between a Certificate Authority (CA) and an end entity. It provides multiple certificate management functions, such as certificate enrollment and certificate update.

The SR OS supports the following CMPv2 operations:

  • initial registration

    This is the process the SR OS uses to enroll a certificate with a specific CA for the first time.

    • A public/private key pair must be pre-provisioned before enrollment, either by local generation or by other means.

    • Users can optionally include a certificate or certificate chain in the extraCerts field of the initial registration request.

  • key pair update

    This is the process the SR OS uses to update an existing certificate, for example to refresh the key and certificate before they expire, or for any other reason.

  • certificate update

    This is a process where an initialized SR OS system obtains additional certificates.

  • polling

    In some cases, the CA may not return the certificate immediately, for example because processing the request needs manual intervention. In such cases, the SR OS supports polling requests and responses as described in Section 5.3.22, Polling Request and Response, in RFC 4210, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP).

The following lists some implementation details:

  • HTTP is the only supported transport protocol for CMPv2. HTTP 1.1 and 1.0 are supported and configurable.

  • All CMPv2 messages sent by the SR OS consist of only one PKI Message. The size of the sequence of PKI Messages is 1 in all cases.

  • Both the password-based MAC and the public key-based signature CMPv2 message protection are supported.

  • The SR OS only allows one outstanding ir/cr/kur request for each CMPv2 server. This means that no new requests are allowed while a pending request is present.
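As an added example (not SR OS code), the following Python model shows the client-side discipline described above: one outstanding ir/cr/kur per CMPv2 server, and the pollReq/pollRep loop of RFC 4210 section 5.3.22 when the CA defers issuance. The PkiMessage class, its fields and the CmpClient API are assumptions made for illustration; only the PKIBody tag numbers are taken from RFC 4210.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# PKIBody CHOICE tags from RFC 4210, section 5.1.2 (the only values here not constructed for the example)
IR, IP, CR, CP, KUR, KUP, POLL_REQ, POLL_REP = 0, 1, 2, 3, 7, 8, 25, 26
ENROLLMENT_REQUESTS = {IR, CR, KUR}             # limited to one outstanding request per server
FINAL_RESPONSE_FOR = {IR: IP, CR: CP, KUR: KUP}  # the response body that completes each request


@dataclass
class PkiMessage:
    """Constructed stand-in for a decoded PKIMessage: body tag, certReqId and pollRep checkAfter."""
    body_type: int
    cert_req_id: int
    check_after: Optional[int] = None   # seconds; only meaningful in a pollRep


class OutstandingRequestError(Exception):
    """Raised when a new ir/cr/kur is attempted while one is still pending for that server."""


@dataclass
class CmpClient:
    # server URL -> the ir/cr/kur still awaiting its ip/cp/kup
    pending: dict = field(default_factory=dict)

    def send_request(self, server: str, body_type: int, cert_req_id: int) -> PkiMessage:
        """Build an ir/cr/kur for `server`, refusing it if a request is already outstanding there."""
        if body_type not in ENROLLMENT_REQUESTS:
            raise ValueError(f"body type {body_type} is not ir/cr/kur")
        if server in self.pending:
            raise OutstandingRequestError(
                f"{server}: certReqId {self.pending[server].cert_req_id} still pending")
        msg = PkiMessage(body_type, cert_req_id)
        self.pending[server] = msg
        return msg

    def handle_response(self, server: str, resp: PkiMessage) -> Tuple[Optional[PkiMessage], int]:
        """Return (next message to send, seconds to wait first); (None, 0) once the final response arrived."""
        req = self.pending.get(server)
        if req is None:
            raise ValueError("response received with no outstanding request")
        if resp.cert_req_id != req.cert_req_id:
            raise ValueError("certReqId does not match the outstanding request")
        if resp.body_type == POLL_REP:
            # RFC 4210 5.3.22: the CA is not ready; wait checkAfter seconds, then send a pollReq
            return PkiMessage(POLL_REQ, req.cert_req_id), resp.check_after or 0
        if resp.body_type == FINAL_RESPONSE_FOR[req.body_type]:
            del self.pending[server]                 # slot is free for the next ir/cr/kur
            return None, 0
        raise ValueError(f"unexpected body type {resp.body_type} for request {req.body_type}")
```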