| CMP (Certificate Management Protocol) | |
|---|---|
| Family: | unknown |
| Field of application: | certificate management |
| Newest version: | cmp2000(2) |
| OID of the newest version: | 1.3.6.1.5.5.7.0.16 |
| TCP/UDP port: | 80 (http), 443 (https), 829 (pkix-3-ca-ra) |
| Proposed standard: | RFC 4210 (CMP, 2005) |
| Obsolete standard: | RFC 2510 (CMP, 1999) |
The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI).
CMP is a very feature-rich and flexible protocol, supporting any type of cryptography. CMP messages are self-contained, which, unlike EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER encoding rules.
CMP is described in RFC 4210. Enrollment request messages employ the Certificate Request Message Format (CRMF), described in RFC 4211. The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in RFC 5273.
An obsolete version of CMP is described in RFC 2510, the corresponding CRMF version in RFC 2511. A CMP update is in preparation, as is a Lightweight CMP Profile focusing on industrial use.
In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP clients, requesting one or more certificates for themselves from a certificate authority (CA), which issues the requested certificates and acts as the CMP server. Any number of registration authorities (RAs), possibly none, can mediate between the EEs and CAs; an RA has both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request", a CA can get a certificate signed by another CA.
CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used.
The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.
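The two facts above, that CMP messages are strict DER and that they arrive over HTTP under a small set of media types, are exactly what a CMP server or RA front end should check before handing a body to a full CMP implementation. The following script is an added example written for this article; it is not code from RFC 4210 or from any CMP implementation. It contains a tiny DER reader that rejects BER-only constructs (indefinite and non-minimal lengths), reads the `pvno` field that opens the PKIHeader (values `cmp1999(1)` and `cmp2000(2)` as defined in RFC 4210), and screens the HTTP Content-Type against the four media types listed above. The sample message it builds is a constructed skeleton with empty sender and recipient names and an empty body, enough to exercise the checks but not a valid certificate request; the function names are this example's own.

```python
"""Front-end checks for a CMP-over-HTTP receiver (added example, not RFC text).

1. Content-Type must be application/pkixcmp or one of the legacy variants.
2. The body must be a single DER SEQUENCE (the PKIMessage) whose PKIHeader
   starts with a known pvno INTEGER. Anything BER-only is rejected.
"""

# Media types named in the article; parameters (";charset=...") are ignored.
ACCEPTED_CONTENT_TYPES = {
    "application/pkixcmp", "application/pkixcmp-poll",
    "application/x-pkixcmp", "application/x-pkixcmp-poll",
}
# pvno values defined in RFC 4210's PKIHeader.
PVNO_NAMES = {1: "cmp1999", 2: "cmp2000"}

SEQUENCE, INTEGER = 0x30, 0x02
CTX4_EXPLICIT, CTX0_BODY = 0xA4, 0xA0  # [4] GeneralName.directoryName, [0] PKIBody.ir


def content_type_ok(header: str) -> bool:
    """Compare only the media type, case-insensitively, ignoring parameters."""
    return header.split(";", 1)[0].strip().lower() in ACCEPTED_CONTENT_TYPES


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a minimal (definite) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER in minimal two's-complement form (enough for pvno)."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return der_tlv(INTEGER, value.to_bytes(nbytes, "big", signed=True))


def der_read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, next_pos). Strict DER only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not needed for CMP outer structure")
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        lb = buf[pos:pos + n]
        if len(lb) != n:
            raise ValueError("truncated length")
        if lb[0] == 0 or (n == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length is BER, not DER")
        length = int.from_bytes(lb, "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated content")
    return tag, content, pos + length


def cmp_pvno(der: bytes) -> int:
    """Return the pvno of a DER PKIMessage, raising ValueError on malformed input."""
    tag, body, end = der_read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("PKIMessage must be exactly one DER SEQUENCE")
    htag, header, _ = der_read_tlv(body, 0)
    if htag != SEQUENCE:
        raise ValueError("PKIHeader SEQUENCE missing")
    ptag, pv, _ = der_read_tlv(header, 0)
    if ptag != INTEGER or not pv:
        raise ValueError("pvno INTEGER missing")
    pvno = int.from_bytes(pv, "big", signed=True)
    if pvno not in PVNO_NAMES:
        raise ValueError(f"unsupported pvno {pvno}")
    return pvno


def check_cmp_request(content_type: str, body: bytes):
    """Combined gate: (True, version name) or (False, reason)."""
    if not content_type_ok(content_type):
        return False, f"unexpected Content-Type {content_type!r}"
    try:
        return True, PVNO_NAMES[cmp_pvno(body)]
    except ValueError as exc:
        return False, str(exc)


def build_sample_message(pvno: int) -> bytes:
    """Constructed skeleton PKIMessage: header with pvno and empty names, empty ir body."""
    empty_name = der_tlv(CTX4_EXPLICIT, der_tlv(SEQUENCE, b""))
    header = der_tlv(SEQUENCE, der_integer(pvno) + empty_name + empty_name)
    body = der_tlv(CTX0_BODY, der_tlv(SEQUENCE, b""))
    return der_tlv(SEQUENCE, header + body)


if __name__ == "__main__":
    print(check_cmp_request("application/pkixcmp", build_sample_message(2)))
    print(check_cmp_request("application/pkixcmp", b"\x30\x80\x30\x03\x02\x01\x02\x00\x00"))
```

A real deployment would pass an accepted body on to a full ASN.1 decoder and then verify the PKIMessage protection; the point of this gate is to turn the transport-independence claim into a concrete rule, namely that the body is judged on its DER content alone, with the HTTP header used only as a cheap first filter.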