The CMP Service provides the certificate life-cycle management capabilities of the PKI. It acts as a server that handles incoming CMP messages, including certification requests and revocation requests, and it can be configured to use either TCP or HTTP as the transport for the Certificate Management Protocol (CMP).
The CMP implementation of SSH Tectia Certifier is based on Internet-Draft documents draft-ietf-pkix-rfc2510bis and draft-ietf-pkix-rfc2511bis, also known as CMPv2. The CMP messages currently supported in the CMP Service are:
- Initial request
- Cross-certification request
- PKCS#10 request
- Revocation request
- Certification requests signed by an initialized end entity
In CMP, an end entity sends an initial request when it enrolls its first certificate from a given CA. Subsequent certification requests can be signed with the still-valid private key, which allows automatic key renewal. Revocation requests are used to inform the CA that a certificate needs to be revoked.
The default port of the CMP Service for CMP over TCP is 829. For HTTP transport the default URL is http://host:8080/pkix/. Both parameters can be changed by editing the CMP Service in the Certifier Administration Service; see Section Editing the CMP Service.
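The TCP transport mentioned above carries each CMP message inside a small framing header. The following is an added example, not code from SSH Tectia Certifier, and it assumes that the TCP listener on port 829 uses the framing defined in RFC 2510 section 5.2 (a 4-byte length, a version byte fixed at 10, a flags byte whose bit 0 means "close connection", a message-type byte, then the DER-encoded value). It shows how a receiver should validate the header fields, in particular the declared length, before it allocates or waits for the body; the `MAX_VALUE_LEN` cap is a hypothetical local policy, not a protocol constant, and the sample frames are constructed here for illustration.

```python
"""Added example: encoding and defensive decoding of CMP-over-TCP frames.

Frame layout assumed from RFC 2510 section 5.2:
    length (4 bytes, big-endian) | version (1) | flags (1) | msgType (1) | value
The length field counts version, flags, msgType and value, but not itself.
"""
import struct

CMP_TCP_VERSION = 10            # protocol version byte fixed by RFC 2510 section 5.2
FLAG_CLOSE_CONNECTION = 0x01    # bit 0: peer closes the TCP connection after this message
HEADER = struct.Struct("!IBBB")  # length, version, flags, msgType (7 bytes in total)

MSG_TYPES = {
    0: "pkiReq", 1: "pollRep", 2: "pollReq",
    3: "finRep", 5: "pkiRep", 6: "errorMsgRep",
}

# Assumed local policy (not part of the protocol): refuse frames whose declared
# body is larger than this, so a bogus length cannot make the receiver buffer
# gigabytes while waiting for bytes that never arrive.
MAX_VALUE_LEN = 64 * 1024


def encode_frame(msg_type: int, value: bytes, close: bool = False) -> bytes:
    """Build one frame around an already DER-encoded value."""
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown CMP TCP message type {msg_type}")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value exceeds local size limit")
    flags = FLAG_CLOSE_CONNECTION if close else 0
    return HEADER.pack(len(value) + 3, CMP_TCP_VERSION, flags, msg_type) + value


def decode_frame(buf: bytes):
    """Parse one frame from the front of buf.

    Returns (type_name, close, value, remaining_bytes), or None when buf does
    not yet hold a complete frame. Raises ValueError on a malformed header,
    which a server should treat as a reason to drop the connection.
    """
    if len(buf) < HEADER.size:
        return None
    length, version, flags, msg_type = HEADER.unpack_from(buf)
    # Validate every header field before trusting the length.
    if length < 3:
        raise ValueError("length field smaller than the fixed header")
    if length - 3 > MAX_VALUE_LEN:
        raise ValueError(f"declared value length {length - 3} exceeds local size limit")
    if version != CMP_TCP_VERSION:
        raise ValueError(f"unsupported CMP TCP version {version}")
    if flags & ~FLAG_CLOSE_CONNECTION:
        raise ValueError("reserved flag bits set")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown CMP TCP message type {msg_type}")
    end = 4 + length  # 4 length bytes + everything the length field counts
    if len(buf) < end:
        return None  # header is sane; wait for the rest of the body
    value = buf[HEADER.size:end]
    return MSG_TYPES[msg_type], bool(flags & FLAG_CLOSE_CONNECTION), value, buf[end:]


def split_stream(buf: bytes):
    """Split a byte stream into all complete frames; trailing partial data is returned."""
    frames = []
    while True:
        parsed = decode_frame(buf)
        if parsed is None:
            return frames, buf
        type_name, close, value, buf = parsed
        frames.append((type_name, close, value))


def is_rejected(buf: bytes) -> bool:
    """True when decode_frame refuses buf as malformed (used for the checks below)."""
    try:
        decode_frame(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for a DER PKIMessage; real CMP bodies are far larger.
    sample_der = b"\x30\x03\x02\x01\x05"
    stream = encode_frame(0, sample_der) + encode_frame(5, sample_der, close=True)
    print(split_stream(stream))
```

A production receiver would read exactly `HEADER.size` bytes, run these checks, and only then read `length - 3` more bytes; the `split_stream` helper shows the same logic over a buffer that already holds several frames and a possible partial tail.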
SSH Tectia Certifier ships with a simple command-line utility that implements the client side of the functionality offered by the CMP Service. It can be used to generate private keys and to perform enrollment, key updates and revocation requests. For more information, see Section ssh-cmpclient.