

CMP Service

The CMP Service provides PKI certificate life-cycle management. It acts as a server that handles incoming CMP messages, including certification requests and revocation requests, and can be configured to provide either TCP-based or HTTP-based transport for the Certificate Management Protocol (CMP).

The CMP implementation of SSH Tectia Certifier is based on Internet-Draft documents draft-ietf-pkix-rfc2510bis and draft-ietf-pkix-rfc2511bis, also known as CMPv2. The CMP messages currently supported in the CMP Service are:

  • Initial request
  • Cross-certification request
  • PKCS#10 request
  • Revocation request
  • Certification requests signed by an initialized end entity

In CMP, an end entity sends an initial request when it enrolls its first certificate from a given CA. Subsequent certification requests can be signed with the still-valid private key, which allows automatic key renewal. Revocation requests inform the CA that a certificate needs to be revoked.

The default port in the CMP Service for CMP on TCP is 829. For HTTP transport the URL is http://host:8080/pkix/. These parameters can be modified by editing the CMP Service via the Certifier Administration Service. See Section Editing the CMP Service.
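As an added example (not Certifier's own code), this is the CMP-over-TCP framing that a listener such as the CMP Service on port 829 must parse before it ever reaches the DER-encoded PKIMessage, together with the version, type and length checks a server should apply before buffering a body. The frame layout, version value and message-type codes are assumed from RFC 2510 section 5.2, since the page gives only the port; the PKIMessage body is a constructed placeholder.

```python
import struct

# Assumed framing from RFC 2510 section 5.2 (the rfc2510bis drafts the page cites
# moved transport to a separate draft); the version/type codes Certifier itself
# uses are not on the page, so the values below are an assumption.
TCP_VERSION = 10                    # "version 1.0"
FLAG_CLOSE_CONNECTION = 0x01        # bit 0: close the connection after this message
MSG_TYPES = {0: "pkiReq", 1: "pollRep", 2: "pollReq", 3: "finalMsgRep", 4: "errorMsgRep"}
MAX_VALUE_LEN = 64 * 1024           # defensive cap chosen for this example
HEADER = struct.Struct(">IBBB")     # length, version, flags, message-type

# Constructed placeholder body (a bare DER SEQUENCE, not a real PKIMessage); the framing treats it as opaque bytes.
CONSTRUCTED_PKIMESSAGE = b"\x30\x03\x02\x01\x00"

def encode_tcp_message(msg_type, value, close=False):
    """Wrap a DER PKIMessage (or a poll payload) in one TCP-Message frame."""
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message-type {msg_type}")
    flags = FLAG_CLOSE_CONNECTION if close else 0
    # length counts version + flags + message-type + value, i.e. len(value) + 3
    return HEADER.pack(len(value) + 3, TCP_VERSION, flags, msg_type) + value

def decode_tcp_message(data):
    """Parse one frame from a byte stream; returns (type name, close flag, value,
    unconsumed bytes). Raises ValueError on what a listener must not accept: wrong
    version, unknown type, a length that would buffer an unbounded body, truncation."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    length, version, flags, msg_type = HEADER.unpack_from(data)
    if version != TCP_VERSION:
        raise ValueError(f"unsupported transport version {version}")
    if length < 3 or length - 3 > MAX_VALUE_LEN:
        raise ValueError(f"rejected length field {length}")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message-type {msg_type}")
    end = HEADER.size + length - 3
    if len(data) < end:
        raise ValueError("truncated frame: wait for more bytes before parsing")
    return MSG_TYPES[msg_type], bool(flags & FLAG_CLOSE_CONNECTION), data[HEADER.size:end], data[end:]

def encode_poll_rep(poll_ref, check_after_s):
    """pollRep value: 32-bit polling reference then 32-bit time-to-check-back (seconds)."""
    return struct.pack(">II", poll_ref, check_after_s)

def rejects(data):
    try:
        decode_tcp_message(data)
        return False
    except ValueError:
        return True
```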

The RAs and CAs of SSH Tectia Certifier communicate with each other using CMP. SSH Token Master, whether used as an RA or as an end entity, also uses CMP to request certificates from the CA or RA.

SSH Tectia Certifier ships with a simple command-line utility that implements the client side of the CMP Service's server-side functionality. It can be used to generate private keys and to perform enrollment, key updates, and revocation requests. For more information, see Section ssh-cmpclient.
