Your browser does not allow storing cookies. We recommend enabling them.

PreviousNextUp[Front page] [Index]

Editing the CMP Service

Certificate Management Protocol (CMP) is an online certificate life-cycle management protocol that provides functions such as initial enrollment, certificate renewal, key update, and revocation request. Within SSH Tectia Certifier, CMP is used in the RA-CA communication. Also some PKI client applications use CMP to communicate with the CA. If there are RAs that connect to the SSH Tectia Certifier system or clients that use CMP, the system needs to have a CMP Service for providing the server-side functionality of the CMP.

Basic Settings

Service description is a free-form description of the Service and its function.

Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.

Service bind address is a mandatory field. The address is either an HTTP URL or a TCP URL, since CMP supports both transport mechanisms. Optionally, also Service domain name can be given (a fully qualified domain name). If the field is left empty, the name is generated from the Service bind address.

Service domain name and Service description are shown on the web enrollment pages. Service domain name is also shown on the entity print page.

Figure : Editing the CMP Service configuration

Allowed Operations

The Allowed operations check boxes can be used to select the CMP operations that are allowed via the service.

The following operations can be selected:

  • Allow enrollment based on pre-shared secrets

    Allows certificate enrollment using pre-shared keys as the initial authentication method.

  • Allow enrollment based on existing certificate (signature)

    Allows a certificate holder to request another certificate using the signature (with the key bound to the existing certificate) as the authentication method.

  • Allow revocation requests

    Allows a certificate holder to request revocation of an certificate using the pre-shared key (PSK). The PSK use count is not affected by this.

  • Allow key update requests

    Allows requesting a certificate for a new key. The old certificate is used for authentication and a similar certificate is requested for the new key.

  • Allow key backup

    Allows backing up a private key.

  • Allow key recovery requests

    Allows an end entity to request recovery of a backed-up private key. The entity has to authenticate itself using another key bound to the same entity.

    Key recovery requests by an RA are allowed irrespective of this setting.

Accessible CAs

Accessible CAs is used to define the CAs of the system that can be accessed via the Service. If all CAs can be used with the Service, click All CAs. If only some CAs can be used, click Only selected CAs, select the CAs you want to use with the service from the drop-down list, and click Add. Or click All except selected CAs and select the CAs that cannot be used and click Add.

Commiting Changes

Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.

PreviousNextUp[Front page] [Index]


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more