Your browser does not allow storing cookies. We recommend enabling them.

PreviousNextUp[Front page] [Index]

Editing the CMP Service

Certificate Management Protocol (CMP) is an online certificate life-cycle management protocol that provides functions such as initial enrollment, certificate renewal, key update, and revocation request. Within SSH Tectia Certifier, CMP is used in the RA-CA communication. Also some PKI client applications use CMP to communicate with the CA. If there are RAs that connect to the SSH Tectia Certifier system or clients that use CMP, the system needs to have a CMP Service for providing the server-side functionality of the CMP.

Basic Settings

Service description is a free-form description of the Service and its function.

Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.

Service bind address is a mandatory field. The address is either an HTTP URL or a TCP URL, since CMP supports both transport mechanisms. Optionally, also Service domain name can be given (a fully qualified domain name). If the field is left empty, the name is generated from the Service bind address.

Service domain name and Service description are shown on the web enrollment pages. Service domain name is also shown on the entity print page.

Figure : Editing the CMP Service configuration

Allowed Operations

The Allowed operations check boxes can be used to select the CMP operations that are allowed via the service.

The following operations can be selected:

  • Allow enrollment based on pre-shared secrets

    Allows certificate enrollment using pre-shared keys as the initial authentication method.

  • Allow enrollment based on existing certificate (signature)

    Allows a certificate holder to request another certificate using the signature (with the key bound to the existing certificate) as the authentication method.

  • Allow revocation requests

    Allows a certificate holder to request revocation of an certificate using the pre-shared key (PSK). The PSK use count is not affected by this.

  • Allow key update requests

    Allows requesting a certificate for a new key. The old certificate is used for authentication and a similar certificate is requested for the new key.

  • Allow key backup

    Allows backing up a private key.

  • Allow key recovery requests

    Allows an end entity to request recovery of a backed-up private key. The entity has to authenticate itself using another key bound to the same entity.

    Key recovery requests by an RA are allowed irrespective of this setting.

Accessible CAs

Accessible CAs is used to define the CAs of the system that can be accessed via the Service. If all CAs can be used with the Service, click All CAs. If only some CAs can be used, click Only selected CAs, select the CAs you want to use with the service from the drop-down list, and click Add. Or click All except selected CAs and select the CAs that cannot be used and click Add.

Commiting Changes

Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.

PreviousNextUp[Front page] [Index]




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now