|[Front page] [Index]|
Certificate Management Protocol (CMP) is an online certificate life-cycle management protocol that provides functions such as initial enrollment, certificate renewal, key update, and revocation request. Within SSH Tectia Certifier, CMP is used in the RA-CA communication. Also some PKI client applications use CMP to communicate with the CA. If there are RAs that connect to the SSH Tectia Certifier system or clients that use CMP, the system needs to have a CMP Service for providing the server-side functionality of the CMP.
Service description is a free-form description of the Service and its function.
Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.
Service bind address is a mandatory field. The address is either an HTTP URL or a TCP URL, since CMP supports both transport mechanisms. Optionally, also Service domain name can be given (a fully qualified domain name). If the field is left empty, the name is generated from the Service bind address.
Service domain name and Service description are shown on the web enrollment pages. Service domain name is also shown on the entity print page.
The Allowed operations check boxes can be used to select the CMP operations that are allowed via the service.
The following operations can be selected:
- Allow enrollment based on pre-shared secrets
Allows certificate enrollment using pre-shared keys as the initial authentication method.
- Allow enrollment based on existing certificate (signature)
Allows a certificate holder to request another certificate using the signature (with the key bound to the existing certificate) as the authentication method.
- Allow revocation requests
- Allow key update requests
Allows requesting a certificate for a new key. The old certificate is used for authentication and a similar certificate is requested for the new key.
- Allow key backup
Allows backing up a private key.
- Allow key recovery requests
Allows an end entity to request recovery of a backed-up private key. The entity has to authenticate itself using another key bound to the same entity.
Key recovery requests by an RA are allowed irrespective of this setting.
Accessible CAs is used to define the CAs of the system that can be accessed via the Service. If all CAs can be used with the Service, click All CAs. If only some CAs can be used, click Only selected CAs, select the CAs you want to use with the service from the drop-down list, and click Add. Or click All except selected CAs and select the CAs that cannot be used and click Add.
Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.