CMP Interoperability
The following covers EJBCA's interoperability with various clients, devices and libraries. For more general information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.
EJBCA's cmpclient
This is an EJBCA Enterprise feature.
EJBCA Enterprise includes a Java command-line client for CMP, used to request, renew and revoke certificates.
To build and run the cmpclient client, use the following (running the jar without arguments prints the available commands, and --help on a command prints its options):
$ ant cmpclient
$ cd dist/cmpclient
$ java -jar cmpclient.jar
$ java -jar cmpclient.jar crmf --help
An example workflow with one CMP alias (raalias) in RA mode, using password based (HMAC) authentication of the RA, and another CMP alias (clientupdate) in client mode that allows key updates authenticated with the existing certificate. The first request is protected with the shared password; the issued certificate and key are then packaged into a PKCS#12 keystore, which the update command uses to sign the renewal request:
$ java -jar cmpclient.jar crmf --dn "CN=tomas" --url http://192.168.122.230:8080/cmpProxy/raalias --authparam password --reqnewkeyspec RSA2048
$ openssl pkcs12 -export -inkey dest/tomas-key.pem -in dest/tomas.pem -certfile ManagementCA.cacert.pem -name tomas -out dest/tomas.p12
$ java -jar cmpclient.jar update --dn "CN=tomas" --url http://192.168.122.230:8080/cmpProxy/clientupdate --keystore dest/tomas.p12 --keystorepwd foo123 --extraCertsFriendlyName tomas --includepopo --reqnewkeyspec RSA2048
$ openssl x509 -in dest/tomas.pem -text
$ java -jar cmpclient.jar revoke --issuer "CN=ManagementCA,O=EJBCA Sample,C=SE" --serno 17b9a7b8ce44b3fa --url http://192.168.122.230:8080/cmpProxy/raalias --authparam password
You can use an https URL with the cmpclient, but unless the server certificate chains to a CA already trusted by the Java runtime you must provide a truststore to Java so the client can verify the server certificate (without it the TLS handshake fails). The truststore contains the Root CA certificate of the server certificate chain, for example a JKS file into which that certificate has been imported with keytool:
$ java -Djavax.net.ssl.trustStore=truststore.jks -jar cmpclient.jar crmf --dn "CN=tomas" --url https://ejbca.example.com:8442/ejbca/publicweb/cmp/cmpra --authparam password --reqnewkeyspec RSA2048
AET BlueX
CMP has been tested with BlueX from AET Europe. From EJBCA's point of view BlueX functions as an RA, with the same configuration options as for RSA jCert (see below).
Aventra
CMP has been tested with the Aventra card management system, using the same configuration as for BlueX above.
BouncyCastle
CMP has been tested with BouncyCastle CMP classes, available in BC 1.46 or later. Both client and RA mode should work. For sample implementations of client messages using BouncyCastle, see the CMP Operations Guide.
CMP for OpenSSL
CMP is included in OpenSSL from version 3.0: the cmpforopenssl code described below has been merged into the OpenSSL main branch and is available in OpenSSL Git, or in a 3.0 or later release when one is available on your platform.
CMP has been tested with cmpforopenssl, which was submitted for inclusion in OpenSSL; the code is available on GitHub at https://github.com/mpeylo/cmpossl. For documentation of the command, refer to https://github.com/mpeylo/cmpossl/blob/cmp/doc/man1/cmp.pod, and for a Quick Start guide tested with EJBCA, refer to https://github.com/mpeylo/cmpossl/wiki/Quick-Start.
The old client tool in cmpforopenssl was called cmpclient (not to be confused with EJBCA's own cmpclient above), while the new one is the cmp subcommand of the openssl command itself (openssl cmp). Only the new one is documented here. It works with EJBCA CMP in both RA mode and client mode.
See the CMP Operations Guide for more information about commands for cmpforopenssl.
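As an added example that is not part of the EJBCA documentation or of the cmpossl project, the following script drives the three operations shown above for EJBCA's cmpclient (initial request, key update and revocation) with the openssl cmp subcommand of OpenSSL 3.0 or later. The host, the alias names (raalias in RA mode protected with the shared secret, clientupdate in client mode authenticated with the existing certificate), the recipient DN and the shared secret are assumptions carried over from the cmpclient example and can be overridden through environment variables; CMP_DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the EJBCA documentation or the cmpossl project):
# enrol, renew and revoke against EJBCA CMP aliases with "openssl cmp" (OpenSSL >= 3.0).
# All values below are assumptions; override them through the environment.
set -eu

CMP_HOST="${CMP_HOST:-192.168.122.230:8080}"                   # EJBCA host:port (assumed)
RA_ALIAS="${RA_ALIAS:-raalias}"                                 # alias in RA mode, HMAC protected (assumed)
CLIENT_ALIAS="${CLIENT_ALIAS:-clientupdate}"                    # alias in client mode, signature protected (assumed)
CA_CERT="${CA_CERT:-ManagementCA.cacert.pem}"                   # CA certificate used to verify responses (assumed)
RECIPIENT="${RECIPIENT:-/CN=ManagementCA/O=EJBCA Sample/C=SE}"  # CA DN in OpenSSL slash notation (assumed)
RA_SECRET="${RA_SECRET:-password}"                              # shared secret from the alias authentication parameters (assumed)
CMP_DRY_RUN="${CMP_DRY_RUN:-0}"                                 # 1 = print the command instead of running it

# run: execute the command, or print it on one line when CMP_DRY_RUN=1.
run() {
  if [ "$CMP_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# cmp_genkey: generate an RSA-2048 key for a request (openssl cmp expects an existing key file).
cmp_genkey() {
  run openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1"
}

# cmp_ir: initial request through the RA-mode alias. The request is MAC-protected with the
# shared secret (-ref becomes the sender key identifier); the response is verified against
# CA_CERT. -unprotected_errors lets the client show EJBCA error responses that carry no protection.
cmp_ir() {
  cn="$1"; key="$2"; out="$3"
  run openssl cmp -cmd ir \
    -server "$CMP_HOST" -path "/ejbca/publicweb/cmp/$RA_ALIAS" \
    -ref "$cn" -secret "pass:$RA_SECRET" \
    -recipient "$RECIPIENT" -trusted "$CA_CERT" \
    -newkey "$key" -subject "/CN=$cn" \
    -certout "$out" -unprotected_errors
}

# cmp_kur: key update through the client-mode alias. The request is signed with the existing
# certificate and key (no shared secret involved); a fresh key goes into the new certificate.
cmp_kur() {
  cert="$1"; key="$2"; newkey="$3"; out="$4"
  run openssl cmp -cmd kur \
    -server "$CMP_HOST" -path "/ejbca/publicweb/cmp/$CLIENT_ALIAS" \
    -cert "$cert" -key "$key" -oldcert "$cert" \
    -recipient "$RECIPIENT" -trusted "$CA_CERT" \
    -newkey "$newkey" -certout "$out" -unprotected_errors
}

# cmp_rr: revocation request for an issued certificate through the RA-mode alias, MAC-protected
# like the initial request. Issuer and serial are taken from the certificate file. Reason 5 =
# cessationOfOperation (RFC 5280 CRLReason), 1 = keyCompromise.
cmp_rr() {
  cn="$1"; cert="$2"; reason="${3:-5}"
  run openssl cmp -cmd rr \
    -server "$CMP_HOST" -path "/ejbca/publicweb/cmp/$RA_ALIAS" \
    -ref "$cn" -secret "pass:$RA_SECRET" \
    -recipient "$RECIPIENT" -trusted "$CA_CERT" \
    -oldcert "$cert" -revreason "$reason" -unprotected_errors
}

# Full enrol / renew / revoke cycle; runs only when invoked as: sh cmp-ejbca.sh demo
if [ "${1:-}" = "demo" ]; then
  mkdir -p dest
  cmp_genkey dest/tomas-key.pem
  cmp_ir tomas dest/tomas-key.pem dest/tomas.pem
  cmp_genkey dest/tomas-key2.pem
  cmp_kur dest/tomas.pem dest/tomas-key.pem dest/tomas-key2.pem dest/tomas2.pem
  cmp_rr tomas dest/tomas2.pem 5
fi
```

The split of protection mirrors the alias configuration: ir and rr go to the RA-mode alias and are MAC-protected with the secret set in its authentication parameters, while kur goes to the client-mode alias and is signed with the certificate issued in the first step, which is what the EndEntityCertificate authentication module checks. For an https endpoint add -tls_used and -tls_trusted with the Root CA of the server certificate to the openssl cmp invocations, the same trust requirement as the Java truststore for cmpclient.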
Cryptlib
CMP has been tested with CryptLib.
Huawei Pico 3GPP
The Huawei Pico cell is confirmed to successfully receive operator certificates using CMPv2.
In order to authenticate the Pico cell for initial enrollment, the Huawei vendor CA must be imported in EJBCA: go to Certificate Authorities in the Admin GUI and import the Huawei Equipment Root CA as an External Certificate Authority by clicking Import CA Certificate. With Vendor Certificate Mode enabled in the alias below, EJBCA accepts the device's factory certificate, issued by that vendor CA, as authentication for the first request.
CMP Alias Settings
CMP Operational Mode - Client
CMP Authentication Module - EndEntityCertificate only
Extract Username Component - CN
Vendor Certificate Mode - Use
List Of Vendor CAs - Huawei Equipment Root CA
CMP Response Protection - Signature
CMP Response Additional CA certificates - Leave blank
PKI Message Response Additional CA certificates - Leave blank
Certificate Confirmation Default CA - Use whatever CA is configured in the End Entity
Automatic Key Update - Checked
Certificate renewal with same keys - Checked
Allow Server Generated Keys - Unchecked
Nested Message Trusted Certificates Path - Leave blank
End Entity Profile Settings
Batch Generation - Use
Subject DN Attributes, CN - Required
Default and Available Certificate Profiles - Set to your CMP Certificate profile
Default and Available CAs - Set to the Issuing CA that you have set in CMP Certificate Confirmation Default CA
Default Token - User Generated
Certificate Profile Settings
Available CAs - Set to the Issuing CA that you have set in CMP Certificate Confirmation Default CA
Apache configuration
Certain Pico devices only accept a CMP host and port, not a full URL with a path to the CMP alias. If this is the case, we recommend running Apache in front of the EJBCA JBoss/WildFly application server and letting it reverse-proxy everything arriving on a dedicated port to the EJBCA CMP alias URL. The configuration below does that (it requires mod_rewrite, mod_proxy and mod_proxy_ajp, and an AJP listener in the application server). Pick a port that is free on the Apache host; if Apache runs on the same host as WildFly, 8080 is normally already taken by WildFly's HTTP listener. Because every request on that port ends up at the 3gpp alias, expose it only to the devices that need it.
Listen 8080
<VirtualHost *:8080>
    DocumentRoot /var/www/html/
    # Disallow any HTTP method that is not HEAD, GET or POST
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST)$ [NC]
    RewriteRule .* - [F,L]
    # Since this is an additional port dedicated to the devices, all traffic on it is proxied to the CMP alias
    ProxyPass "/" "ajp://localhost/ejbca/publicweb/cmp/3gpp" keepalive=On ping=500ms retry=1 timeout=300
    ProxyPassReverse "/" "ajp://localhost/ejbca/publicweb/cmp/3gpp"
</VirtualHost>
RSA jCert
CMP has been tested using the RSA jCert toolkit for initialization requests. To run jCert as an RA, configure the CMP alias as follows:
CMP Operational Mode: RA Mode
Allow RA Verify Proof-of-Possession: enabled
CMP Response Protection: pbe
CMP Authentication Module: HMAC
CMP Authentication Parameters: your shared password
plus any other configuration you want for your RA.
Related Content
Page:CMP Proxy
Page:CMP Error Messages
Page:Using CMP with 3GPP
Page:CMP