Enrolling in RA Mode

cmpforopenssl works with EJBCA in RA mode with the following EJBCA configuration, using for example alias "opensslra" (unmentioned configurations = default):

You can then use cmpforopenssl (as an RA):

This requests a certificate, defining the subject DN that will be used. The CA used to sign the certificate is specified in the EJBCA CMP configuration and can be taken from the keyid. EJBCA authenticated the request using the HMAC protection with the password, and accepts any request upon correct authentication.

You can request server generated keys by omitting the public key in the certificate request, using the same request as an ir, but without public key. Note however that the cmpclient cannot be used since no cmpclient parameters support omitting the public key. For example Java code, refer to the test class CrmfRequestTest.test12ServerGeneratedKeys().

For p10cr request type:

First generate a CSR of the type PKCS10 and the RSA key pair using the following command (subject flag is not supported in case of p10cr):

Then use the following openssl command to get a certificate from EJBCA cmp backend:

Note that in the above command ref is the common name mentioned in the CSR and the secret used is of type password and should be set in the alias accordingly.

Revoking a Certificate in RA Mode

To revoke an issued certificate the RA can send a CMP Revoke Request:

Note that the ref value is a random value.

Enrolling in Client Mode with HMAC Password Authentication

cmpforopenssl works with EJBCA in client mode, with HMAC password authentication, using the following EJBCA configuration with for example the alias "opensslclient" (unmentioned configurations = default):

You can now add a new user in EJBCA:

You can then use cmpforopenssl (as a client):

This requests a certificate, and the requested subject DN must match the registered subject DN. EJBCA authenticates the request using the HMAC protection with the password of the registered user. See the CMP documentation above for more advanced configuration.

In case of p10cr requests (assuming new user1 with status GENERATED exists in EJBCA):

First create a PKCS#10 CSR using the following command:

Then you can use that csr with openssl p10cr sub-command to issue a certificate as follows:

Enrolling in Client Mode, Client Certificate Authentication

cmpforopenssl works with with EJBCA in client mode, with certificate authentication, using the following EJBCA configuration with alias tex. "openssleec" (unmentioned configurations = default):

You can now issue a certificate using certificate authentication in EJBCA (the end entity needs a certificate before so we re-use user1 from above):

You can then use cmpforopenssl (as a client):

This requests a certificate, and the requested subject DN must match the registered subject DN. EJBCA authenticates the request using the signature protection with the certificate of the registered user. See the CMP documentation above for more advanced configuration.

You can also use a 'cr' instead of an 'ir';

In case of p10cr message you can use the following openssl command (set the user1 status back to 10 before):

user1.key is the key used to sign the original CSR.

Enrolling Device with HMAC password

A typical PKI workflow using CMP involves enrolling a device with a certificate and then having the device automatically renew the certificate when it is about to expire.

1. Generate a key pair.

2. Initial enrolment of client certificate using a one-time enrollment code.

3. Generate a new key pair.

4. Renew with a new certificate for the new key pair, authenticated using the old key pair and certificate.

The above steps can be simulated in reality using the openssl and cmpforopenssl client, but also using the EJBCA cmpclient.

This works with a default cmpalias (named cmp) configured with parameters:

1. Generate a key pair:

   $ ./openssl genrsa -out certs/cl_key.pem 2048

2. Initial enrolment:
   Before initial enrolment, add a new End Entity in EJBCA, in this example with user name cmptest and subject DN 'CN=cmptest', and enrolment code 'CMP-pwd' (clear text password should be set for the cmptest user).

   openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/cmp -srvcert ManagementCA.cacert.pem -ref cmptest -secret pass:CMP-pwd -newkey certs/cl_key.pem -certout certs/cl_cert.pem -subject "/CN=cmptest"

3. Generate a new key pair:

   $ ./openssl genrsa -out certs/cl_new_key.pem 2048

4. Renew with a new certificate (cmptest user status should be set back to 10 (NEW)):

   openssl cmp -cmd kur -server localhost:8080 -path ejbca/publicweb/cmp/cmp -srvcert ManagementCA.cacert.pem -key certs/cl_key.pem -cert certs/cl_cert.pem -newkey certs/cl_new_key.pem -certout certs/cl_new_cert.pem

   For p10cr request type key update, generate a new key pair first:

Set the status of the cmptestp10cr user (assuming it already exists in EJBCA) back to NEW (10) :

And update the keys (getting a new cert) using the new key pair generated above with the following command: