CMP Protocol
Certificate Management Protocol (CMP) is a flexible, extensible, standardized protocol that enables secure and automated management of digital certificates throughout their lifecycle. Operating primarily over HTTPS, CMP facilitates a wide range of PKI operations, including initial certificate enrollment, key updates, certificate revocation requests, and retrieval of CA certificates and Certificate Revocation Lists (CRLs).
CMP supports robust client authentication methods, including Basic Authentication as implemented in emCA, and ensures message integrity and authenticity through cryptographic protections such as digital signatures and password-based message authentication codes (MACs). Its rich message structure (PKIMessage) allows for asynchronous communication patterns, including polling for certificate issuance in delayed processing scenarios. CMP is widely used in enterprise and governmental PKI deployments requiring strong security, traceability, and automation.
Prerequisite
Create Certificate Template
Create the appropriate certificate template in emCA by following the steps outlined in Section 6.3 – Manage Profiles of the emCA User Manual. Be sure to record important details such as the Certificate Profile ID, as these will be required during the certificate enrollment process.
Configure Properties
Properties configuration must be defined in the database. The required values must be updated in the api_properties table to enable CMP server functionality.

Property Key             Value                    Status
CMPCertificateProfileID  CMP Cert Profile ID      Active
CMPAuthenticationCode    Password or secret code  Active
Use the following script to update the necessary values in the database (replace the 'xxxx' and 'XXXX' placeholders with your Certificate Profile ID and shared secret before running it):

-- Certificate template profile ID
UPDATE api_properties
SET prop_value = 'xxxx', prop_status = 1
WHERE prop_key = 'CMPCertificateProfileID';

-- Client authentication code or password
UPDATE api_properties
SET prop_value = 'XXXX', prop_status = 1
WHERE prop_key = 'CMPAuthenticationCode';
Restart Tomcat Services
To apply the configuration changes, it is necessary to restart the Tomcat services. Please follow the steps below to restart Tomcat:
Stop the Tomcat service
Run the following command to stop the Tomcat service:
$CATALINA_HOME/bin/shutdown.sh
Start the Tomcat service
Once the service is stopped, start it again using the following command:
$CATALINA_HOME/bin/startup.sh
CMP EndPoint
URL: https://www.example.com/emCAServices/cmp
Supported Endpoints
Endpoint     Method  Description
/enrollment  POST    Main endpoint for CMP-based certificate enrollment. Clients send PKIMessage requests to this endpoint.
Authentication
The emCA CMP Services application authenticates certificate management operations using a pre-configured shared secret.
CMP messages must be encapsulated in a ProtectedPKIMessage, which ensures message integrity and authenticity.
Clients are required to include a shared secret (authentication key), known in advance to both the client and the emCA server, to authenticate their requests.
This secret is used by the client to generate a Password-Based MAC (PBM) or other cryptographic protection in the protection field of the ProtectedPKIMessage.
The emCA CMP server validates the received message by verifying the PBM protection using the pre-configured shared secret associated with the client identity.
Only clients with valid shared secrets are authorized to perform operations such as certificate enrollment, revocation, or confirmation.
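As an added illustration, not emCA's own code, here is the PasswordBasedMac computation from RFC 4210 section 5.1.3.1 that this shared-secret protection relies on, showing the client-side protect step and the server-side verify step; the secret, salt, iteration count and ProtectedPart bytes are constructed sample values.

```python
import hashlib
import hmac

# RFC 4210 section 5.1.3.1 (PasswordBasedMac): the one-way function (OWF)
# is applied iterationCount times to (secret || salt); the final digest is
# the symmetric key used for the MAC.
def pbm_derive_key(secret: bytes, salt: bytes, iteration_count: int,
                   owf: str = "sha256") -> bytes:
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    key = secret + salt
    for _ in range(iteration_count):
        key = hashlib.new(owf, key).digest()
    return key

# Client side: MAC over the DER-encoded ProtectedPart (header + body),
# carried in the protection field of the PKIMessage.
def pbm_protect(protected_part_der: bytes, secret: bytes, salt: bytes,
                iteration_count: int, owf: str = "sha256",
                mac: str = "sha256") -> bytes:
    key = pbm_derive_key(secret, salt, iteration_count, owf)
    return hmac.new(key, protected_part_der, mac).digest()

# Server side: recompute with the pre-configured shared secret for this
# sender and compare in constant time. The PBMParameter (salt, owf,
# iterationCount, mac) is taken from the message's protectionAlg field.
def pbm_verify(protected_part_der: bytes, protection: bytes, secret: bytes,
               salt: bytes, iteration_count: int, owf: str = "sha256",
               mac: str = "sha256") -> bool:
    expected = pbm_protect(protected_part_der, secret, salt,
                           iteration_count, owf, mac)
    return hmac.compare_digest(expected, protection)

# Constructed sample values (not real emCA data): the shared secret that
# would be stored under CMPAuthenticationCode, a fixed salt, and stand-in
# bytes for the DER-encoded ProtectedPart of an enrollment request.
SHARED_SECRET = b"example-shared-secret"
SALT = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
ITERATIONS = 1000
PROTECTED_PART = b"\x30\x82\x01\x00" + b"constructed header+body stand-in"

def demo() -> dict:
    protection = pbm_protect(PROTECTED_PART, SHARED_SECRET, SALT, ITERATIONS)
    return {
        "valid": pbm_verify(PROTECTED_PART, protection, SHARED_SECRET, SALT, ITERATIONS),
        "wrong_secret": pbm_verify(PROTECTED_PART, protection, b"wrong", SALT, ITERATIONS),
        "tampered_body": pbm_verify(PROTECTED_PART + b"x", protection, SHARED_SECRET, SALT, ITERATIONS),
    }

if __name__ == "__main__":
    print(demo())
```

A request whose MAC fails this check is what the server answers with the 401 status described below; a rejected MAC on a well-formed message is therefore worth logging with the sender identity from the PKIHeader.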
HTTP Response Status Code
Status Code  Reason                  Description
200          OK                      The CMP server processed the PKIMessage successfully and returned a valid response.
400          Bad Request             Sent when the client sends an improperly formatted PKIMessage, an unsupported operation, or missing fields.
401          Unauthorized            Returned when the CMP client failed to authenticate using a TLS client certificate, the shared secret, or another method.
415          Unsupported Media Type  Returned when the request is not sent with application/pkixcmp as the Content-Type.