
CMP Interoperability

The following covers EJBCA's interoperability with various clients, devices and libraries. For more general information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.

EJBCA's cmpclient

ENTERPRISE

EJBCA Enterprise includes a java command line client for CMP, used to request, renew and revoke certificates.

To build and run the cmpclient client, use the following:

BASH
$ ant cmpclient
$ cd dist/cmpclient
$ java -jar cmpclient.jar
$ java -jar cmpclient.jar crmf --help
$ java -jar cmpclient.jar p10cr --help


An example workflow can be done using the p10cr command, which sends a P10CR request body for the certificate creation. The below example uses an RA Mode CMP alias (cmpalias) with password authentication, and a Client Mode CMP alias (cmpupdate) with EndEntityCertificate enabled in the authentication module.

BASH
# Using a CSR created with OpenSSL.
$ openssl req -newkey rsa:2048 -keyout your-key.key -out your-request.csr
$ java -jar cmpclient.jar p10cr --dn "CN=yourCN" --csr "your-request.csr" --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

# Or without CSR, where a signature algorithm is required to be added to the command.
$ java -jar cmpclient.jar p10cr --dn "CN=yourCN" --sigalgorithm "SHA256WithRSA" --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

# Using the update command with the previously acquired certificate for authentication.
# (End Entity status must be changed from Generated to New, Failed or In Process before this step.)
$ openssl pkcs12 -export -inkey dest/yourCN-key.pem -in dest/yourCN.pem -certfile ManagementCA.cacert.pem -name yourCN -out dest/yourCN.p12
$ java -jar cmpclient.jar update --dn "CN=yourCN" --url http://localhost:8080/ejbca/publicweb/cmp/cmpupdate --keystore dest/yourCN.p12 --keystorepwd foo123 --extraCertsFriendlyName yourCN --includepopo --reqnewkeyspec RSA2048

# Revoking the certificate
$ openssl x509 -in dest/yourCN.pem -text
$ java -jar cmpclient.jar revoke --issuer "CN=ManagementCA,O=EJBCA Sample,C=SE" --serno 17b9a7b8ce44b3fa --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

You can use an HTTPS URL with the cmpclient, but you may need to provide a truststore to Java so that the client can verify the server certificate. The truststore contains the Root CA certificate of the server certificate chain.

CODE
java -Djavax.net.ssl.trustStore=truststore.jks -jar cmpclient.jar crmf --dn "CN=tomas" --url https://ejbca.example.com:8442/ejbca/publicweb/cmp/cmpra --authparam password --reqnewkeyspec RSA2048

Using encrCert Proof of Possession for KEM keys

For post-quantum keys, you can use encrCert (indirect) proof of possession, where the client asks the CA to send back the issued certificate in encrypted form. If the client is able to decrypt the received certificate, possession of the private key is demonstrated. The cmpclient automatically requests keyEncipherment+SubsequentMessage.encrCert POP in the request message if the includepopo flag is used and the key is a post-quantum KEM key. If these conditions are not met, for example when attempting to use an RSA key, the client returns an error message.

Example command:

CODE
./cmpclient.sh crmf --url http://localhost/ejbca/publicweb/cmp/encrcert --dn "CN=encrCertPOP" --authparam qw --reqnewkeyspec ML-KEM-512 --includepopo --v
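As an added illustration of the indirect POP flow described above (not cmpclient or EJBCA code): the CA encrypts the issued certificate to the requester's KEM public key and treats POP as established only if the client's certConf carries the hash of the decrypted certificate. A Diffie-Hellman-style KEM over a toy group and a SHA-256 keystream are assumed stand-ins for ML-KEM and CMS encryption; the message flow is the point, not the primitives.

```python
"""Model of CMP encrCert (indirect) proof of possession for a KEM key.

Toy model: a DH-style KEM over a small modular group stands in for ML-KEM,
and a SHA-256 keystream stands in for the CMS content encryption.
"""
import hashlib
import secrets

P = 2**127 - 1  # assumption: Mersenne prime used as a toy group modulus
G = 5           # assumption: toy group generator


def keygen():
    """Requester's KEM key pair (sk, pk)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def encaps(pk):
    """CA side: return (ciphertext, shared secret) for the requester's pk."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), pow(pk, r, P)


def decaps(sk, ct):
    """Client side: recover the shared secret with the private key."""
    return pow(ct, sk, P)


def keystream_xor(shared, data):
    """Symmetric toy cipher keyed from the KEM shared secret (XOR keystream)."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def ca_issue_encrypted(requester_pk):
    """CA issues a (constructed, placeholder) certificate and returns it encrypted."""
    cert = b"CERT:CN=encrCertPOP:pk=" + str(requester_pk).encode()
    ct, shared = encaps(requester_pk)
    return cert, ct, keystream_xor(shared, cert)


def client_confirm(sk, ct, enc_cert):
    """Client decrypts the certificate and sends back its hash (certConf)."""
    cert = keystream_xor(decaps(sk, ct), enc_cert)
    return hashlib.sha256(cert).hexdigest()


def verify_pop(requester_pk, client_sk):
    """CA accepts POP only if the certConf hash matches the issued certificate."""
    cert, ct, enc_cert = ca_issue_encrypted(requester_pk)
    return client_confirm(client_sk, ct, enc_cert) == hashlib.sha256(cert).hexdigest()
```

A client that does not hold the matching private key decrypts to garbage, so its certConf hash does not match and the CA rejects the POP.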

AET BlueX

CMP has been tested with BlueX from AET Europe. From EJBCA's point of view, BlueX functions as an RA with the same configuration options as for jCert.

Aventra

CMP has been tested with the Aventra card management system. The configuration is the same as for BlueX above.

BouncyCastle

CMP has been tested with BouncyCastle CMP classes, available in BC 1.46 or later. Both client and RA mode should work. For sample implementations of client messages using BouncyCastle, see the CMP Operations Guide.

CMP for OpenSSL

OpenSSL includes CMP support from version 3.0, that is, the cmpforopenssl code described below has been merged into OpenSSL main and is available from OpenSSL Git (or from a release, when available on your platform).

CMP has been tested with cmpforopenssl. cmpforopenssl was submitted for inclusion in OpenSSL and the code is available on GitHub at https://github.com/mpeylo/cmpossl. For documentation of the command, refer to https://github.com/mpeylo/cmpossl/blob/cmp/doc/man1/cmp.pod, and for a Quick Start guide tested with EJBCA, refer to https://github.com/mpeylo/cmpossl/wiki/Quick-Start.

The old client tool in cmpforopenssl was called cmpclient, while the new one is part of the openssl command itself. Only the new one is documented here. It works with EJBCA CMP in both RA mode and client mode.

See the CMP Operations Guide for more information about commands for cmpforopenssl.

Cryptlib

CMP has been tested with CryptLib.

RSA jCert

CMP has been tested using the RSA jCert toolkit for initialization requests. To run jCert as an RA, configure the CMP alias as follows:

  • CMP Operational Mode: RA Mode
  • Allow RA Verify Proof-of-Possession: enabled
  • CMP Response Protection: pbe
  • CMP Authentication Module: HMAC
  • CMP Authentication Parameters: your shared password
  • any other settings you want for your RA.
