Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), which is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is defined in RFC 4210.
The Protocol Gateway CMP service is compliant with the Certificate Enrollment Protocol (CMP) v2 as profiled by 3GPP for LTE, see 3GPP TS 33.310 version 9.5.0, and supports both initial enrollment requests and update requests for certificate renewal.
If a password-based mac is to be used, it must be enabled in the cmpenroll certificate format. In the file cmpenroll.conf, set enroll.messagesigner.hmac.enabled to true. For information on settings in cmp.conf, see also CMP security configuration in Certificate Manager.
A certificate request is sent from the LTE eNodeB or Security Gateway via the CMP service to the Certificate Factory.
The request must contain the FQDN and must be signed either with a vendor device certificate, the old device certificate or a password-based mac. The FQDN is verified against the registrations in the database. The CMP request signature is verified and if it is signed with a certificate then the signature certificate is verified, and must be issued by a CA in the Certificate Manager database.
If the request meets all requirements, a certificate will be created and returned to the requesting hardware.