

This article describes the CA and RA enrollment modes used by the CMP and SCEP protocols, and how to use CA mode in Protocol Gateway.

About enrollment modes

The CMP and SCEP protocols specify two enrollment modes: 

  • CA mode - The CA key pair is used to protect the protocol messages.
  • RA mode - A separate device RA key pair is used to protect the protocol messages.

Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. CA mode is not supported, since the CA's private key should only be used for signing certificates and CRLs. When managing end entities, ensure that they operate in RA mode. 

However, some devices don't support RA mode and require that the CA key pair is used to protect the protocol messages. To support these devices in Protocol Gateway, follow the instructions below to configure the CA key pair so that it can be used as a device RA key pair. It is assumed that an HSM is used to store the CA keys.



Step-by-step instructions

To be able to use the CA certificate as an RA certificate in Protocol Gateway (PGW), the CA certificate key usage must be complemented with Digital Signature and Key Encipherment:

  1. Copy the format file that you will use to create the CA certificate; the format files are found under <server_root>/config/certformats.
  2. Open the new copy for editing.
  3. Add the following lines to the new format file:

    Add code in format file
    extension.keyusage.attributes.digitalsignature=true
    extension.keyusage.attributes.keyencipherment=true

  4. Restart the server to make it aware of the new format file.
  5. In Administrator's Workbench, create a CA key with the new format. See Create CA key in Certificate Manager.
  6. Verify that the resulting certificate has Digital Signature and Key Encipherment as key usage, in addition to Certificate Signing and CRL Signing.
  7. Put the new certificate in the HSM that is used by Protocol Gateway. See Install certificate.
  8. If you use two different HSMs for the CM server and Protocol Gateway, copy the key using your HSM's own tools.
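The verification step above (checking that the new CA certificate carries Digital Signature and Key Encipherment alongside Certificate Signing and CRL Signing) can be automated. The following Python decoder is an added example, not part of the original article or of Certificate Manager: it reads the DER-encoded KeyUsage BIT STRING found inside the extension's extnValue (RFC 5280 section 4.2.1.3), which you would extract from the certificate with any X.509 parser, and reports which usages a CA-as-RA certificate still lacks. The two sample values are constructed and not taken from a real certificate.

```python
# Added example: decode an X.509 KeyUsage extension and check whether the
# certificate can serve both as CA and as RA certificate in Protocol Gateway.
# Input is the DER BIT STRING inside the extension's extnValue (RFC 5280 4.2.1.3).

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# What the article's format file adds, plus what a CA certificate already has.
REQUIRED_FOR_CA_AS_RA = {"digitalSignature", "keyEncipherment", "keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage names whose bit is set in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]          # number of padding bits in the last byte
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    usages = set()
    total_bits = len(body) * 8 - unused
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first byte.
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(KEY_USAGE_BITS[bit])
    return usages


def missing_for_ca_as_ra(der: bytes) -> set:
    """Key usages the certificate still lacks to be used as RA by Protocol Gateway."""
    return REQUIRED_FOR_CA_AS_RA - decode_key_usage(der)


# Constructed sample values (not from a real certificate):
PLAIN_CA = bytes.fromhex("03020106")    # keyCertSign, cRLSign only
CA_AS_RA = bytes.fromhex("030201a6")    # + digitalSignature, keyEncipherment

if __name__ == "__main__":
    for name, der in (("plain CA", PLAIN_CA), ("CA as RA", CA_AS_RA)):
        print(name, sorted(decode_key_usage(der)), "missing:", sorted(missing_for_ca_as_ra(der)))
```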

To configure Protocol Gateway to use the new CA certificate as RA: 

  1. Open the properties file for editing, for example cmp.properties.
  2. Add a handler that uses the new CA certificate as RA certificate.
    Example: The handler defined below will be used when accessing <url>/cmp/example.

    Example: cmp.properties
    handler.1.filter = example
    handler.1.ra.keyfile =
    handler.1.ra.certificate.subject = exampleCA
    handler.1.ra.password = 1234
    handler.1.ra.pkcs11 = {ProgramFiles}/tomcatWorkingDirectory/cs2_pkcs11.dll