CMC support in Certificate Manager
This article describes the support for the Certificate Management over CMS (CMC) protocol in Nexus Certificate Manager via Protocol Gateway.
Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC) as well as the CMC Revocation Request Control, which is used to request that a certificate be revoked. A revocation request must be signed by an authorized CM officer holding the revocation role, and only one certificate revocation is allowed per request. CMC is an IETF standards-track protocol that carries certificate management messages in the Cryptographic Message Syntax (CMS). The protocol itself is defined in RFC 5272 and its transport mechanisms in RFC 5273.
Verification of certificate requests
Protocol Gateway provides additional security through the option to require the requester to be a CM Officer. Every request is verified in three stages:
- checking the message digest (the integrity of the signed content)
- checking the content type
- verifying that the officer who signed the request is authorized
Supported content types in requests and responses
The standard configuration supports the following content types of a request message:
- PKCS#10 (application/pkcs10)
- CMC request (application/pkcs7-mime; smime-type=cmc-request)
Supported content types of the response message:
- PKCS#7 certificates only (application/pkcs7-mime; smime-type=certsonly), with optional issuer chain
- X.509 certificate (application/pkix-cert)
- CMC response (application/pkcs7-mime; smime-type=cmc-response)
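The content-type stage of the verification described above has to cope with case differences, quoted parameter values and extra parameters (such as a file name) before it can match a request against the list above. The following is an added example, not Protocol Gateway code: it uses the standard-library MIME header parser to normalize a request Content-Type and map it to one of the supported request kinds, rejecting everything else. The table entries are taken from the lists on this page; the function names are this example's own.

```python
"""Classify the Content-Type of an incoming enrollment request (added example)."""
from email.message import Message

# (media type, smime-type parameter) -> request kind; entries from the page's list
REQUEST_TYPES = {
    ("application/pkcs10", None): "pkcs10",
    ("application/pkcs7-mime", "cmc-request"): "cmc-request",
}

# response content types the gateway may emit; entries from the page's list
RESPONSE_TYPES = {
    "certsonly": "application/pkcs7-mime; smime-type=certsonly",
    "pkix-cert": "application/pkix-cert",
    "cmc-response": "application/pkcs7-mime; smime-type=cmc-response",
}


def parse_content_type(header):
    """Return (lowercased media type, lowercased smime-type or None).

    email.message handles case-insensitive parameter names, quoting and any
    additional parameters, so 'Application/PKCS7-MIME; SMIME-Type="CMC-Request"'
    normalizes to ('application/pkcs7-mime', 'cmc-request').
    """
    msg = Message()
    msg["Content-Type"] = header
    smime = msg.get_param("smime-type")          # unquoted value or None
    if isinstance(smime, tuple):                 # RFC 2231-encoded parameter
        smime = smime[2]
    return msg.get_content_type(), (smime.lower() if smime else None)


def classify_request(header):
    """Map a request Content-Type to a supported kind or raise ValueError."""
    key = parse_content_type(header)
    if key not in REQUEST_TYPES:
        # e.g. application/pkcs7-mime without smime-type, or text/plain
        raise ValueError(f"unsupported request content type: {header!r}")
    return REQUEST_TYPES[key]


def is_supported_request(header):
    """Boolean form of classify_request for callers that only need accept/reject."""
    try:
        classify_request(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("application/pkcs10",
                   'Application/PKCS7-MIME; SMIME-Type="CMC-Request"; name=req.p7m',
                   "application/pkcs7-mime"):
        print(sample, "->", classify_request(sample) if is_supported_request(sample) else "rejected")
```

Note that a bare application/pkcs7-mime without an smime-type parameter is rejected rather than guessed at: the parameter is what distinguishes a CMC request from the other PKCS#7 message types.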
CMC status information
The CMC Status Info control returns information about the status of a request or response. It carries a code representing the success or failure of the operation.
The CMC service also supports the Revocation Request Control, which is used to request that a certificate be revoked. The request must contain the standard revocation information and be signed by an authorized CM officer holding the revocation role.
Only the mandatory fields (issuerName, serialNumber and reason) are taken into consideration; the optional fields (invalidityDate, sharedSecret and comment) are ignored.
Supported reason codes in CMC revocation
The following CRLReason codes are accepted in a CMC revocation request; a request carrying any other reason code is not accepted:
- Unspecified (0)
- KeyCompromise (1)
- AffiliationChanged (3)
- Superseded (4)
- CessationOfOperation (5)
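To make the field handling and the reason-code rule concrete, here is an added example (not Certificate Manager or Protocol Gateway code) that encodes an RFC 5272 RevokeRequest, the structure carried by the Revocation Request Control, parses it back with a minimal DER reader, and applies the rules stated above: only issuerName, serialNumber and reason are used, the optional fields are ignored, the reason must be one of the five listed codes, and one revocation is allowed per request. The issuer name and serial number are constructed sample values; the DER helpers and all function names are this example's own.

```python
"""RFC 5272 RevokeRequest: encode, parse and policy-check (added example, stdlib only)."""

# --- minimal DER helpers (universal tags from X.690) -------------------------
SEQUENCE, SET, INTEGER, ENUMERATED, OID, UTF8STRING, GENERALIZEDTIME = (
    0x30, 0x31, 0x02, 0x0A, 0x06, 0x0C, 0x18)


def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def der_int(value):
    """Non-negative INTEGER (serial numbers); extra byte keeps the sign bit clear."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))


def der_name(rdns):
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {type OID, value UTF8String}))."""
    return tlv(SEQUENCE, b"".join(
        tlv(SET, tlv(SEQUENCE, der_oid(oid) + tlv(UTF8STRING, val.encode())))
        for oid, val in rdns))


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


# --- RevokeRequest (RFC 5272 section 6.11) ----------------------------------
def encode_revoke_request(issuer, serial, reason, invalidity_date=None, comment=None):
    body = der_name(issuer) + der_int(serial) + tlv(ENUMERATED, bytes([reason]))
    if invalidity_date:                        # OPTIONAL GeneralizedTime, e.g. "20240101120000Z"
        body += tlv(GENERALIZEDTIME, invalidity_date.encode())
    if comment:                                # OPTIONAL UTF8String
        body += tlv(UTF8STRING, comment.encode())
    return tlv(SEQUENCE, body)


def parse_revoke_request(der):
    """Return the mandatory fields; optional trailing fields are counted but ignored."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("RevokeRequest must be a single SEQUENCE")
    fields = children(body)
    if len(fields) < 3 or [t for t, _ in fields[:3]] != [SEQUENCE, INTEGER, ENUMERATED]:
        raise ValueError("issuerName, serialNumber and reason are mandatory")
    issuer = []
    for _, rdn in children(fields[0][1]):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            issuer.append((decode_oid(oid), val.decode()))
    return {"issuerName": issuer,
            "serialNumber": int.from_bytes(fields[1][1], "big", signed=True),
            "reason": int.from_bytes(fields[2][1], "big", signed=True),
            "ignoredOptionalFields": len(fields) - 3}   # invalidityDate/sharedSecret/comment


# --- gateway policy from the page: allowed reasons, one revocation per request -
ALLOWED_REASONS = {0: "unspecified", 1: "keyCompromise", 3: "affiliationChanged",
                   4: "superseded", 5: "cessationOfOperation"}


def accept_revocation_controls(ders):
    """Return (issuerName, serialNumber, reason name) for the single accepted control."""
    if len(ders) != 1:
        raise ValueError("exactly one certificate revocation is allowed per request")
    req = parse_revoke_request(ders[0])
    if req["reason"] not in ALLOWED_REASONS:   # e.g. cACompromise(2), certificateHold(6)
        raise ValueError(f"CRLReason {req['reason']} is not accepted")
    return req["issuerName"], req["serialNumber"], ALLOWED_REASONS[req["reason"]]


def is_acceptable(ders):
    try:
        accept_revocation_controls(ders)
        return True
    except ValueError:
        return False


EXAMPLE_ISSUER = [("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Issuing CA")]  # constructed


def example_request():
    """Constructed request: keyCompromise(1) plus two optional fields that are ignored."""
    return encode_revoke_request(EXAMPLE_ISSUER, 0x1A2B3C, 1, "20240101120000Z", "laptop stolen")


if __name__ == "__main__":
    print(accept_revocation_controls([example_request()]))
    print(is_acceptable([encode_revoke_request(EXAMPLE_ISSUER, 7, 6)]))   # certificateHold -> False
```

The RevokeRequest is only the control body; in a real exchange it travels inside a PKIData wrapped in a CMS SignedData, and the signature check and officer-role check of the verification stages happen before this parsing. The structure check here rejects anything that is not exactly one outer SEQUENCE, which also catches trailing bytes appended after a valid request.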
Links
- RFC 5272 - Certificate Management over CMS (CMC)
- RFC 5273 - Certificate Management over CMS (CMC): Transport Protocols