
CMC support in Certificate Manager

This article describes the support for the Certificate Management over CMS (CMC) protocol in Nexus Certificate Manager via Protocol Gateway.

Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC) as well as the Revocation Request Control, which is used to request that a certificate be revoked. The request must be signed by an authorized CM officer with the revocation role, and only one certificate revocation is allowed per request. CMC is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, and its transport mechanisms are defined in RFC 5273.

Verification of certificate requests 

Protocol Gateway provides additional security through the option to require the user to be a CM officer. Every request is verified in three stages:

  • checking the message digest
  • checking the content type
  • verifying the officer who signed the request

Supported content types in requests and responses 

The standard configuration supports the following content types of a request message:

  • PKCS#10 (application/pkcs10)
  • CMC request (application/pkcs7-mime; smime-type=cmc-request)

Supported content types of the response message:

  • PKCS#7 certificates only (application/pkcs7-mime; smime-type=certsonly) with optional issuer chain
  • X.509 certificate (application/pkix-cert)
  • CMC response (application/pkcs7-mime; smime-type=cmc-response)

CMC status information

The CMC Status Info control returns information about the status of a client/server request/response.

The status contains a code representing the success or failure of a specific operation. The CMC service supports the Revocation Request Control, which is used to request that a certificate be revoked. The request must contain the standard revocation information and be signed by an authorized CM officer with the revocation role.

Only the mandatory fields (issuerName, serialNumber and reason) are taken into consideration; the optional fields (invalidityDate, sharedSecret and comment) are ignored.

Supported reason codes in CMC revocation

The following reason codes are allowed in CMC revocation:

  • Unspecified (0)
  • KeyCompromise (1)
  • AffiliationChanged (3)
  • Superseded (4)
  • CessationOfOperation (5)
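
The following added example (not Nexus code and not part of the original article) shows a client-side pre-flight check of a DER-encoded revocation request body against the rules above: the three mandatory fields must be present, the reason code must be one of the allowed values, and any optional fields are reported as ignored. It assumes the field order and ASN.1 types of the RevokeRequest structure in RFC 5272. The function names and the sample request are constructed for illustration, and the CMS signature by the CM officer is not checked here.

```python
ALLOWED_REASONS = {0: "Unspecified", 1: "KeyCompromise", 3: "AffiliationChanged",
                   4: "Superseded", 5: "CessationOfOperation"}
# Universal tags of the optional fields (names as used in the article); all are ignored.
OPTIONAL_TAGS = {0x18: "invalidityDate", 0x04: "sharedSecret", 0x0C: "comment"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def check_revoke_request(der):
    """Validate the mandatory fields and list optional fields that will be ignored."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("RevokeRequest must be exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    # Mandatory: issuerName (SEQUENCE), serialNumber (INTEGER), reason (ENUMERATED).
    if [t for t, _ in fields[:3]] != [0x30, 0x02, 0x0A]:
        raise ValueError("issuerName, serialNumber and reason are mandatory")
    reason = fields[2][1]
    if len(reason) != 1 or reason[0] not in ALLOWED_REASONS:
        raise ValueError(f"reason code {reason.hex()} is not allowed in CMC revocation")
    return {"serial": int.from_bytes(fields[1][1], "big", signed=True),
            "reason": ALLOWED_REASONS[reason[0]],
            "ignored": [OPTIONAL_TAGS.get(t, hex(t)) for t, _ in fields[3:]]}

def tlv(tag, value):
    """Encode one short-form DER element (used only to build the sample)."""
    return bytes([tag, len(value)]) + value

def sample_request(reason, comment=None):
    """Constructed RevokeRequest: issuer CN=Example CA, serial 0x1234."""
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example CA"))))
    extra = tlv(0x0C, comment) if comment else b""
    return tlv(0x30, issuer + tlv(0x02, b"\x12\x34") + tlv(0x0A, bytes([reason])) + extra)
```

Calling `check_revoke_request(sample_request(1, b"token lost"))` returns the serial number, the reason name and `["comment"]` as the ignored field, while a reason code outside the list above raises `ValueError`.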

