Skip to main content
Skip table of contents

Example: CMP configuration in Protocol Gateway

This article describes a configuration example of the CMP protocol in Protocol Gateway, using the provided enrollment templates file.

Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), which is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is defined in RFC 4210. CMP is for example used in PKI for long-term evolution (LTE) networks, together with the 3GPP specification.

Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. For use with devices that don't support RA mode, see more information in Use CMP or SCEP protocol in CA mode.


Configure CMP protocol

Configure and sign imported CMP elements

The elements that were imported during the initial configuration are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes: 

  1. Modify Protocol Gateway CMP Certificate Procedure:

    1. Change Issuing CA to the Device Issuing CA.

    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.

  2. For each of the following token procedures, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.

    1. CMP Registration and Enroll Procedure
      This token procedure uses the input view GPIV 6 - Save and Search CMP Enrollment Registrations.

    2. CMP Password Registration and Enroll Procedure
      This token procedure uses the input view GPIV 7 - Save and Search CMP Password Enrollment Registrations.

The renewal parameters in the certificate procedure can be set to return the existing certificate for the same subject name and public key. This option is not compatible with the certificate confirmation step in CMP. 

Therefore, the UseExistingCertificate modifier is disabled in the cmpenroll certificate format and the Return existing until parameter in the Protocol Gateway CMP Certificate Procedure is not used. 

Set CMP properties

To set the properties for the CMP protocols: 

  1. Open \Nexus\cm-gateway\conf\ for editing.

  2. Modify the following properties: 

    1. Enable the CMP protocol by setting start to true

    2. Set default.tokenprocedure to CMP Registration and Enroll Procedure.

    3. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN. For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

  3. If needed, scramble sensitive parameters in the configuration file, for example the RA password. See Scramble sensitive data in configuration files in Protocol Gateway.

  4. Save the file.  

start = true
default.tokenprocedure = CMP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>

Restart Tomcat

Restart the Tomcat service. 

Test CMP protocol with Nexus test client

Configure Nexus CMP test client

For information on how to start using Nexus test client, see Set up and use test clients in Protocol Gateway.

To configure the CMP test client: 

  1. Copy the protocol-gateway-ra.cer to \Nexus\testclients\temp.

  2. Open the file for editing: 

  3. Set the parameter raCert to temp\protocol-gateway-ra.cer.

Create demo vendor and demo device

  1. In the command prompt, start an interactive session, by typing the command: 

    Example: Generate CMP request

    java –jar testtools.jar CMPClient interactive
  2. Generate a new Vendor CA with the CMP client, by running the vendorcacert command. 
    A demo Vendor CA certificate is created in the folder \Nexus\testclient\temp

  3. In Administrator's workbench (AWB), select Cross > Import Certificate. Select the Vendor CA certificate from \Nexus\testclient\temp.

  4. Create a demo device with the vendor command. A demo device is created with a serial number.  

Register wildcard CMP device

  1. In Registration Authority (RA) in Certificate Manager, go to the Order tab. 

  2. In Procedure, select CMP Password Registration and Enroll Procedure.

  3. Register a wildcard FQDN, by entering the following details:

    1.  In FQDN, enter *.
      Any device on this wildcard domain can get a certificate. For more information, see Allowed domain names for preregistration in Certificate Manager.

    2. In Validity time (days), enter the number of days that the registration shall be valid. 

    3. In State, select Open

Verify certificate request over CMP

To verify the installation using the Nexus CMP Client, in the same interactive CMPClient session, do the following: 

  1. Generate a key pair for the device with the genkeypair command.

  2. Create an initialization request with the ir command.

  3. Send the request with the send command.

  4. Build a confirmation of the certificate reception with the certconf command. 

  5. Send the certificate confirmation with the send command.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.