raVerified CMP requests

Overview

In a CMP environment where a Registration Authority (RA) either modifies requests from an End-Entity (EE) or sends requests on behalf of an EE, the CA side must accept CMP requests that carry the 'raVerified' Proof-Of-Possession (POP) instead of a signature-based one. More information can be found in [CMP].

In CM, CMP can work in three different POP verification modes:

  • client (default): allows signature-based POP only.
  • ra: allows both raVerified and signature-based POP.
  • ra-strict: allows raVerified POP only.

Configuration

Prerequisites

CMP configured in mode ra or ra-strict uses the CF Production Order service to dynamically create CMP registrations. This requires that the parameter CardProductionManager.start is set to true in cm.conf.

Procedure policy objects
  1. These steps can be skipped if you already have a token procedure for CMP issuance and want to use it for both signature-based and ra-based POP.
  2. Launch the Nexus Administrators Workbench client (AWB).
  3. Create a new certificate procedure using the AWB. The certificate format must be cmpenroll.
  4. Create a new token procedure using the AWB. It should reference the created certificate procedure, have storage profile pkcs10 and the inputview GPIV 6 - Save and Search CMP Enrollment Registrations.

Handler configuration in cmp.properties

The remaining task is to configure the PGW request handler which is to receive CMP requests with raVerified POP.

The handler must reference the previously created token procedure in its handler.<n>.tokenprocedure setting. The handler.<n>.mode setting, set to one of the three modes listed above, determines which kinds of POP the handler accepts.

In either of the two ra modes, certificate pinning, officer validation, or both must be specified. Certificate pinning is configured with ramode.certs.<n>, and officer validation with ramode.officervalidation. If a handler is in an ra mode and neither is configured, PGW aborts startup.

Parameters

CMP raVerified handler

CMP raVerified filter. The request URL to match this handler.

CODE
handler.4.filter = ra

CMP raVerified format. Must be set to cmp.

CODE
handler.4.format = cmp

CMP token procedure. The token procedure created in the AWB.

CODE
handler.4.tokenprocedure = CMP Registration and Enroll Procedure

CMP raVerified mode. One of the three POP verification modes.

CODE
handler.4.mode = [client | ra | ra-strict]

CMP raVerified ramode certificate pinning. A list of RA signer certificates to use when validating incoming requests; the index <n> starts at 0.

CODE
handler.4.ramode.certs.0 = relative/path/to/signer/cert.cer

CMP raVerified officer validation. Defines whether the requesting RA certificate is forwarded to CF for officer validation.

CODE
handler.4.ramode.officervalidation = [true | false]

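As an added pre-flight check (example code written for this page, not part of Protocol Gateway or the Nexus documentation), the following Python script applies the rules above to a cmp.properties text before PGW is started: the format must be cmp, a token procedure must be set, the mode must be one of client, ra or ra-strict, and a handler in an ra mode must carry at least one ramode.certs.<n> entry or ramode.officervalidation = true, the condition whose absence makes PGW abort startup. The sample properties, the certificate path and the handler indexes are constructed; only the property names come from this page.

```python
"""Pre-flight check for PGW cmp.properties handler entries.

Added example, not Nexus code. It checks the rules this page states so that a
misconfigured handler is caught in review rather than as a PGW startup abort.
"""
import re
from collections import defaultdict

VALID_MODES = {"client", "ra", "ra-strict"}
RA_MODES = {"ra", "ra-strict"}

# Matches "handler.<n>.<key> = <value>". The key may itself be dotted
# (e.g. ramode.certs.0), so only the handler index is split off.
_HANDLER_LINE = re.compile(r"^handler\.(\d+)\.(\S+?)\s*=\s*(.*)$")


def parse_handlers(text):
    """Group handler.<n>.* properties by handler index.

    Returns {index: {key: value}}. Comment lines (# or !), blank lines and
    properties that do not belong to a handler are ignored.
    """
    handlers = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _HANDLER_LINE.match(line)
        if m:
            idx, key, value = m.groups()
            handlers[int(idx)][key] = value.strip()
    return dict(handlers)


def check_handler(idx, props):
    """Return the list of problems for one CMP handler; empty if it is sound."""
    problems = []
    if props.get("format") != "cmp":
        problems.append(f"handler.{idx}.format must be cmp")
    if not props.get("tokenprocedure"):
        problems.append(f"handler.{idx}.tokenprocedure is missing")
    mode = props.get("mode", "client")  # client is the documented default
    if mode not in VALID_MODES:
        problems.append(f"handler.{idx}.mode={mode!r} is not client, ra or ra-strict")
    elif mode in RA_MODES:
        # An ra-mode handler needs pinned RA certificates, officer validation, or both.
        pinned = [k for k in props if re.fullmatch(r"ramode\.certs\.\d+", k)]
        officer = props.get("ramode.officervalidation", "false").lower() == "true"
        if not pinned and not officer:
            problems.append(
                f"handler.{idx} is in mode {mode} but has neither ramode.certs.<n> "
                "nor ramode.officervalidation = true; PGW would abort startup"
            )
    return problems


def check_cmp_properties(text):
    """Check every handler in a cmp.properties text; {} means all are sound."""
    findings = {}
    for idx, props in sorted(parse_handlers(text).items()):
        problems = check_handler(idx, props)
        if problems:
            findings[idx] = problems
    return findings


# Constructed sample cmp.properties; the certificate path and procedure name
# are placeholders, not values from a real installation.
SAMPLE_CMP_PROPERTIES = """
# handler 3: client mode, signature-based POP only
handler.3.filter = client
handler.3.format = cmp
handler.3.tokenprocedure = CMP Registration and Enroll Procedure
handler.3.mode = client

# handler 4: ra mode with both certificate pinning and officer validation
handler.4.filter = ra
handler.4.format = cmp
handler.4.tokenprocedure = CMP Registration and Enroll Procedure
handler.4.mode = ra
handler.4.ramode.certs.0 = certs/ra-signer.cer
handler.4.ramode.officervalidation = true

# handler 5: ra-strict with neither pinning nor officer validation (PGW would abort)
handler.5.filter = ra-strict
handler.5.format = cmp
handler.5.tokenprocedure = CMP Registration and Enroll Procedure
handler.5.mode = ra-strict
handler.5.ramode.officervalidation = false
"""

if __name__ == "__main__":
    for idx, problems in check_cmp_properties(SAMPLE_CMP_PROPERTIES).items():
        for problem in problems:
            print(problem)
```

Run the script against a real cmp.properties by passing its contents to check_cmp_properties; an empty result means every handler satisfies the rules on this page, while any entry names the handler index and the rule it breaks.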