Request certificate via CMP and Protocol Gateway in Certificate Manager

The enrollment process is made up of the following major steps:

1. Hardware registration  
   

   1. If certificate-based signature is to be used, the vendor CA certificate must be imported to CM with the Administrator's workbench (AWB).
      In the AWB client, select Cross menu and Import Certificate and open the file that contains the vendor CA certificate. See Import external CA certificate in Certificate Manager.

   2. If a password-based mac is to be used, it must be enabled in the cmpenroll certificate format. 
      In the file cmpenroll.conf, set enroll.messagesigner.hmac.enabled to true. For information on settings in cmp.conf, see also CMP security configuration in Certificate Manager.

   3. The hardware must be registered in the Certificate Manager database, via the Registration Authority (RA) in Certificate Manager, in the Order tab. The registration shall contain the fully qualified domain name (FQDN). 

2. Certificate enrollment
   

   1. A certificate request is sent from the LTE eNodeB or Security Gateway via the CMP service to the Certificate Factory.

   2. The request must contain the FQDN and must be signed either with a vendor device certificate, the old device certificate or a password-based mac. The FQDN is verified against the registrations in the database. The CMP request signature is verified and if it is signed with a certificate then the signature certificate is verified, and must be issued by a CA in the Certificate Manager database.

   3. If the request meets all requirements, a certificate will be created and returned to the requesting hardware.

For more information on the CMP security features in Protocol Gateway, see CMP security configuration in Certificate Manager.