This article describes the CA and RA modes for enrollment used by CMP and SCEP protocols, and how to use CA mode in Protocol Gateway.
Enrollment modes
The CMP and SCEP protocols specify two enrollment modes:
- CA mode - The CA key pair is used to protect the protocol messages.
- RA mode - A separate device RA key pair is used to protect the protocol messages.
Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. CA mode is not supported, since the CA's private key should only be used for signing certificates and CRLs. When managing end entities, ensure that they operate in RA mode.
However, some devices do not support RA mode and require that the CA key pair is used to protect the protocol messages. To support these devices in Protocol Gateway, follow the instructions below to configure the CA key pair so that it can be used as a device RA key pair. It is assumed that an HSM is used to store the CA keys.
Configure key usage for CA certificate
To be able to use the CA certificate as an RA certificate in PGW, the CA certificate key usage must be complemented with Digital Signature and Key Encipherment:
- Copy the format file that you will use to create a CA certificate, which is found under <server_root>/config/certformats.
- Open the new copy for editing.
- Add the following lines to the new format file:
extension.keyusage.attributes.digitalsignature=true
extension.keyusage.attributes.keyencipherment=true
- Restart the server to make it aware of the new format file.
Create CA key
- In Administrator's Workbench, create a CA key with the new format. See Create CA key in Certificate Manager.
- Verify that the resulting certificate has Digital Signature and Key Encipherment as key usage as well as Certificate Signing and CRL Signing.
- Put the new certificate in the HSM that is used by Protocol Gateway. See Install certificate.
- If you use two different HSMs for the CM server and Protocol Gateway, copy the key using your HSM's own tools.
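To verify the key usage of the resulting certificate programmatically rather than by eye, the following added example (not part of the Protocol Gateway or Certificate Manager documentation) decodes the X.509 KeyUsage extension from its DER encoding and reports which of the four required usages are missing. The DER inputs are constructed test vectors, not certificates issued by the product.

```python
# Added example (not from the Protocol Gateway documentation): decode the X.509
# KeyUsage extension and check the four key-usage bits the procedure requires.
# The DER inputs are constructed test vectors, not real certificates.

# RFC 5280 KeyUsage bit positions (bit 0 = most significant bit of byte 0)
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
KEY_USAGE_OID = bytes.fromhex("06 03 55 1d 0f")  # id-ce-keyUsage, 2.5.29.15
# Usages a CA certificate needs before Protocol Gateway can use it as RA
REQUIRED_FOR_CA_AS_RA = {"digitalSignature", "keyEncipherment",
                         "keyCertSign", "cRLSign"}

def _tlv(buf, pos):
    """Read one DER TLV (short-form length only); return (tag, value, next)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_key_usage(extension_der):
    """Decode a DER Extension SEQUENCE carrying KeyUsage into a set of names."""
    tag, body, _ = _tlv(extension_der, 0)
    if tag != 0x30 or not body.startswith(KEY_USAGE_OID):
        raise ValueError("not a KeyUsage extension")
    tag, value, pos = _tlv(body, len(KEY_USAGE_OID))
    if tag == 0x01:                      # optional 'critical' BOOLEAN
        tag, value, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bits, _ = _tlv(value, 0)        # BIT STRING inside the OCTET STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING KeyUsage")
    unused, data = bits[0], bits[1:]
    total_bits = len(data) * 8 - unused
    return {name for name, bit in KEY_USAGE_BITS.items()
            if bit < total_bits and data[bit // 8] & (0x80 >> (bit % 8))}

def missing_for_ca_as_ra(extension_der):
    """Return the required key usages that the extension does not assert."""
    return REQUIRED_FOR_CA_AS_RA - decode_key_usage(extension_der)

# Constructed vectors: bits 0,2,5,6 -> 0xA6 (CA usable as RA);
# a plain CA certificate sets only bits 5,6 -> 0x06
CA_AS_RA_EXT = bytes.fromhex("30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 a6")
PLAIN_CA_EXT = bytes.fromhex("30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 06")
```

Run `missing_for_ca_as_ra(...)` on the KeyUsage extension of the certificate you created; an empty set means all four required usages are present.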
Configure RA certificate in Protocol Gateway
To configure Protocol Gateway to use the new CA certificate as RA:
- Open the properties file for editing, for example cmp.properties.
- Add a handler that uses the new CA certificate as the RA certificate.
Example: The handler defined below in cmp.properties is used when accessing <url>/cmp/example:
handler.1.filter = example
handler.1.ra.keyfile =
handler.1.ra.certificate.subject = exampleCA
handler.1.ra.password = 1234
handler.1.ra.pkcs11 = {ProgramFiles}/tomcatWorkingDirectory/cs2_pkcs11.dll