Certificate Manager interfaces

To allow external clients to order certificates from Certificate Manager, the following interfaces and protocols are supported via Protocol Gateway:

  • WinEP
    Nexus Windows Enrollment Proxy (WinEP) provides certificate enrollment for Microsoft Windows clients through their native protocols. WinEP requires the WinEP service together with the WinEP Protocol Gateway servlet.

  • CM WS
    CM Web Services (CM WS) is a SOAP-based web service interface used for certificate management in CM. CM WS has the functionality to enroll, revoke, search and fetch certificates.
  • CMP
    Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), an Internet protocol for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210. CMP is used, for example, in the PKI for Long-Term Evolution (LTE) networks, together with the 3GPP specification.

  • SCEP
    Simple Certificate Enrollment Protocol (SCEP) is a protocol for handling certificates in large-scale deployments that reach everyday users. SCEP is an Internet Draft in the Internet Engineering Task Force (IETF).

  • CMC
    Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC), an Internet Standard published by the IETF that defines certificate management messages and transport mechanisms built on the Cryptographic Message Syntax (CMS). CMC is defined in RFC 5272 and its transport mechanisms in RFC 5273.

  • EST
    Enrollment over Secure Transport (EST) is an X.509 certificate management protocol for Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and the associated Certification Authority (CA) certificates over HTTPS. Examples of its functions are initial certificate enrollment, certificate renewal and CA rollover. EST is defined in RFC 7030.

  • EST-coaps
    EST over secure CoAP (EST-coaps) is a protocol for secure bootstrapping and certificate enrollment of low-resource devices. Such constrained devices can be battery powered and left unattended for years, and typically support DTLS and 6LoWPAN (IPv6 over IEEE 802.15.4-based networks). Devices running the Contiki NG OS are one example of clients that can use EST over CoAPS.

  • AST
    Using the Authenticated Soft Token (AST) interface, a properly authenticated end user or administrator can request PKCS#12 soft tokens for signing and authentication.

  • Ping
    The Ping service (monitoring service) is used for system health checks and can be used by load balancers to detect failing nodes. A Ping call exercises all internal components of the CA system, including the HSMs.
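
The EST entry above describes enrollment over HTTPS without showing what actually goes on the wire. The following Go program is an added example written for this page; it is not Certificate Manager's or Nexus' own code, and it uses only the Go standard library. It shows the RFC 7030 `/simpleenroll` exchange from the client side: generate a P-256 key, sign a PKCS#10 CSR, base64-wrap it with the `application/pkcs10` media type, and decode a base64 EST body back into DER before handing it to a parser. The `estBase` URL is a placeholder for a Protocol Gateway EST endpoint, and the `device-0001` common name is a constructed sample value; TLS client authentication is left to the caller's `http.Client` configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// estBase is a PLACEHOLDER for the Certificate Manager Protocol Gateway EST
// endpoint; the real host and path come from your deployment, not from this page.
const estBase = "https://cm.example.invalid/.well-known/est"

// EnrollRequest holds what an EST client sends to /simpleenroll
// (RFC 7030 section 4.2.1): the URL, the media type and the base64 body.
type EnrollRequest struct {
	URL         string
	ContentType string
	Body        string
}

// BuildSimpleEnrollRequest generates a P-256 key, signs a PKCS#10 CSR for the
// given common name and wraps the DER the way EST expects on the wire.
// The private key never leaves the client; only the CSR is sent.
func BuildSimpleEnrollRequest(commonName string) (*ecdsa.PrivateKey, *EnrollRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, &EnrollRequest{
		URL:         estBase + "/simpleenroll",
		ContentType: "application/pkcs10",
		Body:        base64.StdEncoding.EncodeToString(der),
	}, nil
}

// NewHTTPRequest turns an EnrollRequest into an *http.Request carrying the
// headers RFC 7030 requires. Client authentication (TLS client certificate or
// HTTP Basic) is configured on the http.Client/transport, not here.
func NewHTTPRequest(r *EnrollRequest) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, r.URL, strings.NewReader(r.Body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", r.ContentType)
	req.Header.Set("Content-Transfer-Encoding", "base64")
	req.Header.Set("Accept", "application/pkcs7-mime")
	return req, nil
}

// DecodeESTBody undoes the EST base64 framing. Servers may line-wrap the
// body, so all whitespace is stripped before decoding, and the result must
// start with a DER SEQUENCE tag (0x30) before it is handed to any parser.
func DecodeESTBody(body string) ([]byte, error) {
	clean := strings.Join(strings.Fields(body), "")
	der, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return nil, err
	}
	if len(der) == 0 || der[0] != 0x30 {
		return nil, errors.New("EST body is not DER-encoded (missing SEQUENCE tag)")
	}
	return der, nil
}

// VerifyEnrollRequest does what the receiving side does with the body:
// decode it, parse the CSR, check its proof-of-possession signature and
// return the requested common name.
func VerifyEnrollRequest(r *EnrollRequest) (string, error) {
	der, err := DecodeESTBody(r.Body)
	if err != nil {
		return "", err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	_, r, err := BuildSimpleEnrollRequest("device-0001") // constructed sample CN
	if err != nil {
		panic(err)
	}
	req, err := NewHTTPRequest(r)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL, req.Header.Get("Content-Type"))
	cn, err := VerifyEnrollRequest(r)
	fmt.Println("CSR verified for CN:", cn, "err:", err)
}
```

The program builds and verifies the request locally and does not contact any server; point `estBase` at a real Protocol Gateway and send the request with an `http.Client` whose TLS configuration carries the enrolling client's credentials to perform an actual enrollment. The `DecodeESTBody` check matters on the response path as well: the `/simpleenroll` and `/cacerts` replies are base64 `application/pkcs7-mime` bodies, and rejecting anything that is not DER before parsing keeps malformed or truncated responses out of the certificate parser.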