CMP Profile
CMP Profile specifies the configurations of the CMP server behaviour. It holds the configuration listed below:
| Configuration | Purpose | Default Value | Mandatory |
|---|---|---|---|
| Name | CMP Profile Name | Yes | |
| Description | Description of the CMP Profile | No | |
| Variant | Variant of the CMP protocol defining the behaviour | Yes | |
| Request Protection Method | One of available protection methods for the CMP requests | Yes | |
| Shared Secret | Shared secret for the protection of CMP message when request protection method is shared secret | No | |
| Response Protection Method | One of available protection methods for the CMP responses | Yes | |
| Signing Certificate | Certificate used for signing CMP responses whn the response protection method is signature | Yes | |
| RA Profile | RA Profile that will be set as default for the CMP Profile | No |
Supported CMP variants
The platform supports the following CMP variants:
CMPv2- CMP version 2 as defined by RFC 4210CMPv2 3GPP- CMP version 2 with 3GPP extensions as defined by 3GPP Specification
The CMP variant CMPv3 is prepared for future use case according to the RFC 9483 - Lightweight Certificate Management Protocol (CMP) Profile, however, not yet fully implemented.
Request and response protection methods
The platform supports the following protection methods for CMP requests and responses:
Shared Secret- Shared secret for the protection of CMP message according to the RFC 4210, section 5.1.3.1Signature- Signing of CMP message according to the RFC 4210, section 5.1.3.3
The following restrictions apply for the protection methods configuration:
- If the
Response Protection Methodis set toShared Secret, theShared Secretprotection method must be configured also for theRequest Protection Method - If the
Request Protection Methodis set toSignature, theSignatureprotection method must be used also for theResponse Protection Method
Request signing certificate
When the Request Protection Method is set to Signature, the request must contain signing certificate in the PKIMessage extraCerts field. The first certificate in the extraCerts field is used for the signature verification.
Response signing certificate requirements
The certificate with associated private key should be available in the inventory in case Response Protection Method is set to Signature. The certificate should meet the following criteria:
- The certificate should be valid
- The certificate should have associated private key managed by the platform
- The private key should be valid and active
- The private key should have the
Key Usageset toSign
Attributes for certificate management
If a default RA Profile is selected then Attributes to issue and revoke certificates must be configured, if needed.
Certificate management Attributes for CMP Profile are used during certificate management and cannot be changed by the CMP client.
Operations on CMP Profile
The following operations can be performed on the CMP Profile:
| Operation | Description |
|---|---|
| Create | Create a new CMP Profile. New CMP Profile is disabled by default |
| Update | Update configuration of already existing CMP Profile |
| Delete | Delete existing CMP Profile |
| Disable | Disable existing CMP Profile. All request to disabled CMP Profile will be rejected |
| Enable | Enable existing CMP Profile |