Test CMP certificate enrollment using OpenSSL
You can verify CMP-based certificate enrollment in DigiCert® Trust Lifecycle Manager by submitting a test request using OpenSSL.
The Certificate Management Protocol (CMP) implementation in Trust Lifecycle Manager is based on RFC9480. CMP enables automated certificate lifecycle operations such as enrollment, renewal, and revocation. This topic shows how to enroll a private trust certificate via CMP using an Enrollment Code as the authentication method.
Prerequisites
Make sure these prerequisites are met to test certificate enrollment in Trust Lifecycle Manager using CMP.
DigiCert Private CA issuance
Your account must be configured to issue certificates from DigiCert® Private CA. For help verifying or enabling this feature, contact your DigiCert account representative.
CMP-enabled certificate profile
You need to create a CMP-enabled certificate profile in Trust Lifecycle Manager using one of the following DigiCert Private CA templates:
Generic Device Certificate
Generic Private Server Certificate
Generic User Certificate
Private S/MIME Secure Email
The certificate profile must be configured with the following settings:
Enrollment method: CMP
Authentication method: Enrollment Code
Enrollment code policy settings: Dynamic enrollment code options enabled
Note the CMP URL for the certificate profile. After creating the profile, the CMP URL is displayed in the confirmation dialog and is also available on the Profile details page.
Active enrollment code
You need an active enrollment code for the CMP-enabled certificate profile to use for certificate issuance. For more information, see Prepare enrollment codes for authentication.
Testing via OpenSSL
You can test the CMP service using OpenSSL v3.2.2.1 or later.
The test procedure includes the following tasks:
CMP certificate enrollments
Enroll a new certificate using the CMP protocol with the configured profile.
Run the following command to generate a private key and CSR.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=client.example.com"
Substitute the placeholders in the command below with values specific to your environment.
To enroll a certificate using CMP, use the following command syntax:
openssl cmp -cmd cr -server <server> -ref "anything" -secret "pass:<password>" -newkey certs/<privateKey-file> -certout certs/<certificate-file> -cacertsout <issuer-cert-file> -popo 1 -verbosity 8 -config <OpenSSL-config-file> -trusted <trusted-root-cert-file> -chainout <cert-chain-file>
Parameters
Use the following values when defining the command:
server: The CMP URL for the certificate profile.
password: The enrollment code used to authenticate the issuance request.
privateKey-file: The private key associated with the CSR.
certificate-file: The output file that will contain the issued X.509 certificate for the uninitialized entity.
issuer-cert-file: The file where the issuing CA certificate will be saved in PEM format.
OpenSSL-config-file: The OpenSSL configuration file used to generate the certificate request.
trusted-root-cert-file: The root CA certificate in PEM format used to establish trust.
cert-chain-file: The output file where the certificate chain (intermediate CA certificates) associated with the newly enrolled certificate will be saved.
Example
openssl cmp -cmd cr -server https://dcone.cluster.local/mpki/api/v1/ec/cmp/6104dc7e-2708-4cdf-a10b-e2f807482989 -ref "anything" -secret pass:123456789 -newkey client.key -certout mycert.cer -cacertsout issuer.cer -popo 1 -verbosity 8 -config myconf.cnf
If the enrollment is successful, the issued client certificate is saved to the file specified by the -certout option. For example, mycert.cer.
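As an added example (not DigiCert's or OpenSSL's own code), the enrollment flow above written as shell functions, followed by two checks a practitioner should run before deploying the returned certificate: that it chains to the trusted root via the returned intermediates, and that its public key matches the private key that was generated. It assumes OpenSSL 3.2+ on PATH and placeholder environment variables CMP_URL, ENROLL_CODE, ROOT_PEM and CMP_CONF.

```shell
#!/bin/sh
# Added example, not DigiCert's or OpenSSL's own tooling.
# Assumptions (placeholders, not real values): OpenSSL 3.2+ is on PATH and the
# environment provides CMP_URL (profile CMP URL), ENROLL_CODE (enrollment code),
# ROOT_PEM (trusted root, PEM) and CMP_CONF (OpenSSL config file).

# Step 1: private key and CSR, as on the page.  $1=key out, $2=csr out, $3=subject
gen_key() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" >/dev/null 2>&1
}

# Step 2: CMP certificate request (cr) authenticated with the Enrollment Code.
# $1=private key, $2=issued cert out, $3=issuer cert out, $4=chain out
# "env:ENROLL_CODE" is OpenSSL's passphrase-source syntax: the code is read from
# the environment instead of appearing in the process argument list (ps, shell history).
cmp_enroll() {
  openssl cmp -cmd cr -server "$CMP_URL" -ref "anything" -secret "env:ENROLL_CODE" \
    -newkey "$1" -certout "$2" -cacertsout "$3" -chainout "$4" \
    -trusted "$ROOT_PEM" -popo 1 -verbosity 8 -config "$CMP_CONF"
}

# Step 3: checks before the new cert is deployed.  $1=cert, $2=private key,
# $3=trusted root, $4=chain (intermediates returned by -chainout)
#  - the cert must build a path to the root we chose to trust, not merely parse
#  - its public key must match our private key (catches mixed-up files or a
#    certificate issued for some other key)
verify_enrolled() {
  openssl verify -CAfile "$3" -untrusted "$4" "$1" >/dev/null 2>&1 || return 1
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Typical run (needs network access to the CMP URL):
#   gen_key client.key client.csr "/CN=client.example.com"
#   cmp_enroll client.key mycert.cer issuer.cer chain.pem
#   verify_enrolled mycert.cer client.key "$ROOT_PEM" chain.pem && echo "enrolled cert OK"
```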
Key Update Request (KUR) of a client certificate
Renew an existing client certificate before it expires using the CMP protocol.
Before submitting a KUR, ensure you have the following files:
The private key used for the original certificate.
The current (soon-to-expire) client certificate.
The trusted root certificate in PEM format.
To request certificate renewal, submit a KUR to the CMP server using the CMP protocol.
Substitute the placeholders in the command below with values specific to your environment.
To renew an existing certificate via CMP, use the following command syntax:
openssl cmp -cmd kur -server <server> -ref "anything" -certout certs/<kur-cert-file> -verbosity 8 -key certs/<privateKey-file> -newkey certs/<privateKey-file> -cert certs/<ir-cert-file> -trusted certs/<trusted-root-cert-file> -chainout certs/<cert-chain-file>
Parameters
Use the following values when defining the command:
server: The CMP URL for the certificate profile.
privateKey-file: The private key associated with the CSR.
kur-cert-file: The output file that will contain the renewed or rekeyed certificate.
ir-cert-file: The existing certificate to be renewed or re-keyed.
trusted-root-cert-file: The root CA certificate in PEM format used to establish trust.
cert-chain-file: The output file where the certificate chain (intermediate CA certificates) associated with the renewed certificate will be saved.
Example
openssl cmp -cmd kur -server https://standalone-ca.dev.blu.digicert.com/certificate-authority/api/v1/cmp/8F2973336FA2C29EE729B3D0E3E67B17 -ref "aloha-ecdsa-kur" -certout certs/kur_cert.pem -verbosity 8 -key
CMP certificate revocation
Run the following command to revoke an issued certificate.
openssl cmp -cmd rr -server https://<cmp-url> -oldcert myoldcert3.cer -ref "anything" -secret pass:GO8ZOT2MA -revreason 1 -key client.key -verbosity 8