
Sample CMP implementation

This sample shows a CMP implementation using OpenSSL.

Prerequisites

  • A CMP profile in your DigiCert® Private CA.

  • OpenSSL 3.2.2.1 or later. The CMP client (openssl cmp) is part of OpenSSL itself.

Initial setup

Install OpenSSL version 3.2.2.1 or later on the client system.

Enroll a client certificate

Enroll a new client certificate using the CMP protocol. In CMP terminology this is also called Initial Registration (IR).

STEP 1: Generate a private key and CSR

Generate a private key and certificate signing request (CSR) using OpenSSL:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout client.key \
  -out client.csr \
  -subj "/CN=client.example.com"

Where:

  • -keyout is the private key file required for your CSR.

  • -out is the CSR file which contains your certificate signing request.

  • -subj is the subject common name for your client system.

STEP 2: Run the enrollment command

Replace the placeholders with your actual values:

openssl cmp -cmd ir \
  -server https://<ca-server>/certificate-authority/api/v1/cmp/<ProfileID> \
  -ref "anything" \
  -secret "pass:<password>" \
  -newkey certs/ir_key.pem \
  -certout certs/ir_cert.pem \
  -cacertsout ca_chain.pem \
  -popo 1 \
  -verbosity 8 \
  -config cmp_client.cnf \
  -trusted certs/root.pem \
  -chainout certs/ir_chain.pem

Where:

  • -server is the CMP profile URL.

  • -secret is the authentication credential as configured in the CMP profile in your private CA.

  • -newkey is the private key file required for your CSR in PEM format.

  • -certout is the output file. This is where you'll find the issued client certificate when the request completes.

  • -cacertsout is the issuer CA chain in PEM format.

  • -config is the CMP configuration file in your OpenSSL implementation.

  • -trusted is the root CA in the issuing chain.

  • -chainout is the complete chain for the newly enrolled certificate in PEM format.

Renew a client certificate

Renew or rekey an existing client certificate using the CMP protocol. This command is called Key Update Request (KUR) in CMP.

STEP 1: Gather the prerequisites

  • The private key used for the original certificate

  • The existing client certificate

  • The CA certificate chain

STEP 2: Run the renewal command

openssl cmp -cmd kur \
  -server https://<ca-server>/certificate-authority/api/v1/cmp/<ProfileID> \
  -ref "aloha-ecdsa-kur" \
  -certout certs/kur_cert.pem \
  -verbosity 8 \
  -key certs/ir_key.pem \
  -newkey certs/ir_key.pem \
  -cert certs/ir_cert.pem \
  -trusted certs/root.pem \
  -chainout certs/kur_chain.pem

Where:

  • -server is the CMP profile URL.

  • -ref is a reference string that OpenSSL places in the request header as the fallback sender KID (the client identifier). It is needed when no sender name can be derived from -cert, as in the -secret based enrollment above.

  • -certout is the output file. This is where you'll find the renewed client certificate when the request completes.

  • -verbosity is the OpenSSL logging level, from 0 (emergencies only) to 8 (trace). The default is 6; 8 gives the most detailed output and is useful for troubleshooting.

  • -newkey is the private key file from the original certificate in PEM format.

  • -cert is the original client certificate that requires renewing.

  • -trusted is the root CA in the issuing chain.

  • -chainout is the complete chain for the renewed certificate in PEM format.

Revoke a client certificate

CMP supports revocation of certificates. This command is called Revocation Request (RR) in CMP.

CMP revocation requests are submitted using CMP protocol message types supported by the client and processed according to the CMP profile configuration.

Revocation requests in CMP are invoked with -cmd rr and need the following information and setup:

  • Existing certificate

  • Corresponding private key

  • Reason codes

  • Server support for RR

  • Correct policy handling
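The IR, KUR and RR commands above, tied together as an added POSIX shell example (not DigiCert's or OpenSSL's own code), with the post-enrollment check a practitioner wants: the issued certificate must chain to the trusted root and must carry the public key of the private key that was submitted. The CA_URL and CMP_SECRET placeholders, the certs/ paths and the cmp-client reference string are assumptions; -subject, -revreason and -untrusted are standard OpenSSL options. It also goes one step beyond the page's renewal: passing a different key file to cmp_kur turns the renewal into a true rekey.

```shell
#!/bin/sh
# Added example (not DigiCert's or OpenSSL's code). CA_URL, CMP_SECRET and the
# certs/ paths are assumed placeholders; adjust them to your CMP profile.
set -eu
CA_URL="${CA_URL:-https://<ca-server>/certificate-authority/api/v1/cmp/<ProfileID>}"
CMP_SECRET="${CMP_SECRET:-pass:<password>}"   # shared secret set in the CMP profile
TRUSTED="${TRUSTED:-certs/root.pem}"          # root CA of the issuing chain

# IR: enroll a key generated beforehand (step 1), MAC-protected with the secret.
# $1 existing key   $2 subject DN   $3 cert out   $4 chain out
cmp_ir() {
  openssl cmp -cmd ir -server "$CA_URL" -ref cmp-client -secret "$CMP_SECRET" \
    -newkey "$1" -subject "$2" -popo 1 -certout "$3" -chainout "$4" \
    -cacertsout ca_chain.pem -trusted "$TRUSTED" -verbosity 6
}

# KUR: renew, signed with the current cert/key; a different $3 makes it a rekey.
# $1 current cert   $2 current key   $3 key for the new cert   $4 cert out
cmp_kur() {
  openssl cmp -cmd kur -server "$CA_URL" -cert "$1" -key "$2" -newkey "$3" \
    -certout "$4" -trusted "$TRUSTED" -verbosity 6
}

# Map an RFC 5280 CRLReason name to the number openssl cmp -revreason expects.
crl_reason_code() {
  case "$1" in
    unspecified) echo 0 ;;         keyCompromise) echo 1 ;;
    cACompromise) echo 2 ;;        affiliationChanged) echo 3 ;;
    superseded) echo 4 ;;          cessationOfOperation) echo 5 ;;
    certificateHold) echo 6 ;;     removeFromCRL) echo 8 ;;
    privilegeWithdrawn) echo 9 ;;  aACompromise) echo 10 ;;
    *) echo "unknown CRLReason: $1" >&2; return 1 ;;
  esac
}
# RR: revoke a certificate we hold the key for.  $1 cert   $2 key   $3 reason name
cmp_rr() {
  reason=$(crl_reason_code "$3") || return 1
  openssl cmp -cmd rr -server "$CA_URL" -cert "$1" -key "$2" \
    -revreason "$reason" -trusted "$TRUSTED" -verbosity 6
}

# After IR/KUR: the issued cert must chain to the trusted root and carry the
# public key of our private key; anything else means the CA issued something
# other than what we asked for.  $1 cert  $2 key  $3 root CA  $4 optional chain
check_issued_cert() {
  chain=${4:-}
  openssl verify -CAfile "$3" ${chain:+-untrusted "$chain"} "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Only the cmp_* functions talk to the CA; crl_reason_code and check_issued_cert run offline, so the issued certificate can be validated before it is deployed.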