The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is a very feature-rich and flexible protocol, supporting many types of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. CMP messages are encoded in ASN.1, using the DER method. CMP is described in. Enrollment request messages employ the Certificate Request Message Format (CRMF), described in. The only other protocol so far using CRMF is Certificate Management over CMS (CMC), described in.

History

An obsolete version of CMP is described in, the respective CRMF version in. In November 2023, CMP Updates, CMP Algorithms, and CoAP transfer for CMP, have been published as well as the Lightweight CMP Profile focusing on industrial use.

PKI Entities

In a public key infrastructure (PKI), so-called end entities (EEs) act as CMP client, requesting one or more certificates for themselves from a certificate authority (CA), which issues the legal certificates and acts as a CMP server. None or any number of registration authorities (RA), can be used to mediate between the EEs and CAs, having both a downstream CMP server interface and an upstream CMP client interface. Using a "cross-certification request" a CA can get a certificate signed by another CA.

Features

Transport

CMP messages are usually transferred using HTTP, but any reliable means of transportation can be used. The Content-Type used is application/pkixcmp; older versions of the draft used application/pkixcmp-poll, application/x-pkixcmp or application/x-pkixcmp-poll.

Implementations