Network Working Group C. Adams
Request for Comments: 4210 University of Ottawa
Obsoletes: 2510 S. Farrell
Category: Standards Track Trinity College Dublin
T. Kause
SSH
T. Mononen
SafeNet
September 2005
Internet X.509 Public Key Infrastructure
Certificate Management Protocol (CMP)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes the Internet X.509 Public Key Infrastructure
(PKI) Certificate Management Protocol (CMP). Protocol messages are
defined for X.509v3 certificate creation and management. CMP
provides on-line interactions between PKI components, including an
exchange between a Certification Authority (CA) and a client system.
Table of Contents
1. Introduction ....................................................5
2. Requirements ....................................................5
3. PKI Management Overview .........................................5
3.1. PKI Management Model .......................................6
3.1.1. Definitions of PKI Entities .........................6
3.1.1.1. Subjects and End Entities ..................6
3.1.1.2. Certification Authority ....................7
3.1.1.3. Registration Authority .....................7
3.1.2. PKI Management Requirements .........................8
3.1.3. PKI Management Operations ..........................10
4. Assumptions and Restrictions ...................................14
4.1. End Entity Initialization .................................14
Adams, et al. Standards Track [Page 1]
RFC 4210 CMP September 2005
4.2. Initial Registration/Certification ........................14
4.2.1. Criteria Used ......................................15
4.2.1.1. Initiation of Registration/Certification ..15
4.2.1.2. End Entity Message Origin Authentication ..15
4.2.1.3. Location of Key Generation ................15
4.2.1.4. Confirmation of Successful Certification ..16
4.2.2. Mandatory Schemes ..................................16
4.2.2.1. Centralized Scheme ........................16
4.2.2.2. Basic Authenticated Scheme ................17
4.3. Proof-of-Possession (POP) of Private Key ..................17
4.3.1. Signature Keys .....................................18
4.3.2. Encryption Keys ....................................18
4.3.3. Key Agreement Keys .................................19
4.4. Root CA Key Update ........................................19
4.4.1. CA Operator Actions ................................20
4.4.2. Verifying Certificates .............................21
4.4.2.1. Verification in Cases 1, 4, 5, and 8 ......22
4.4.2.2. Verification in Case 2 ....................22
4.4.2.3. Verification in Case 3 ....................23
4.4.2.4. Failure of Verification in Case 6 .........23
4.4.2.5. Failure of Verification in Case 7 .........23
4.4.3. Revocation - Change of CA Key ......................23
5. Data Structures ................................................24
5.1. Overall PKI Message .......................................24
5.1.1. PKI Message Header .................................24
5.1.1.1. ImplicitConfirm ...........................27
5.1.1.2. ConfirmWaitTime ...........................27
5.1.2. PKI Message Body ...................................27
5.1.3. PKI Message Protection .............................28
5.1.3.1. Shared Secret Information .................29
5.1.3.2. DH Key Pairs ..............................30
datatracker.ietf.org