Jellyfish

Preparing the Environment 

Install Required Tools: 

  1. Use an OpenSSL-compatible CMPv2 client. The examples below use the openssl cmp subcommand built into OpenSSL 3.0 and later; alternatives include cmpclient, cmpforopenssl, or the EJBCA CMP CLI. 
  2. Ensure the CA or RA supports CMPv2. 

Set Up the CMP Configuration: 

  1. Obtain the CMPv2 endpoint URL (e.g., https://<CA-server>/cmp). 
  2. Obtain authentication credentials (HMAC shared secret or an existing certificate for signature-based authentication). 
  3. Know the profile or policy name (if required by the CA) to specify enrollment parameters. 

Performing Initial Enrollment 

Step 1: Generate a Key Pair 

  • Use a cryptographic tool to generate a key pair: 

openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048 

openssl rsa -pubout -in private.key -out public.key 

  • Store the private key securely. 

Step 2: Compose the CMP IR Message 

  • Use the CMPv2 client to create a PKIMessage for initial enrollment.  

Example with HMAC authentication: 

# -server takes the CMP endpoint URL; -ref/-secret select HMAC (PBM) message protection.
# -certout receives the newly issued certificate, -cacertsout the CA certificates the server returns.
openssl cmp -cmd ir -server https://<CA-server>/cmp \
    -tls_used \
    -ref <end-entity-reference> \
    -secret pass:<shared-secret> \
    -key private.key \
    -subject /CN=cmp-test-cert/ \
    -certout new-cert.pem \
    -cacertsout cacerts.pem 

Step 3: Send the Enrollment Request

Transmit the PKIMessage to the CA or RA: 

  • Use the configured CMP endpoint. 
  • Verify the CA’s TLS certificate if HTTPS is used (with openssl cmp, supply the TLS trust anchors via -tls_trusted).

Server-side validation 

  • The server will validate the shared secret before passing the request to the CA. 

Handle asynchronous responses: 

  • If the CA needs time to process the request, the server answers with a waiting status and the client polls for the result automatically (CMP pollReq/pollRep messages). 

The client validates the protection and contents of the server’s response automatically and then completes the exchange with the confirmation messages (certConf from the client, PKIConf from the server). 
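As an added example that is not part of the original guide, the following shell functions sanity-check the files the client wrote (the enrolled certificate from -certout and the CA bundle from -cacertsout) before the certificate is deployed; it assumes OpenSSL 3.x on PATH, and the file names are placeholders. make_fixture builds a constructed offline stand-in for the server's output so the check can be exercised without a CA.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the files the
# CMP client wrote before deploying them. Assumes OpenSSL 3.x on PATH; the
# file names (new-cert.pem, private.key, cacerts.pem) are placeholders.
set -eu

# Returns 0 only if CERT chains to a CA in CA_BUNDLE (what -cacertsout wrote)
# and its public key is the one derived from our own private KEY.
verify_enrolled_cert() {
    cert=$1; key=$2; ca_bundle=$3
    # 1. Path validation against the CA certificates delivered over CMP.
    openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1 || return 1
    # 2. Key binding: compare SHA-256 of both DER-encoded public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# Constructed offline stand-in for a CMP server's output (no real enrollment):
# a throwaway CA issues a cert for our key; prints the working directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/cacerts.pem" -subj /CN=Demo-CA -days 1 >/dev/null 2>&1
    # Our enrollment key pair, generated as in Step 1 of the guide.
    openssl genpkey -algorithm RSA -out "$dir/private.key" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key "$dir/private.key" -subj /CN=cmp-test-cert \
        -out "$dir/request.csr" 2>/dev/null
    # Equivalent of the -certout file: our CSR signed by the demo CA.
    openssl x509 -req -in "$dir/request.csr" -CA "$dir/cacerts.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/new-cert.pem" 2>/dev/null
    # A key that never made a request, to exercise the mismatch case.
    openssl genpkey -algorithm RSA -out "$dir/other.key" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    echo "$dir"
}
```

After a real enrollment, run verify_enrolled_cert new-cert.pem private.key cacerts.pem; a non-zero exit means either the chain does not end at a CA you received, or the certificate was issued for a key you do not hold.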

Performing a Subsequent Certificate Enrollment 

Step 1: Generate a Key Pair (as in the initial enrollment; the example below expects the new private key in new-private.key) 

Step 2: Compose the CMP CR message 

Using signature-based authentication: 

# -cert/-key hold the existing certificate and its private key, used to sign (protect) the request;
# -newkey is the key pair the new certificate is requested for.
openssl cmp -cmd cr -server https://<CA-server>/cmp \
    -tls_used \
    -cert existing-cert.pem \
    -key existing-private.key \
    -newkey new-private.key \
    -subject /CN=cmp-test-cert/ \
    -certout new-cert.pem \
    -trusted cacerts.pem 

Step 3: Send the request 

The server validates the signature made with the provided certificate to authenticate the request before passing it to the CA. 

Performing a PKCS#10 Certificate Enrollment 

CMP supports the use of PKCS#10 CSRs for legacy compatibility. 

Step 1: Generate the key pair 

Step 2: Generate the CSR 

Create a Certificate Signing Request (CSR): 

openssl req -new -key private.key -out request.csr \
    -subj "/C=NZ/O=Organization/OU=Department/CN=CommonName/" 

Step 3: Compose the CMP P10CR Message 

P10CR supports HMAC or signature-based authentication. 

Example using HMAC (shared-secret) authentication: 

# -csr supplies the PKCS#10 request; -ref/-secret select HMAC (PBM) message protection.
openssl cmp -cmd p10cr -server https://<CA-server>/cmp \
    -tls_used \
    -ref <end-entity-reference> \
    -secret pass:<shared-secret> \
    -key private.key \
    -csr request.csr \
    -certout new-cert.pem \
    -trusted cacerts.pem