Using the certificate management protocol (CMP) with PKI Services
z/OS Cryptographic Services PKI Services Guide and Reference SA23-2286-00
Certificate management protocol (CMP) is an internet protocol used to manage X.509 digital certificates within a PKI. It is described in RFC 4210 and uses the certificate request message format (CRMF) described in RFC 4211. A certificate request message object is used within the protocol to convey a request for a certificate to a certificate authority. CMP messages are ASN.1-encoded. PKI Services allows a CMP client to communicate with it to request, revoke, suspend and resume certificates.

Restrictions: The following restrictions apply to the PKI Services support for CMP:
PKI Services implements CMP through a CGI program. The tcp-message is sent to the PKI CMP CGI program by HTTPS POST, as specified in Internet X.509 Public Key Infrastructure -- Transport Protocols for CMP. The entire POST body is the message and the mime-type for both requester and responder (client and server) is application/pkixcmp.

Note: The application/pkixcmp mime-type requires that the entire tcp-message be Base64-encoded.
When a CMP client sends a request to the HTTP Server, it must send the request directly to the HTTP Server (and port number) that handles the client authentication requests. The request cannot be handled by a redirect statement. Table 1 shows the format of version 10 tcp-messages (the only existing version):
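The following is an added example, not code from IBM or from PKI Services, showing what the transport rules above mean in practice: a requester wraps a DER-encoded PKIMessage in a version 10 tcp-message, Base64-encodes it and posts it as application/pkixcmp, and a responder validates the mime-type, the Base64 encoding, the version byte and the length field before handing the value to an ASN.1 decoder. Because Table 1 is not reproduced on this page, the field layout (version, flags, 4-byte big-endian length covering message-type plus value, message-type, value) is taken from the IETF CMP transport-protocols draft and is an assumption here; the function names and the sample bytes are constructed for the example and are not a real PKIMessage.

```python
import base64
import binascii

# Values stated on the page
CMP_MIME_TYPE = "application/pkixcmp"
TCP_MESSAGE_VERSION = 10

# ASSUMPTION: tcp-message layout from the IETF CMP transport-protocols draft
# the page cites; the page's own Table 1 is not reproduced here.
#   version (1 byte) | flags (1 byte) | length (4 bytes, big-endian,
#   counts message-type + value) | message-type (1 byte) | value (DER PKIMessage)
HEADER_LEN = 7  # bytes that precede the value field


def frame_tcp_message(msg_type: int, der_pki_message: bytes, flags: int = 0) -> bytes:
    """Wrap a DER-encoded PKIMessage in a version-10 tcp-message (requester side)."""
    if not 0 <= msg_type <= 0xFF or not 0 <= flags <= 0xFF:
        raise ValueError("msg_type and flags are single bytes")
    remainder = bytes([msg_type]) + der_pki_message
    return (bytes([TCP_MESSAGE_VERSION, flags])
            + len(remainder).to_bytes(4, "big")
            + remainder)


def build_post_body(tcp_message: bytes) -> tuple:
    """Return (Content-Type value, POST body) as the requester sends them.

    The note on the page requires the entire tcp-message to be Base64-encoded.
    """
    return CMP_MIME_TYPE, base64.b64encode(tcp_message)


def parse_post(content_type: str, post_body: bytes) -> dict:
    """Validate a received POST the way a responder should before any ASN.1 work.

    Rejects a wrong mime-type, a body that is not valid Base64, a tcp-message
    version other than 10, and a length field that disagrees with the bytes
    actually received (a cheap check that stops truncated or padded input early).
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != CMP_MIME_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    try:
        raw = base64.b64decode(post_body, validate=True)
    except binascii.Error as exc:
        raise ValueError("POST body is not Base64") from exc
    if len(raw) < HEADER_LEN:
        raise ValueError("tcp-message shorter than its header")
    version, flags = raw[0], raw[1]
    if version != TCP_MESSAGE_VERSION:
        raise ValueError(f"unsupported tcp-message version {version}")
    length = int.from_bytes(raw[2:6], "big")
    if length != len(raw) - 6:
        raise ValueError("length field does not match body size")
    return {"version": version, "flags": flags,
            "msg_type": raw[6], "value": raw[7:]}


def rejects(content_type: str, post_body: bytes) -> bool:
    """True when parse_post refuses the input; used to exercise the checks."""
    try:
        parse_post(content_type, post_body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholder bytes, NOT a real DER PKIMessage.
    sample = b"\x30\x03\x02\x01\x02"
    ct, body = build_post_body(frame_tcp_message(0, sample))
    print(ct, body)
    print(parse_post(ct, body))
```

The mime-type comparison ignores any parameters (such as a charset) that a proxy may append, and the Base64 decode uses validate=True so that stray characters are rejected instead of silently skipped.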
The communication between the CMP client and the CGI program is over HTTPS only. Client authentication is required. The client (the CMP requester) needs to have a certificate installed in RACF® under the client's ID. This certificate is used by the requester to authenticate itself, and its owner ID is used to access the PKI Services functions.