Using the certificate management protocol (CMP) with PKI Services
z/OS Cryptographic Services PKI Services Guide and Reference
Certificate management protocol (CMP) is an internet protocol used to manage X.509 digital certificates within a PKI. It is described in RFC 4210 and uses the certificate request message format (CRMF) described in RFC 4211. A certificate request message object is used within the protocol to convey a request for a certificate to a certificate authority. CMP messages are ASN.1-encoded. PKI Services allows a CMP client to communicate with it to request, revoke, suspend and resume certificates.
Restrictions: The following restrictions apply to the PKI Services support for CMP:
PKI Services implements CMP through a CGI program. The tcp-message is sent to the PKI CMP CGI program by HTTPS POST, as specified in Internet X.509 Public Key Infrastructure -- Transport Protocols for CMP. The entire POST body is the message, and the mime-type for both requester and responder (client and server) is application/pkixcmp.
Note: The application/pkixcmp mime-type requires that the entire tcp-message be Base64-encoded.
When a CMP client sends a request to the HTTP Server, it must send the request directly to the HTTP Server (and port number) that handles the client authentication requests. The request cannot be handled by a redirect statement.
Table 1 shows the format of version 10 tcp-messages (the only existing version):
The communication between the CMP client and the CGI program is over HTTPS only. Client authentication is required. The client (the CMP requester) needs to have a certificate installed in RACF® under the client’s ID. This certificate is used by the requester to authenticate itself, and its owner ID is used to access the PKI Services functions.
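The following is an added example, not code from the PKI Services product or from this guide. It builds a CMP request the way the transport described above expects it (a version 10 tcp-message, Base64-encoded, posted with the application/pkixcmp mime-type) and shows the receiving-side checks a defender would want: the mime-type is verified, the Base64 is decoded strictly, and the tcp-message header is validated (declared length must match the data, version must be 10) before the payload is handed to any ASN.1 parser. The header layout (4-byte big-endian length covering everything after the length field, then 1-byte version, 1-byte flags, 1-byte message type, then the value) and the message-type code 0 for a PKI request are taken from the CMP transport protocols draft and are stated here as an assumption, since Table 1 is not reproduced on this page. The CGI path, host name, and the DER bytes are constructed placeholders, not real PKI Services values or a valid PKIMessage.

```python
import base64
import struct

# Constructed placeholder for a DER-encoded CMP PKIMessage (not a real message).
SAMPLE_PKIMESSAGE_DER = bytes.fromhex("30050201010500")

TCP_MESSAGE_VERSION = 10          # version 10 is the only existing tcp-message version
MSG_TYPE_PKIREQ = 0               # assumption: pkiReq code from the CMP transport draft
PKIXCMP_MIME_TYPE = "application/pkixcmp"
HEADER_LEN = 4 + 1 + 1 + 1        # length(4) + version(1) + flags(1) + msg-type(1)


def build_tcp_message(pki_message_der: bytes, msg_type: int = MSG_TYPE_PKIREQ,
                      flags: int = 0) -> bytes:
    """Wrap a DER PKIMessage in a version 10 tcp-message envelope (assumed layout)."""
    body = struct.pack("!BBB", TCP_MESSAGE_VERSION, flags, msg_type) + pki_message_der
    # The length field counts every byte after itself (assumption from the draft).
    return struct.pack("!I", len(body)) + body


def parse_tcp_message(data: bytes) -> tuple[int, int, bytes]:
    """Validate the envelope and return (msg_type, flags, value); reject malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("tcp-message shorter than its fixed header")
    (declared_len,) = struct.unpack("!I", data[:4])
    if declared_len != len(data) - 4:
        # A length that disagrees with the actual body is a classic malformed-input
        # signal; refuse it rather than let an ASN.1 decoder see a truncated buffer.
        raise ValueError(f"declared length {declared_len} != actual {len(data) - 4}")
    version, flags, msg_type = struct.unpack("!BBB", data[4:HEADER_LEN])
    if version != TCP_MESSAGE_VERSION:
        raise ValueError(f"unsupported tcp-message version {version}")
    return msg_type, flags, data[HEADER_LEN:]


def build_cmp_post(host: str, path: str, pki_message_der: bytes) -> tuple[dict, bytes]:
    """Produce the HTTPS POST headers and Base64 body a CMP client would send."""
    body = base64.b64encode(build_tcp_message(pki_message_der))
    headers = {
        "Host": host,
        "Content-Type": PKIXCMP_MIME_TYPE,
        "Content-Length": str(len(body)),
    }
    # The request line is illustrative; the actual CGI path is a placeholder.
    headers["Request-Line"] = f"POST {path} HTTP/1.1"
    return headers, body


def decode_cmp_post_body(content_type: str, body: bytes) -> tuple[int, int, bytes]:
    """Server-side acceptance: check mime-type, strict Base64, then the envelope."""
    if content_type.split(";")[0].strip().lower() != PKIXCMP_MIME_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    raw = base64.b64decode(body, validate=True)   # reject non-Base64 characters
    return parse_tcp_message(raw)


if __name__ == "__main__":
    hdrs, post_body = build_cmp_post("pki.example.com", "/hypothetical/cmp-cgi",
                                     SAMPLE_PKIMESSAGE_DER)
    msg_type, flags, der = decode_cmp_post_body(hdrs["Content-Type"], post_body)
    print(hdrs["Request-Line"], hdrs["Content-Type"], msg_type, der.hex())
```

The client authentication the text requires is not shown here: in practice the TLS layer presents the client certificate installed in RACF, and the CGI never sees a request that did not pass that handshake. The decode function deliberately fails closed on any header or encoding discrepancy, so a malformed message never reaches the ASN.1 decoder.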
Copyright IBM Corporation 1990, 2014