Enrolling in RA Mode

cmpforopenssl works with EJBCA in RA mode with the following EJBCA configuration, using for example alias "opensslra" (unmentioned configurations = default):

You can then use cmpforopenssl (as an RA):

This requests a certificate, defining the subject DN that will be used. The CA used to sign the certificate is specified in the EJBCA CMP configuration and can be taken from the keyid. EJBCA authenticated the request using the HMAC protection with the password, and accepts any request upon correct authentication.

You can request server generated keys by omitting the public key in the certificate request, using the same request as an ir, but without public key. Note however that the cmpclient cannot be used since no cmpclient parameters support omitting the public key. For example Java code, refer to the test class CrmfRequestTest.test12ServerGeneratedKeys().

Revoking a Certificate in RA Mode

To revoke an issued certificate the RA can send a CMP Revoke Request:

Note that the ref value is a random value.

Enrolling in Client Mode with HMAC Password Authentication

cmpforopenssl works with EJBCA in client mode, with HMAC password authentication, using the following EJBCA configuration with for example the alias "opensslclient" (unmentioned configurations = default):

You can now add a new user in EJBCA:

You can then use cmpforopenssl (as a client):

This requests a certificate, and the requested subject DN must match the registered subject DN. EJBCA authenticates the request using the HMAC protection with the password of the registered user. See the CMP documentation above for more advanced configuration.

Enrolling in Client Mode, Client Certificate Authentication

cmpforopenssl works with with EJBCA in client mode, with certificate authentication, using the following EJBCA configuration with alias tex. "openssleec" (unmentioned configurations = default):

You can now issue a certificate using certificate authentication in EJBCA (the end entity needs a certificate before so we re-use user1 from above):

You can then use cmpforopenssl (as a client):

This requests a certificate, and the requested subject DN must match the registered subject DN. EJBCA authenticates the request using the signature protection with the certificate of the registered user. See the CMP documentation above for more advanced configuration.

You can also use a 'cr' instead of an 'ir';

Enrolling Device with HMAC password

A typical PKI workflow using CMP involves enrolling a device with a certificate and then having the device automatically renew the certificate when it is about to expire.

1. Generate a key pair.

2. Initial enrollment of client certificate using a one-time enrollment code.

3. Generate a new key pair.

4. Renew with a new certificate for the new key pair, authenticated using the old key pair and certificate.

The above steps can be simulated in reality using the openssl and cmpforopenssl client, but also using the EJBCA cmpclient.

This works with a default cmpalias (named cmp) configured with parameters:

1. Generate a key pair:

   $ ./openssl genrsa -out certs/cl_key.pem 2048

2. Initial enrollment:
   Before initial enrollment, add a new End Entity in EJBCA, in this example with user name cmptest and subject DN 'CN=cmptest', and enrollment code 'CMP-pwd'.

   $ ./openssl cmp -cmd ir -server ejbca-server:8080 -path ejbca/publicweb/cmp -srvcert certs/3GPPCA.pem -user cmptest -pass CMP-pwd -newkey certs/cl_key.pem -certout certs/cl_cert.pem -subject "/CN=cmptest"

3. Generate a new key pair:

   $ ./openssl genrsa -out certs/cl_new_key.pem 2048

4. Renew with a new certificate:

   $ ./openssl cmp -cmd kur -server ejbca-server:8080 -path ejbca/publicweb/cmp -srvcert certs/3GPPCA.pem -key certs/cl_key.pem -cert certs/cl_cert.pem -newkey certs/cl_new_key.pem -certout certs/cl_new_cert.pem