Help Center/ Edge Data Center Management/ User Guide/ System/ About/ Certificate Authority Service/ Configuring CMP/ Configuring CMP Information
Updated on 2022-04-02 GMT+08:00
View PDF
Share

Configuring CMP Information

Prerequisites

  • In the non-multi-tenant deployment scenarios, if the port used by the CMP is not enabled, you need to enable the port on the Certificate Authority Service > Global Configuration > Port Management page.
  • In the multi-tenant deployment scenarios, if the port used by the CMP is not enabled, the system administrator needs to enable the port on the Certificate Authority Service > Global Configuration > Port Management page.

Procedure

  1. Choose System > About > Certificate Authority Service from the main menu.
  2. Choose Protocol Configuration > CMP from the navigation tree on the left.
  3. On the Protocol Configuration tab page, click Modify corresponding to a CA. On the page that is displayed, set required parameters.

    For detailed parameter descriptions, see Table 1.
    Table 1 CMP parameters

    Parameter

    Description

    Value

    CA

    Name of a CA.

    The CA name cannot be changed.

    Protocol

    You can select HTTP, one-way authentication, or two-way authentication.

    NOTE:

    HTTPS is more secure than HTTP. Therefore, you are advised to select HTTPS (One-way authentication or Two-way authentication) when configuring CMP.

    The default value is two-way authentication.

    Port

    Port number.

    If the selected port is disabled, the message "The port is disabled." is displayed. You cannot apply for a certificate using this port.
    • When HTTP is selected, the default port number is 26801 and cannot be changed.
    • When one-way authentication is selected, the default port number is 26802 and cannot be changed.
    • When two-way authentication is selected, the default port number is 26803 and cannot be changed.

    Version

    TLS version corresponding to one-way authentication and two-way authentication.

    By default, TLSv1.2 and TLSv1.3 are selected and cannot be modified.

    Send CA certificate

    Whether to send the CA certificate to the terminal.

    The default value is Yes.

    Send responder certificate

    Whether to send the response protection certificate to the terminal.

    The default value is Yes.

    Return certificate chain

    Whether to return the certificate chain to the terminal.

    The default value is Yes.

    Verify whitelist

    Whether to enable the whitelist verification function.

    NOTE:
    • If this parameter is set to Yes, the Certificate Authority Service enables the whitelist verification function. When you apply for a certificate from the Certificate Authority Service using CMP, the certificate can be successfully applied only when the common name is in the whitelist.
    • If this parameter is set to No, the Certificate Authority Service does not enable the whitelist verification function.

    The default value is No.

    Request time required

    Checks whether the time in the certificate application request is the same as the current time.

    NOTE:
    • If this parameter is set to Yes, the certificate application request must contain this parameter. The Certificate Authority Service checks whether the value of this parameter is within the Allowed message time deviation range.
    • If this parameter is set to No, the certificate application request does not need to contain this parameter. If the certificate application request contains this parameter, the Certificate Authority Service checks whether the value of this parameter is within the Allowed message time deviation range.

    The default value is No.

    Use the validity period from CMP request

    Whether to use the validity period in the CMP request packet when applying for a certificate.

    NOTE:
    • If you select Yes, the validity period of a certificate is the intersection of the following four validity periods: validity period of the CA associated with the certificate, validity period set in the certificate profile, validity period set in the associated CA, and validity period set in the CMP request.
    • If you select No, the validity period of a certificate is the intersection of the following three validity periods: validity period of the CA associated with the certificate, validity period set in the certificate profile, and validity period set in the associated CA.

    The default value is No.

    Use CA for responder

    Whether to use the CA to protect messages sent to terminals.

    NOTE:

    If this parameter is set to Yes, the CA is used for response protection. You do not need to set response protection on the Responder Configuration tab page.

    The default value is Yes.

    Allowed message time deviation

    The Certificate Authority Service checks whether the deviation between the time in the certificate application request and the current time is within the allowed time deviation range.

    The value is an integer ranging from 1 to 3600, in seconds.

    Use asynchronous polling

    After a terminal sends a certificate application request to the CA, the CA generates a certificate in asynchronous mode. The terminal must periodically and continuously send polling messages to check whether the CA has issued the certificate.

    The default value is No.

    Polling interval

    Polling interval of the terminal.

    The value is an integer ranging from 1 to 3600, in seconds.

    Certificate confirmation waiting time

    Time after which the CA revokes the certificate if the end entity receiving the certificate does not send a certificate confirmation packet to the CA, when the certificate application request is explicitly acknowledged.

    The value is an integer ranging from 1 to 3600, in seconds.

    Message protection signature algorithm

    Signature algorithm to be used. If the signature algorithm used by the terminal is not selected, the CA rejects the request sent by the terminal.

    N/A

    POP signature algorithm

    Required signature algorithm. It is used to check whether the public key submitted by the terminal has a corresponding private key.

    N/A

    CMP request URI

    A user applies for a certificate from the Certificate Authority Service using CMP. The CMP request URI has the following two formats:

    • The request URI contains the name of the CA that issues the certificate and the name of the used certificate profile, for example, https://{IP}:26802/cmp/caname?certprofile=profilename, where caname is the name of the CA that issues the certificate, and profilename is the name of the used certificate profile.

    • The request URI contains only the name of a CA that issues the certificate and does not contain the profile name parameter. The default profile of the CA is used for certificate application. An example of this request is https://{IP}:26802/cmp/caname, where caname is the name of the CA that issues the certificate.

    The CMP request URI cannot be modified.

  4. Click Submit.

Follow-up Procedure

Applying for a certificate based on the CMP request URI

On the Protocol Configuration > CMP page, click the Protocol Configuration tab. On this tab page, click on the left of a CA name, and copy the CMP request URI corresponding to the CA for use. The CMP request URIs include the following types:

  • HTTP
    • http://IP address:26801/cmp/CA name
    • http://IP address:26801/cmp/CA name?certprofile=Certificate profile name
  • One-way authentication
    • https://IP address:26802/cmp/CA name
    • https://IP address:26802/cmp/CA name?certprofile=Certificate profile name
  • Two-way authentication
    • https://IP address:26803/cmp/CA name
    • https://IP address:26803/cmp/CA name?certprofile=Certificate profile name

For example, http://IP address:26801/cmp/caname?certprofile=profilename indicates that a CMP request for applying for a certificate is sent to the Certificate Authority Service through HTTP. In the URL, the IP address indicates the IP address of the Certificate Authority Service.

  • The certprofile parameter specifies the end entity profile used for issuing certificates. This parameter is optional. If this parameter is not specified, the default CA profile is used for certificate application.
  • A CA may be associated with multiple profiles. Therefore, the CMP request URI may have multiple values. Select a value based on the site requirements.
  • The subject information in the certificate application request must be different from that of the associated CA. Otherwise, certificate application fails.

Related Tasks

  • Viewing CMP configuration

    Choose Protocol Configuration > CMP. On the Protocol Configuration tab page, click on the left of a CA name to access the details page, where you can check the CMP configuration.

  • Searching for CMP configuration

    Choose Protocol Configuration > CMP. On the Protocol Configuration tab page, enter a CA name in the search box, and click to find the specified CA and view the detailed protocol configuration of the CA. The Certificate Authority Service supports fuzzy search by CA name.

Parent topic: Configuring CMP