RFC 9480 - Certificate Management Protocol (CMP) Updates

Status: Standards Track
Published: November 2023
Updates: RFC 4210, RFC 5912, RFC 6712

Abstract

This document contains a set of updates to the syntax of Certificate Management Protocol (CMP) version 2 and its HTTP transfer mechanism. This document updates RFCs 4210, 5912, and 6712.

The aspects of CMP updated in this document are using EnvelopedData instead of EncryptedValue, clarifying the handling of p10cr messages, improving the crypto agility, as well as adding new general message types, extended key usages to identify certificates for use with CMP, and well-known URI path segments.

CMP version 3 is introduced to enable signaling support of EnvelopedData instead of EncryptedValue and signal the use of an explicit hash AlgorithmIdentifier in certConf messages, as far as needed.

Contents

• 1. Introduction
  • 1.1. Convention and Terminology
• 2. Updates to RFC 4210 - Certificate Management Protocol (CMP)
  • 2.1. New Section 1.1 - Changes Since RFC 4210
  • 2.2. New Section 4.5 - Extended Key Usage
  • 2.3. Update Section 5.1.1 - PKI Message Header
  • 2.4. New Section 5.1.1.3 - CertProfile
  • 2.5. Update Section 5.1.3.1 - Shared Secret Information
  • 2.6. Replace Section 5.1.3.4 - Multiple Protection
  • 2.7. Replace Section 5.2.2 - Encrypted Values
  • 2.8. New Section 5.2.9 - GeneralizedTime
  • 2.9. Update Section 5.3.4 - Certification Response
  • 2.10. Update Section 5.3.18 - Certificate Confirmation Content
  • 2.11. Update Section 5.3.19.2 - Signing Key Pair Types
  • 2.12. Update Section 5.3.19.3 - Encryption/Key Agreement Key Pair Types
  • 2.13. Replace Section 5.3.19.9 - Revocation Passphrase
  • 2.14. New Section 5.3.19.14 - CA Certificates
  • 2.15. New Section 5.3.19.15 - Root CA Certificate Update
  • 2.16. New Section 5.3.19.16 - Certificate Request Template
  • 2.17. New Section 5.3.19.17 - CRL Update Retrieval
  • 2.18. Update Section 5.3.21 - Error Message Content
  • 2.19. Replace Section 5.3.22 - Polling Request and Response
  • 2.20. Update Section 7 - Version Negotiation
  • 2.21. Update Section 7.1.1 - Clients Talking to RFC 2510 Servers
  • 2.22. Add Section 8.4 - Private Keys for Certificate Signing and CMP Message Protection
  • 2.23. Add Section 8.5 - Entropy of Random Numbers, Key Pairs, and Shared Secret Information
  • 2.24. Add Section 8.6 - Trust Anchor Provisioning Using CMP Messages
  • 2.25. Add Section 8.7 - Authorizing Requests for Certificates with Specific EKUs
  • 2.26. Update Appendix B - The Use of Revocation Passphrase
  • 2.27. Update Appendix C - Request Message Behavioral Clarifications
  • 2.28. Update Appendix D.1. - General Rules for Interpretation of These Profiles
  • 2.29. Update Appendix D.2. - Algorithm Use Profile
  • 2.30. Update Appendix D.4. - Initial Registration/Certification (Basic Authenticated Scheme)
• 3. Updates to RFC 6712 - HTTP Transfer for the Certificate Management Protocol (CMP)
  • 3.1. Update Section 1 - Introduction
  • 3.2. New Section 1.1 - Changes Since RFC 6712
  • 3.3. Replace Section 3.6 - HTTP Request-URI
• 4. IANA Considerations
  • 4.1. Updates to the ASN.1 Modules in RFCs 4210 and 5912
  • 4.2. Updates to the IANA Considerations of RFC 4210
  • 4.3. Updates to the IANA Considerations of RFC 6712
• 5. Security Considerations
• 6. References
  • 6.1. Normative References
  • 6.2. Informative References
• Appendix A. ASN.1 Modules
  • A.1. Update to RFC 4210 - 1988 ASN.1 Module
  • A.2. Update to RFC 5912 - 2002 ASN.1 Module
• Acknowledgements
• Authors' Addresses