CMP

Certificate Management Protocol (CMP)

CMP is a protocol for managing Public Key Infrastructures (PKI) based on X.509v3 certificates. Protocol messages are defined for certificate creation and management. CMP is used by commercial PKI products such as Nexus Certificate Manager, Entrust Security Manager, Unicert, Insta Certifier and Cryptlib. An OpenSSL client-side implementation is a work in progress.

Protocol dependencies

Example traffic

Wireshark_1.2.9-OpenSSL_Cryptlib-CMP-Initial_Registration.png

The depicted trace is available here: cmp_IR_sequence_OpenSSL-Cryptlib.pcap

Preference Settings

Wireshark_1.2.9_Windows-CMP_Preferences.png

Reassemble CMP-over-TCP message spanning multiple TCP segments:

When this preference is enabled and when using TCP-Messaging protocol for transport, the CMP dissector will reassemble a CMP message transmitted over more than one TCP segment.
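Why this preference matters, as an added example (not code from Wireshark or from this page): a length-prefixed CMP message can only be decoded once every TCP segment carrying it has been buffered. The sketch is narrowed to the RFC 2510 section 5.2 TCP framing (4-byte big-endian length, one flag octet, then the value), which this page does not spell out; the class and helper names, the size cap and the sample bytes are constructed for illustration.

```python
import struct

# Flag octet values from RFC 2510 section 5.2 (assumed framing, not from this page).
FLAGS = {0: "pkiMsg", 1: "pollRep", 2: "pollReq", 3: "negPollRep",
         4: "partialMsgRep", 5: "finalMsgRep", 6: "errorMsgRep"}
MAX_LEN = 1 << 20  # hypothetical sanity cap so a bogus length cannot stall the stream

class CmpTcpReassembler:
    """Buffers TCP payloads of one direction and yields complete CMP-over-TCP messages."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment: bytes):
        """Add one TCP segment payload; return the (flag_name, value) pairs now complete."""
        self.buf += segment
        done = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack_from(">I", self.buf, 0)
            # length counts the flag octet plus the value, so it must be at least 1
            if length < 1 or length > MAX_LEN:
                raise ValueError(f"implausible CMP-over-TCP length {length}")
            if len(self.buf) < 4 + length:
                break  # message continues in a later segment: keep buffering
            flag, value = self.buf[4], bytes(self.buf[5:4 + length])
            done.append((FLAGS.get(flag, f"unknown({flag})"), value))
            del self.buf[:4 + length]
        return done

def frame(flag: int, value: bytes) -> bytes:
    """Build one framed message (helper for the constructed sample below)."""
    return struct.pack(">IB", len(value) + 1, flag) + value

# Constructed sample: a 3000-byte stand-in for a DER PKIMessage followed by a
# short pollReq body, cut into 1460-byte segments as a TCP stack might send them.
STREAM = frame(0, b"\x30" * 3000) + frame(2, b"\x00\x00\x00\x2a")
SEGMENTS = [STREAM[i:i + 1460] for i in range(0, len(STREAM), 1460)]

def reassemble(segments):
    """Return, per segment, the (flag_name, value_length) pairs completed by it."""
    r = CmpTcpReassembler()
    return [[(name, len(v)) for name, v in r.feed(s)] for s in segments]

if __name__ == "__main__":
    for n, msgs in enumerate(reassemble(SEGMENTS), 1):
        print(f"segment {n}: {msgs or 'incomplete, buffered'}")
```

The first two segments complete nothing on their own; both messages only become decodable when the third segment arrives, which is the case the preference exists to handle.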

Alternate TCP port:

This preference can be used to set the TCP port for TCP-Messaging when it differs from the well-known TCP port for transporting CMP (829), which is used by default. The default port is used when the preference is set to 0.

Alternate HTTP port:

This preference can be used to set an alternate TCP port in case of HTTP transport. This option should be set either when a TCP port is used which is not configured to be HTTP or when the Content-Type of the transmitted HTTP header is incorrectly not set to "application/pkixcmp". This preference is disabled when the value is set to 0.

Alternate TCP-style-HTTP port:

This preference can be used to set an alternate TCP port in case of TCP-messaging over HTTP transport. This option should be set either when a TCP port is used which is not configured to be HTTP or when the Content-Type of the transmitted HTTP header is incorrectly not set to (the unofficial) "application/pkixcmp-poll". This preference is disabled when the value is set to 0.

Example capture file

Display Filter

A complete list of CMP display filter fields can be found in the display filter reference.

Show only the CMP based traffic:

 cmp 

Capture Filter

You cannot directly filter CMP while capturing. However, if you know the TCP port used (see above), you can filter on that one.

Capture only the TCP-Messaging CMP traffic over the default port (829):

 tcp port 829 

External links


Imported from https://wiki.wireshark.org/CMP on 2020-08-11 23:12:18 UTC