added link to CMPv2 sample and added a reference to the RFC4211 - CRMF
|Deletions are marked like this.||Additions are marked like this.|
|Line 28:||Line 28:|
|* attachment:SampleCaptures/cmp-in-http-with-errors-in-cmp-protocol.pcap.gz CMP version 2 encapsulated in HTTP on port 4711. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.|
|Line 45:||Line 46:|
|* [http://www.ietf.org/rfc/rfc4211.txt RFC 4211] ''Certificate Request Message Format'' is more or less bound to CMP. This Version obsoletes RFC 2511 and is used by RFC 4210|
Certificate Management Protocol (CMP)
CMP is a protocol for managing Public Key Infrastrictures (PKI) based on X.509v3 certificates. Protocol messages are defined for certificate creation and management. It is used by commercial PKI products as Entrust Security Manager and Unicert
- ["TCP"]: CMP can use ["TCP"] or ["HTTP"] as its transport protocol. The well known TCP port for CMP traffic is 829.
TODO: Add example traffic here (as plain text or Wireshark screenshot).
Example capture file
- attachment:SampleCaptures/cmp-trace.pcap.gz CMP certificate requests
- attachment:SampleCaptures/cmp-in-http-with-errors-in-cmp-protocol.pcap.gz CMP version 2 encapsulated in HTTP on port 4711. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.
A complete list of CMP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/c/cmp.html display filter reference]
Show only the CMP based traffic:
You cannot directly filter CMP protocol while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.
Capture only the CMP traffic over the default port (829):
tcp port 829
[http://www.ietf.org/rfc/rfc2510.txt RFC 2510] Internet X.509 Public Key Infrastructure Certificate Management Protocols - It has been replaced by [http://www.ietf.org/rfc/rfc4210.txt RFC 4210] which doesn't address transport issues.
[http://www.ietf.org/rfc/rfc4211.txt RFC 4211] Certificate Request Message Format is more or less bound to CMP. This Version obsoletes RFC 2511 and is used by RFC 4210