Certificate Management Protocol (CMP)
CMP is a protocol for managing Public Key Infrastructures (PKI) based on X.509v3 certificates. Protocol messages are defined for certificate creation and management. It is used by commercial PKI products as Entrust Security Manager, Unicert, Insta Certifier and Cryptlib. An OpenSSL client side implementation is work in progess.
- ["TCP"]: CMP can use ["TCP"] or ["HTTP"] as its transport protocol. The well known TCP port for CMP traffic is 829.
- While there is no implementation known supporting it, transporting CMP over email (["SMTP"], ["POP"] etc.) or file transfer (["FTP") is also mentioned in CMPtrans (see below).
TODO: Add example traffic here (as plain text or Wireshark screenshot).
Example capture file
- attachment:SampleCaptures/cmp-trace.pcap.gz CMP certificate requests
- attachment:SampleCaptures/cmp-in-http-with-errors-in-cmp-protocol.pcap.gz CMP version 2 encapsulated in HTTP on port 4711. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.
A complete list of CMP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/c/cmp.html display filter reference]
- Show only the CMP based traffic:
You cannot directly filter CMP while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.
- Capture only the CMP traffic over the default port (829):
tcp port 829
[http://www.ietf.org/rfc/rfc4210.txt RFC 4210] Internet X.509 Public Key Infrastructure Certificate Management Protocols. This version obsoletes [http://www.ietf.org/rfc/rfc2510.txt RFC 2510]. According to the new RFC, the CMP transport protocol issues are handled in the separate CMPtrans document.
[http://tools.ietf.org/html/draft-ietf-pkix-cmp-transport-protocols-05 Last IETF CMPtrans draft] This draft for CMPtrans is expired, hence there is no obligatory transport protocols spec available. There are obvious mistakes in it which may cause confusion. Implementations more or less adhere to it.
[http://www.ietf.org/rfc/rfc4211.txt RFC 4211] Certificate Request Message Format is more or less bound to CMP. This Version obsoletes [http://www.ietf.org/rfc/rfc2511.txt RFC 2511] and is used by RFC 4210