Certificate Management Protocol (CMP)
CMP is a protocol for managing Public Key Infrastructures (PKI) based on X.509v3 certificates. Protocol messages are defined for certificate creation and management. It is used by commercial PKI products such as Entrust Security Manager, Unicert, Insta Certifier and Cryptlib. An OpenSSL client-side implementation is work in progress.
TODO: Add example traffic here (as plain text or Wireshark screenshot).
Example capture files
SampleCaptures/cmp-trace.pcap.gz CMP certificate requests
SampleCaptures/cmp-in-http-with-errors-in-cmp-protocol.pcap.gz CMP version 2 encapsulated in HTTP on port 4711. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packets.
SampleCaptures/cmp_in_http_with_pkixcmp-poll_content_type.pcap.gz CMP version 2 encapsulated in HTTP. The CMP messages use the deprecated but still-used content type "pkixcmp-poll", so they use the TCP transport style. In two of the four CMP messages the content type is not explicitly set, so they cannot be dissected correctly.
A complete list of CMP display filter fields can be found in the display filter reference.
- Show only the CMP based traffic:
cmp
You cannot directly filter CMP while capturing. However, if you know the TCP port used (see above), you can filter on that port.
- Capture only the CMP traffic over the default port (829):
tcp port 829
RFC 4210 Internet X.509 Public Key Infrastructure Certificate Management Protocols. This version obsoletes RFC 2510. According to the new RFC, CMP transport is handled in the separate CMPtrans document.
Last IETF CMPtrans draft. This draft for CMPtrans has expired, so there is no mandatory transport protocol specification available. It contains obvious mistakes which may cause confusion. Implementations more or less adhere to it.