The following covers EJBCA's interoperability with various clients, devices and libraries. For more general information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.

EJBCA's cmpclient

ENTERPRISE  This is an EJBCA Enterprise feature.

EJBCA Enterprise includes a java command line client for CMP, used to request, renew and revoke certificates.

To build and run the cmpclient client, use the following:

$ ant cmpclient
$ cd dist/cmpclient
$ java -jar cmpclient.jar
$ java -jar cmpclient.jar crmf --help
$ java -jar cmpclient.jar p10cr --help

An example workflow can be done using the p10cr command, which sends a P10CR request body for the certificate creation. The below example uses an RA Mode CMP alias (cmpalias) with password authentication, and a Client Mode CMP alias (cmpupdate) with EndEntityCertificate enabled in the authentication module.

# Using a CSR created with OpenSSL.
$ openssl req -newkey rsa:2048 -keyout your-key.key -out your-request.csr
$ java -jar cmpclient.jar p10cr --dn "CN=yourCN" --csr "your-request.csr" --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

# Or without CSR, where a signature algorithm is required to be added to the command.
$ java -jar cmpclient.jar p10cr --dn "CN=yourCN" --sigalgorithm "SHA256WithRSA" --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

# Using update command and previously acquired certificate for authentication. 
# (End Entity status must be changed from Generated to New, Failed or In Process before this step.)
$ openssl pkcs12 -export -inkey dest/yourCN-key.pem -in dest/yourCN.pem -certfile ManagementCA.cacert.pem -name yourCN -out dest/yourCN.p12
$ java -jar cmpclient.jar update --dn "CN=yourCN" --url http://localhost:8080/ejbca/publicweb/cmp/cmpupdate --keystore dest/yourCN.p12 --keystorepwd foo123 --extraCertsFriendlyName yourCN --includepopo --reqnewkeyspec RSA2048

# Revoking the certificate
$ openssl x509 -in dest/yourCN.pem -text
$ java -jar cmpclient.jar revoke --issuer "CN=ManagementCA,O=EJBCA Sample,C=SE" --serno 17b9a7b8ce44b3fa --url http://localhost:8080/ejbca/publicweb/cmp/cmpalias --authparam password

You can use a https URL with the cmpclient, but you may need to provide a truststore to Java in order for the client to verify the server certificate. The truststore contains the Root CA certificate of the server certificate chain.

java -jar cmpclient.jar crmf --dn "CN=tomas" --url --authparam password --reqnewkeyspec RSA2048


CMP has been tested with BlueX from AET Europe. From EJBCA's point of view BlueX functions as an RA with the same configuration options as for jCert.


CMP has been tested with Aventra card management system. Same configuration as above.


CMP has been tested with BouncyCastle CMP classes, available in BC 1.46 or later. Both client and RA mode should work. For sample implementations of client messages using BouncyCastle, see the CMP Operations Guide.

CMP for OpenSSL

OpenSSL includes CMP from version 3.0, i.e. cmpforopenssl below is merged into OpenSSL main and is available in OpenSSL Git (or a release when available on your platform).

CMP has been tested with cmpforopenssl. cmpforopenssl is submitted for inclusion in OpenSSL and the code is available on GitHub on For documentation for the command, refer to and for a Quick Start guide, tested with EJBCA, refer to

The old client tool in cmpforopenssl was called cmpclient, while the new one is in the openssl command itself. Only the new one is documented here. It works with EJBCA CMP in both RA mode and client mode.

See the CMP Operations Guide for more information about commands for cmpforopenssl.


CMP has been tested with CryptLib

RSA jCert

CMP has been tested using RSA jCert toolkit for initialization requests. To run this as an RA, configure CMP according to the following:

  • CMP Operational Mode: RA Mode
  • Allow RA Verify Proof-of-Possession: enabled
  • CMP Response Protection: pbe
  • CMP Authentication Module: HMAC
  • CMP Authentication Parameters: your shared password
  • and other configurations you want for your RA.

Related Content