CMP 3GPP Operations

This page describes how to configure EJBCA CMP for 3GPP, together with common operations and testing. For more information on the CMP 3GPP standard and EJBCA's integration with it, see the 3GPP Overview page.

Configuring EJBCA for Direct CA - Base Station Communication

To configure EJBCA for Direct CA - Base Station Communication, click CMP Configuration under System Functions and configure a CMP Alias with the following configuration:

Configuration Option                        Setting
CMP Operational Mode                        Client Mode
CMP Authentication Mode                     EndEntityCertificate
Vendor Certificate Mode                     Use, and specify the name of the Vendor CA
Allow Automatic Key Update                  Allow
Allow Certificate Renewal with Same Keys    Allow

The CMP Operational Mode Client mode works like any other enrollment in EJBCA. When a request comes in, EJBCA verifies the request (see CMP Message Authentication) and issues a certificate to a user that has been previously registered in EJBCA. For more information on CMP operational modes, see CMP.

The settings as they appear on the Edit CMP Alias page (screenshot not reproduced here):

Note that EJBCA always authenticates an update request (kur) using only the EndEntityCertificate module, no matter how many authentication modules are configured. For the update request to authenticate successfully, the EndEntityCertificate module must therefore be one of the configured authentication modules.

Configuring EJBCA for CA - Base Station Communication Through an RA

To configure EJBCA for CA - Base Station Communication through an RA, click CMP Configuration under System Functions and configure a CMP Alias with the following configuration:

Configuration Option                        Setting
CMP Operational Mode                        RA Mode
CMP Authentication Mode                     EndEntityCertificate, and specify the issuer of the certificate sent in the extraCerts field
RA Name Generation Scheme                   DN, and specify the DN part to be used as the username
RA End Entity Profile                       The name of the End Entity Profile to be used when adding End Entities representing the base stations
RA Certificate Profile                      ProfileDefault, or the name of the Certificate Profile to be used when creating certificates for the base stations
RA CA Name                                  ProfileDefault, or the name of the CA to be used when creating End Entities and certificates for the base stations
Allow Automatic Key Update                  Allow
Allow Certificate Renewal with Same Keys    Allow

The CMP Operational Mode RA Mode is used when the CMP client acts as an RA to EJBCA (the RA sends a certificate request to EJBCA). No user is pre-registered in EJBCA, but when authenticated RA CMP messages arrive, a user is created in EJBCA and a certificate is issued. For more information on CMP operational modes, see CMP.

The settings as they appear on the Edit CMP Alias page (screenshot not reproduced here):

Enrolling Device with Vendor Certificate

A PKI workflow as specified in the 3GPP standard uses CMP to enroll a device, authenticating the initial request using a Vendor certificate added to the device at manufacturing. After initial enrollment, the device can automatically renew the certificate when it is about to expire.

  1. There is a Vendor Root CA and a Vendor Sub CA; the Vendor Sub CA issues a Vendor Certificate to the device, with which the device comes pre-provisioned from the factory.
  2. The Vendor Root CA is trusted for initial enrollment of devices that have been pre-registered in EJBCA, using part of the Vendor Certificate DN (usually the device serial number) to identify the end entity.
  3. Two certificates are to be generated for the device, one for IPSEC and one for TLS, so the same Vendor Certificate is used to authenticate requests for two different end entities.
  4. Generate two new key pairs on the device
  5. Initial enrollment of an IPSEC Certificate for the new key on the device uses certificate authentication with the Vendor Certificate on the device.
  6. Initial enrollment of a TLS Certificate for the new key on the device uses certificate authentication with the Vendor Certificate on the device.
  7. Generate two new key pairs on the device
  8. Renew the IPSEC certificate for the new key pair, authenticated using the old key pair and certificate
  9. Renew the TLS certificate for the new key pair, authenticated using the old key pair and certificate

The steps above can be run against EJBCA using the openssl cmp command (built into OpenSSL 3.0 and later, as in the example below), the cmpforopenssl client, or the EJBCA cmpclient.

This works with two cmpaliases configured with parameters:

CMP Alias: aliasIPSEC
CMP Operational Mode: Client
CMP Authentication Module : EndEntityCertificate
Extract Username Component : CN
RA Name Generation Postfix : _IPSEC
Vendor Certificate Mode: Use
List Of Vendor CAs: Add Vendor Root CA (imported as External CA in EJBCA)

CMP Alias: aliasTLS
CMP Operational Mode: Client
CMP Authentication Module : EndEntityCertificate
Extract Username Component : CN
RA Name Generation Postfix : _TLS
Vendor Certificate Mode: Use
List Of Vendor CAs: Add Vendor Root CA (imported as External CA in EJBCA)

The Vendor Certificate (suggested to be provisioned as a key store together with its private key) is issued by the Vendor Sub CA with the subject DN: CN=1234.primekey.com,O=PrimeKey,C=SE

  1. Generate key pairs for the two new certificates:

    $ openssl genrsa -out ipsec_key.pem 2048
    $ openssl genrsa -out tls_key.pem 2048
  2. Initial enrollment:
    Before the initial enrollment, add two new End Entities in EJBCA. In this example they have the usernames 1234.primekey.com_IPSEC and 1234.primekey.com_TLS (the CN of the Vendor Certificate followed by the postfix of each alias) and the subject DNs CN=ipsec1234 and CN=hostname1234 respectively; the -subject in each request must match the registered subject DN. Both requests are signed with the Vendor Certificate and key, and the Vendor Sub CA certificate is supplied in extraCerts so that EJBCA can build the chain to the trusted Vendor Root CA.

    $ openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/aliasIPSEC \
    	-cert VendorCert.pem -key VendorKey.pem -certout ipsec_cert.pem -newkey ipsec_key.pem \
    	-subject "/CN=ipsec1234" -extracerts VendorExtraCerts.pem -trusted IPSECROOTRSA.cacert.pem \
    	-implicitconfirm
    
    $ openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/aliasTLS \
    	-cert VendorCert.pem -key VendorKey.pem -certout tls_cert.pem -newkey tls_key.pem \
    	-subject "/CN=hostname1234" -extracerts VendorExtraCerts.pem -trusted TLSROOTRSA.cacert.pem \
    	-implicitconfirm
  3. Generate new key pairs for the renewal:

    $ openssl genrsa -out ipsec_new_key.pem 2048
    $ openssl genrsa -out tls_new_key.pem 2048
  4. Renew (key update) with the new key pairs, authenticating each request with the certificate and key issued in step 2:

    $ openssl cmp -cmd kur -server localhost:8080 -path ejbca/publicweb/cmp/aliasIPSEC \
    	-cert ipsec_cert.pem -key ipsec_key.pem -certout ipsec_new_cert.pem -newkey ipsec_new_key.pem \
    	-subject "/CN=ipsec1234" -extracerts IPSECCAcerts.pem -trusted IPSECROOTRSA.cacert.pem \
    	-implicitconfirm
    
    $ openssl cmp -cmd kur -server localhost:8080 -path ejbca/publicweb/cmp/aliasTLS \
    	-cert tls_cert.pem -key tls_key.pem -certout tls_new_cert.pem -newkey tls_new_key.pem \
    	-subject "/CN=hostname1234" -extracerts TLSCAcerts.pem -trusted TLSROOTRSA.cacert.pem \
    	-implicitconfirm

Testing

The following is an example cmpforopenssl command to test Vendor CA authentication with a three-level Vendor CA PKI (Vendor Root CA, Vendor Sub CA, device Vendor Certificate), with the Vendor Sub CA certificate passed as the extra certificate:

    $ ./cmpclient --server 127.0.0.1 --port 8080 --path ejbca/publicweb/cmp/vendor \
    	--srvcert 3GPPCA.cacert.pem --ir --subject "C=SE,O=Test,CN=Network Element 32" \
    	--clcert nevcert.pem --key nevkey.pem --extracert casubnevcert.pem \
    	--newclcert nev-op-crt.der --newkey nev-op-key.pem
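To try the test command above against a realistic three-level Vendor CA PKI, and to see which End Entity usernames the aliasIPSEC/aliasTLS settings resolve to for a Vendor Certificate with CN=1234.primekey.com as in the enrollment walkthrough, the following added shell script (example code, not part of EJBCA or cmpforopenssl) builds a Vendor Root CA, a Vendor Sub CA and a device Vendor Certificate with openssl, checks the chain the way EJBCA will see it (trusting only the Vendor Root CA, with the Sub CA supplied as extraCerts), and derives the usernames from the certificate's CN plus the alias postfix. All DNs, file names, validity periods and the function names build_vendor_pki, vendor_chain_ok and ejbca_username are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from EJBCA or cmpforopenssl. Builds a three-level
# Vendor PKI (Vendor Root CA -> Vendor Sub CA -> device Vendor Certificate)
# and performs two checks a tester wants before sending an ir: that the device
# certificate chains to the Vendor Root via the extraCerts the device sends,
# and which EJBCA username the alias settings (Extract Username Component = CN,
# RA Name Generation Postfix = _IPSEC / _TLS) resolve to.
# All DNs, file names and validity periods are assumptions for this example.
set -e

# Sign a CSR with a CA key; X.509v3 extensions are read from a file.
sign_csr() {  # sign_csr <csr> <ca-cert> <ca-key> <ext-file> <out-cert> <days>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -sha256 -days "$6" -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Build the vendor hierarchy under directory $1.
build_vendor_pki() {
  d=$1; mkdir -p "$d"
  # Level 1: self-signed Vendor Root CA. This is the certificate imported into
  # EJBCA as an External CA and listed under "List Of Vendor CAs".
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Vendor Root CA/O=PrimeKey/C=SE" \
    -keyout "$d/VendorRoot.key" -out "$d/VendorRoot.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/VendorRoot.csr" -signkey "$d/VendorRoot.key" \
    -sha256 -days 3650 -extfile "$d/root.ext" -out "$d/VendorRoot.pem" >/dev/null 2>&1
  # Level 2: Vendor Sub CA, the actual issuer of device certificates.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/subca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Vendor Sub CA/O=PrimeKey/C=SE" \
    -keyout "$d/VendorSub.key" -out "$d/VendorSub.csr" >/dev/null 2>&1
  sign_csr "$d/VendorSub.csr" "$d/VendorRoot.pem" "$d/VendorRoot.key" "$d/subca.ext" "$d/VendorSub.pem" 1825
  # Level 3: the device's Vendor Certificate; CN carries the device identifier.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ee.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=1234.primekey.com/O=PrimeKey/C=SE" \
    -keyout "$d/VendorKey.pem" -out "$d/device.csr" >/dev/null 2>&1
  sign_csr "$d/device.csr" "$d/VendorSub.pem" "$d/VendorSub.key" "$d/ee.ext" "$d/VendorCert.pem" 730
  # extraCerts: the intermediate the device must send so that EJBCA can build
  # the path from VendorCert.pem to the Vendor Root it trusts.
  cp "$d/VendorSub.pem" "$d/VendorExtraCerts.pem"
}

# Path validation as EJBCA sees it: trust only the Vendor Root, treat
# extraCerts as untrusted intermediates. Returns 0 if the chain is valid.
vendor_chain_ok() {  # vendor_chain_ok <device-cert> <extracerts> <vendor-root>
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Username EJBCA looks up in Client Mode with Extract Username Component = $2
# and RA Name Generation Postfix = $3: "<component value><postfix>".
ejbca_username() {  # ejbca_username <cert> <component> <postfix>
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  value=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1)
  printf '%s%s\n' "$value" "$3"
}

WORK=${WORK:-$(mktemp -d)}
build_vendor_pki "$WORK"
vendor_chain_ok "$WORK/VendorCert.pem" "$WORK/VendorExtraCerts.pem" "$WORK/VendorRoot.pem" \
  && echo "VendorCert.pem chains to the Vendor Root CA via extraCerts"
echo "End entities to pre-register: $(ejbca_username "$WORK/VendorCert.pem" CN _IPSEC)" \
  "and $(ejbca_username "$WORK/VendorCert.pem" CN _TLS)"
```

Import VendorRoot.pem into EJBCA as an External CA and add it to List Of Vendor CAs; VendorCert.pem, VendorKey.pem and VendorExtraCerts.pem then take the place of the same-named files in the ir commands above. The negative case is worth keeping in mind when testing: if the device sends only the root (or nothing) in extraCerts, the path from the device certificate to the Vendor Root cannot be built and EndEntityCertificate authentication fails.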