The following covers EJBCA's interoperability with various clients, devices and libraries. For more general information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.

EJBCA's cmpclient

ENTERPRISE  This is an EJBCA Enterprise feature.

EJBCA Enterprise includes a java command line client for CMP, used to request, renew and revoke certificates.

To build and run the cmpclient client, use the following:

$ ant cmpclient
$ cd dist/cmpclient
$ java -jar cmpclient.jar
$ java -jar cmpclient.jar crmf --help

An example workflow when you have one CMP alias in RA mode (raalias), using password based authentication of the RA, and another CMP alias (clientupdate) in client mode allowing updates using certificate authentication.

$ java -jar cmpclient.jar crmf --dn "CN=tomas" --url --authparam password --reqnewkeyspec RSA2048
$ openssl pkcs12 -export -inkey dest/tomas-key.pem -in /dest/tomas.pem -certfile ManagementCA.cacert.pem -name tomas -out dest/tomas.p12
$ java -jar cmpclient.jar update --dn "CN=tomas" --url --keystore dest/tomas.p12 --keystorepwd foo123 --extraCertsFriendlyName tomas --includepopo --reqnewkeyspec RSA2048
$ openssl x509 -in dest/tomas.pem -text
$ java -jar cmpclient.jar revoke --issuer "CN=ManagementCA,O=EJBCA Sample,C=SE" --serno 17b9a7b8ce44b3fa --url --authparam password

You can use a https URL with the cmpclient, but you may need to provide a truststore to Java in order for the client to verify the server certificate. The truststore contains the Root CA certificate of the server certificate chain.

java -jar cmpclient.jar crmf --dn "CN=tomas" --url --authparam password --reqnewkeyspec RSA2048


CMP has been tested with BlueX from AET Europe. From EJBCA's point of view BlueX functions as an RA with the same configuration options as for jCert.


CMP has been tested with Aventra card management system. Same configuration as above.


CMP has been tested with BouncyCastle CMP classes, available in BC 1.46 or later. Both client and RA mode should work. For sample implementations of client messages using BouncyCastle, see the CMP Operations Guide.

CMP for OpenSSL

OpenSSL includes CMP from version 3.0, i.e. cmpforopenssl below is merged into OpenSSL main and is available in OpenSSL Git (or a release when available on your platform).

CMP has been tested with cmpforopenssl. cmpforopenssl is submitted for inclusion in OpenSSL and the code is available on GitHub on For documentation for the command, refer to and for a Quick Start guide, tested with EJBCA, refer to

The old client tool in cmpforopenssl was called cmpclient, while the new one is in the openssl command itself. Only the new one is documented here. It works with EJBCA CMP in both RA mode and client mode.

See the CMP Operations Guide for more information about commands for cmpforopenssl.


CMP has been tested with CryptLib

Huawei Pico 3GPP

The Huawei Pico cell is confirmed to successfully receive operator certificates using CMPv2.

In order to authenticate the Pico cell for initial enrollment the Huawei Vendor CA must be imported in EJBCA. Go to Certificate Authorities in the Admin GUI and import Huawei Equipment Root CA as External Certificate Authority by clicking Import CA Certificate.

CMP Alias Settings

  • CMP Operational Mode - Client
  • CMP Authentication Module - EndEntityCertificate only
  • Extract Username Component - CN
  • Vendor Certificate Mode - Use
  • List Of Vendor CAs - Huawei Equipment Root CA
  • CMP Response Protection - Signature
  • CMP Response Additional CA certificates - Leave blank
  • PKI Message Response Additional CA certificates - Leave blank
  • Certificate Confirmation Default CA - Use whatever CA is configure in the End Entity
  • Automatic Key Update - Checked
  • Certificate renewal with same keys - Checked
  • Allow Server Generated Keys - Unchecked
  • Nested Message Trusted Certificates Path - Leave blank

End Entity Profile Settings

  • Batch Generation - Use
  • Subject DN Attributes, CN - Required
  • Default and Available Certificate Profiles - Set to your CMP Certificate profile
  • Default and Available CAs - Set to the Issuing CA that you have set in CMP Certificate Confirmation Default CA
  • Default Token - User Generated

Certificate Profile Settings

  • Available CAs - Set to the Issuing CA that you have set in CMP Certificate Confirmation Default CA

Apache configuration

Certain Pico devices do not allow for a URL to a CMP host.  If this is the case, we recommend running apache in front of the  EJBCA JBoss/WildFly application server. You can add in this configuration to an Apache to have it redirect to the EJBCA CMP URL.

Listen 8080
<VirtualHost *:8080>
    DocumentRoot /var/www/html/
    # Disallow any HTTP method that is not HEAD, GET or POST
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(HEAD|GET|POST)$ [NC]
    RewriteRule .* - [F,L]
    #Since we are adding an additional port we can redirect all traffic to the CMP alias
    ProxyPass "/"      "ajp://localhost/ejbca/publicweb/cmp/3gpp" keepalive=On ping=500ms retry=1 timeout=300
    ProxyPassReverse "/" "ajp://localhost/ejbca/publicweb/cmp/3gpp"

RSA jCert

CMP has been tested using RSA jCert toolkit for initialization requests. To run this as an RA, configure CMP according to the following:

  • CMP Operational Mode: RA Mode
  • Allow RA Verify Proof-of-Possession: enabled
  • CMP Response Protection: pbe
  • CMP Authentication Module: HMAC
  • CMP Authentication Parameters: your shared password
  • and other configurations you want for your RA.