To allow external clients to order certificates from Smart ID Certificate Manager (CM), the following interfaces and protocols are supported via Protocol Gateway:
- EST
  Enrollment over Secure Transport (EST) is a cryptographic protocol that describes an X.509 certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and associated Certification Authority (CA) certificates over HTTPS. Examples of functions are initial certificate enrollment, certificate renewal, and CA rollover. EST is defined in RFC 7030.
- EST-coaps
  EST over secure CoAP (EST-coaps) is a protocol that can be used for secure bootstrapping and certificate enrollment of low-resource devices. Constrained devices can be battery powered and unattended for years, supporting DTLS and 6LoWPAN (IPv6 over IEEE 802.15.4-based networks). Devices based on the Contiki-NG OS are an example of clients that can use EST over CoAPS.
- CMC
  Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC) as well as the Revocation Request Control, which is used to request that a certificate be revoked. The request must be signed by an authorized CM officer with the revocation role. CMC is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, and its transport mechanisms in RFC 5273.
- CMP
  Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), which is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is defined in RFC 4210. CMP is used, for example, in PKI for Long-Term Evolution (LTE) networks, together with the 3GPP specifications.
- SCEP
  The Simple Certificate Enrollment Protocol (SCEP) is a protocol for handling certificates in large-scale deployments to everyday users. SCEP is an Internet Draft in the Internet Engineering Task Force (IETF). It is defined here.
- SCEP Intune
  Certificate Manager can be used as a third-party CA with Microsoft Intune to issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). Certificate Manager supports SCEP Intune with Microsoft Azure.
- SCEP NDES
  Certificate Manager supports SCEP with static and dynamic challenge passwords. SCEP with dynamic challenge passwords complies with Microsoft's Network Device Enrollment Service (NDES) implementation.
- CM SDK proxy
  The SDK Proxy service is a reverse proxy for Certificate Manager client software. It allows CM clients to connect to the Certificate Factory (CF) service remotely over the internet without the need to expose the CF service externally. Requests from CM clients are forwarded to the CF service and responses are returned as if the client were communicating directly with CF.
- ACME
  Certificate Manager supports the Automatic Certificate Management Environment (ACME) protocol (read more here). The ACME protocol, as defined in RFC 8555, enables certificate automation for provisioning X.509 certificates to devices, such as web servers, printers and NAS (network-attached storage) devices.
- WinEP
  Nexus Windows Enrollment Proxy (WinEP) facilitates enrollment of Microsoft Windows clients through native protocols. WinEP requires the WinEP service together with the WinEP Protocol Gateway servlet.
- AST
  Using the Authenticated Soft Token (AST), an end user or administrator can, while properly authenticated, request PKCS#12 soft tokens for signing and authentication.
- Ping
  The Ping service (monitoring service) is used for system health checks and can be used by load balancers to detect issues in nodes. A Ping call engages all internal components in the CA system, including HSMs.
- CM WS
  CM Web Services (CM WS) is a SOAP-based web service interface used for certificate management in CM. CM WS has the functionality to enroll, revoke, search and fetch certificates.
- CM REST API
  The Certificate Manager REST API (RESTful application programming interface) is an HTTP-based service for certificate creation, certificate searching, certificate download, certificate revocation, certificate reinstatement, creation of PKCS#12 files and token procedure listing in Certificate Manager (read more here).
  The API requires client authentication over TLS using a CM officer certificate. Write operations such as revoke, reinstate and certificate issuance require the request data to be signed by a CM officer. The REST API server can also be configured to use a CM officer for signing the requests on the caller’s behalf, enabling automated services for trusted clients.
This article is valid for Certificate Manager 8.3 and later.