To allow external clients to order certificates from Certificate Manager, the following interfaces and protocols are supported via Protocol Gateway:
EST The Enrollment over Secure Transport (EST) is a cryptographicprotocol that describes an X.509 certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and associated Certification Authority (CA) certificates over https. Example of functions are initial certificate enrollment, certificate renewal, and CA rollover. EST is defined in RFC 7030.
EST-coaps EST over secure CoAP (EST-coaps) is a protocol that can be used for secure bootstrapping and certificate enrollment to low-resource devices. Constrained devices can be battery powered and unattended for years, supporting DTLS, 6LoWPAN; IPv6 over IEEE 802.15.4 based networks. Contiki NG OS based devices is an example of clients that can use EST over coaps.
CMC Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC), which is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, its transport mechanisms in RFC 5273.
CMP Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), which is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is defined in RFC 4210. CMP is for example used in PKI for long-term evolution (LTE) networks, together with the 3GPP specification.
SCEP Simple Certificate Enrollment Protocol is a protocol for handling certificates for large-scale implementation to everyday users. SCEP is an Internet Draft in the Internet Engineering Task Force (IETF). It is defined here.
ACME Certificate Manager supports the protocol Automatic Certificate Management Environment (ACME, read more here). The ACME protocol, as defined in RFC 8555, enables certificate automation for provisioning X.509 certificates to devices, such as web servers, printers and NAS (Network-attached storage) devices.
WinEP Nexus Windows Enrollment Proxy (WinEP) facilitates enrollment to Microsoft Windows clients through native protocols. WinEP requires the WinEP service together with the WinEP Protocol Gateway servlet.
AST Using the Authenticated Soft Token (AST) an end user or administrator can, while properly authenticated, request PKCS#12 Soft Tokens for signing and authentication.
Ping The Ping service (monitoring service) is used for system health checks and can be used by load balancers to detect issues in nodes. A Ping call engages all internal components in the CA system, including HSM's.
CM WS CM Web Services (CM WS) is a SOAP-based web service interface used for certificate management in CM. CM WS has the functionality to enroll, revoke, search and fetch certificates.
CM REST API Protocol Gateway REST API (RESTful application programming interface) is an HTTP-based service for certificate creation, certificate searching, certificate download, certificate revocation, certificate reinstatement, creation of PKCS#12 files and token procedure listing in Certificate Manager, read more here. The API requires client authentication over TLS using a CM officer certificate. Write operations like revoke, reinstate and certificate issuance requires the request data to be signed by a CM officer. The REST API server can also be configured to use a CM officer for signing the requests on the caller’s behalf, enabling automated services for trusted clients.
