EST The Enrollment over Secure Transport (EST) is a cryptographicprotocol that describes an X.509 certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and associated Certification Authority (CA) certificates over https. Example of functions are initial certificate enrollment, certificate renewal, and CA rollover. EST is defined in RFC 7030. See also Example: EST configuration in Protocol Gateway.
EST-coaps EST over secure CoAP (EST-coaps) is a protocol that can be used for secure bootstrapping and certificate enrollment to low-resource devices. Constrained devices can be battery powered and unattended for years, supporting DTLS, 6LoWPAN; IPv6 over IEEE 802.15.4 based networks. Contiki NG OS based devices is an example of clients that can use EST over coaps.
CMC Certificate Manager supports certificate enrollment over Certificate Management over CMS (CMC) as well as Revocation Request Control, which is used to request a certificate to be revoked. The request must be signed by an authorized CM officer with the revocation role. CMC is an Internet Standard published by the IETF, defining transport mechanisms for the Cryptographic Message Syntax (CMS). It is defined in RFC 5272, its transport mechanisms in RFC 5273.
CMP Certificate Manager supports certificate enrollment over the Certificate Management Protocol (CMP), which is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is defined in RFC 4210. CMP is for example used in PKI for long-term evolution (LTE) networks, together with the 3GPP specification. See also Example: CMP configuration in Protocol Gateway.
SCEP Simple Certificate Enrollment Protocol is a protocol for handling certificates for large-scale implementation to everyday users. SCEP is an Internet Draft in the Internet Engineering Task Force (IETF). It is defined here. See also Example: SCEP configuration in Protocol Gateway.
SCEP Intune Certificate Manager can be used as a third-party CA with Microsoft Intune to issue and validate certificates using Simple Certificate Enrollment Protocol (SCEP). Certificate Manager supports SCEP Intune for all SCEP Intune certified devices.
SCEP NDES Certificate Manager supports SCEP with static and dynamic challenge passwords. SCEP with dynamic challenge passwords is complying to Microsoft's Network Device Enrollment Service (NDES) implementation.
CM SDK proxy The SDK Proxy service is a reverse proxy for the Certificate Manager clients. It allows CM clients to connect to the Certificate Factory (CF) service remotely over the internet without the need to expose the CF service externally. Requests from CM clients are forwarded to the CF service and responses are returned as if communicating directly with CF.
ACME Certificate Manager supports the protocol Automatic Certificate Management Environment (ACME, read more here). The ACME protocol, as defined in RFC 8555, enables certificate automation for provisioning X.509 certificates to devices, such as web servers, printers and NAS (Network-attached storage) devices. See also Example: ACME configuration in Protocol Gateway.
WinEP Nexus Windows Enrollment Proxy (WinEP) facilitates enrollment to Microsoft Windows clients through native protocols. WinEP requires the WinEP service together with the WinEP Protocol Gateway servlet.
AST Using the Authenticated Soft Token (AST) an end user or administrator can, while properly authenticated, request PKCS#12 Soft Tokens for signing and authentication.
Ping The Ping service (monitoring service) is used for system health checks and can be used by load balancers to detect issues in nodes. A Ping call engages all internal components in the CA system, including HSM's. See also Set up Protocol Gateway Ping.
CM WS CM Web Services (CM WS) is a SOAP-based web service interface used for certificate management in CM. CM WS has the functionality to enroll, revoke, search and fetch certificates.
CM REST API Certificate Manager REST API (RESTful application programming interface) is an HTTP-based service for certificate creation, certificate searching, certificate download, certificate revocation, certificate reinstatement, creation of PKCS#12 files and token procedure listing in Certificate Manager, read more here. The API requires client authentication over TLS using a CM officer certificate. Write operations like revoke, reinstate and certificate issuance requires the request data to be signed by a CM officer. The REST API server can also be configured to use a CM officer for signing the requests on the caller’s behalf, enabling automated services for trusted clients. See also Example: Certificate Manager (CM) REST API configuration in Protocol Gateway.
This article is valid for Certificate Manager 8.3 and later.
