
Use CMP or SCEP protocol in CA mode

This article describes the CA and RA modes for enrollment used by CMP and SCEP protocols, and how to use CA mode in Protocol Gateway. 

Enrollment modes

The CMP and SCEP protocols specify two enrollment modes: 

  • CA mode - The CA key pair is used to protect the protocol messages.

  • RA mode - A separate device RA key pair is used to protect the protocol messages.

Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. CA mode is not supported, since the CA's private key should only be used for signing certificates and CRLs. When managing end entities, ensure that they operate in RA mode. 

However, some devices don't support RA mode and require that the CA key pair is used to protect the protocol messages. To support these devices in Protocol Gateway, follow the instructions below to configure the CA key pair to be used as a device RA key pair. It is assumed that an HSM is used to store the CA keys.



To be able to use the CA certificate as an RA certificate in PGW, the CA certificate key usage must be complemented with Digital Signature and Key Encipherment:

  1. Copy the format file that you will use to create a CA certificate, which is found under <server_root>/config/certformats. 

  2. Open the new copy for editing. 

  3. Add the following code to the new format file: 

    Add code in format file

    extension.keyusage.attributes.digitalsignature=true
    extension.keyusage.attributes.keyencipherment=true



  4. Restart the server to make it aware of the new format file.



  1. In Administrator's Workbench, create a CA key with the new format. See Create CA key in Certificate Manager.

  2. Verify that the resulting certificate has Digital Signature and Key Encipherment as key usage as well as Certificate Signing and CRL Signing. 

  3. Put the new certificate in the HSM that is used by Protocol Gateway. See Install certificate.

  4. If you use two different HSMs for the CM server and Protocol Gateway, copy the key using your HSM's own tools.
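The verification in step 2 can be automated. As an added example (not part of the Nexus documentation), the following Python decodes a DER-encoded KeyUsage BIT STRING as defined in RFC 5280 and reports which of the four usages needed for the CA-as-RA setup are still missing; the two sample DER values are constructed for illustration, not taken from a real certificate.

```python
# Added example (not Nexus code): decode an X.509 KeyUsage BIT STRING
# (RFC 5280, section 4.2.1.3) and check that a CA certificate carries
# the usages required when the CA key is reused as the device RA key.

# Bit positions from RFC 5280; bit 0 is the most significant bit of the
# first content byte of the BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

CA_USAGES = {"keyCertSign", "cRLSign"}              # a normal CA certificate
RA_USAGES = {"digitalSignature", "keyEncipherment"}  # what PGW needs for an RA


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING (tag 0x03) holding KeyUsage flags."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    total_bits = len(payload) * 8 - unused
    usages = set()
    for bit, name in KEY_USAGE_BITS.items():   # ascending bit order
        if bit >= total_bits:
            break                              # trailing bits are absent
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(name)
    return usages


def missing_for_ca_as_ra(der: bytes) -> set:
    """Return the usages still missing (empty set = usable as RA certificate)."""
    return (CA_USAGES | RA_USAGES) - decode_key_usage(der)


# Constructed sample values (not from a real certificate):
# CA from an unmodified format file: keyCertSign + cRLSign -> bits 5,6 -> 0x06
PLAIN_CA_KEY_USAGE = bytes.fromhex("03020106")
# CA from the complemented format file: bits 0,2,5,6 -> 0xA6
CA_AS_RA_KEY_USAGE = bytes.fromhex("030201a6")
```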



To configure Protocol Gateway to use the new CA certificate as RA: 

  1. Open the properties file for editing, for example cmp.properties. 

  2. Add a handler that uses the new CA certificate as RA certificate.
    Example: The handler defined below will be used when accessing <url>/cmp/example: 

    Example: cmp.properties

    handler.1.filter = example
    handler.1.ra.keyfile =
    handler.1.ra.certificate.subject = exampleCA
    handler.1.ra.password = 1234
    handler.1.ra.pkcs11 = {ProgramFiles}/tomcatWorkingDirectory/cs2_pkcs11.dll







Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.