Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

raVerified CMP requests

Owned by Josefin Klang (Deactivated)
Last updated: Jun 19, 2024Version comment
2 min read

Overview

In a CMP environment where a Registration Authority (RA) is either modifying requests of an End-Entity (EE), or sending requests on behalf of an EE, there is a need for enabling the support for CMP requests which has 'raVerified' Proof-Of-Possession (POP). More information can be found in [CMP].

In CM, CMP can work in three different POP verification modes:

  • client (default): allows signature based POP.

  • ra: allows both raVerified and signature based POP.

  • ra-strict allows only raVerified POP.

Configuration

Prerequisites

 CMP configured in modes ra or ra-strict utilizes the CF Production Order service to dynamically create CMP registrations. This requires that the parameter CardProductionManager.start is set to true in cm.conf.

Procedure policy objects

  1. This step can be skipped if you already have a token procedure for CMP issuance, and you want to use it for both signature based and ra based POP.

  2. Launch the Nexus Administrators Workbench client (AWB).

  3. Create a new certificate procedure using the AWB. The certificate format must be cmpenroll.

  4. Create a new token procedure using the AWB. It should reference the created certificate procedure, have storage profile pkcs10 and the inputview GPIV 6 - Save and Search CMP Enrollment Registrations.

Handler configuration in cmp.properties

The remaining task is to configure the PGW request handler which is to receive CMP requests with raVerified POP.

The handler must have the previously created token procedure as its configured handler.<n>.tokenprocedure. By setting the mode to one of the three modes mentioned above, determines what kind of POPs the handler accepts.

In either of the two ra modes either or both certificate pining or officer validation must be specified. Certificate pining is done with ramode.certs.<n> configuration, and officer validation is done with the ramode.officervalidation configuration. If neither configuration is set and a handler is in a ra mode then PGW will abort startup.

Parameters

CMP raVerified handler

CMP raVerified filter. The request url to match this handler.

handler.4.filter = ra

CMP raVerified format. Must be set to cmp.

handler.4.format = cmp

CMP token procedure.

handler.4.tokenprocedure = CMP Registration and Enroll Procedure

CMP raVerified mode.

CMP raVerified ramode certificate pinning. A list of RA signer certificates to use when validating incoming requests.

CMP raVerified officer validation. Defines if the requesting RA certificate should be forwarded to CF for officer validation.

 



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions