Crypto CMP Policy

About this task

Certificate Management Protocol (CMP) is an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP.

Using CMP, a device can communicate with a CMP-capable CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP-capable CA server. The device can initiate a request to obtain certificates from the server, and it can also automatically update certificates that are about to expire.

The CMP client on the controller, service platform or access point sends a request to the configured CMS CA server. Once the certificate is validated and confirmed by the CA server, it is saved on the device and becomes part of the trustpoint. During creation of the CMP policy, the trustpoint is assigned a name and client information. An administrator can use a manually created trustpoint for one service (such as HTTPS) and the CMP-generated trustpoint for RADIUS EAP certificate-based authentication.

To review, create or edit a Crypto CMP policy:

Procedure

  1. Select Configuration → Network → Crypto CMP Policy.
    The Crypto CMP Policy screen lists the policy configuration defined thus far.
  2. Select Add to create a new Crypto CMP policy, Edit to modify the attributes of a selected policy, or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or renamed as needed.
    Crypto CMP Policy Creation Screen
  3. If creating a new Crypto CMP policy, assign it a Name of up to 31 characters to help distinguish it.
  4. Set the Certificate Renewal Timeout period, which triggers a new certificate renewal request to the dedicated CMP server resource. The range is 1-60 days; the default is 14 days.
    Certificate expiration is checked once a day. When a certificate is about to expire, a renewal is initiated with the server via an existing IPsec tunnel. If the tunnel is not established, the CMP renewal request is not sent. If a renewal succeeds, the newly obtained certificate overwrites the existing certificate. If the renewal fails, an error is logged.
  5. Select Certificate Update to update the renewal data of the certificate. This setting is enabled by default.
  6. Select Certificate Validate to automatically validate the cross certificate against the factory certificate.
  7. Select Auto-gen Unique ID to prepend the device's auto-generated unique ID to the subject and sender fields.
  8. Set the Certificate Key Size value in the range 2048-4096 bits. The default is 2048 bits. The larger the key size, the more secure the certificate, at the cost of slower key generation and signing.
  9. Use the Hash Algorithm drop-down menu to set the hashing algorithm to sha1, sha256, sha384 or sha512. A hashing algorithm is a mathematical function that converts an input of arbitrary length to a fixed-length digest, much smaller than the original input. Hashing algorithms are used to sign digital certificates. The hash algorithm configured here is sent to the CA server in the certification request (new or renewal), and the CA uses it to sign the digital certificate. The default setting is sha1.
    The sha256, sha384 and sha512 hash functions belong to the SHA-2 family of algorithms. SHA-1 is no longer considered acceptable for certificate signatures, so select a SHA-2 algorithm unless the CA requires sha1.
  10. Select + Add Row and define the following CMS Server Configuration settings for the server resource:
    Enable: Use the drop-down menu to set the CMS server as either the Primary (first choice) or Secondary (fallback) CMP server resource.
    IP: Define the IP address of the CMP CA server managing digital certificate requests. CMP certificates are encrypted with the CA's public key and transmitted to the defined IP destination over a typical HTTP or TLS session.
    Path: Provide the complete path to the CMP CA's trustpoint.
    Port: Provide the CMP CA port number.
  11. Set the following Trust Points settings. Use the + Add Row button to add a row to this table. The trustpoint is used for the various services specifically configured on the controller, service platform or access point.
    Name: Enter a name of up to 32 characters for the target trustpoint. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate. This field is mandatory.
    Subject Name: Provide a subject name of up to 512 characters for the certificate template. This field is mandatory.
    Reference ID: Set the user reference value for the CMP CA trustpoint message. The range is 0-256. This field is mandatory.
    Secret: Specify the secret used for trustpoint authentication with the designated CMP server resource.
    Sender Name: Enter a sender name of up to 512 characters for the trustpoint request. This field is mandatory.
    Recipient Name: Enter a recipient name of up to 512 characters for the trustpoint request.
  12. Set the following Subject Alt Name settings:
    SAN Type: Use the drop-down menu to set the Subject Alt Name type as either IP Address, Distinguished Name, Email, String, or FQDN. This field is mandatory.
    SAN Value: Provide a Subject Alt Name value of up to 128 characters for the certificate template. The value provided depends on the Subject Alt Name type selected. This field is mandatory.
  13. Select OK to save the updates to the Crypto CMP policy, Reset to revert to the last saved configuration, or Exit to close the screen.
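As an added example (not part of the vendor documentation or the device firmware), the Python sketch below shows how the fields entered in steps 4 and 10 to 12 correspond to an RFC 4210 CMP enrollment and renewal as performed by the OpenSSL 3.x `openssl cmp` client, and mirrors the daily renewal decision described in step 4. The server address, path, reference ID, secret, names and file names are constructed placeholders, and treating the Reference ID as the CMP senderKID is an assumption.

```python
"""Added illustration (not vendor code): how the Crypto CMP policy fields map onto an
RFC 4210 CMP client run via OpenSSL 3.x 'openssl cmp'. All values are placeholders."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CmpPolicy:
    server_ip: str          # CMS Server Configuration: IP
    port: int               # CMS Server Configuration: Port
    path: str               # CMS Server Configuration: Path
    reference_id: str       # Trust Point: Reference ID (assumed to be the CMP senderKID)
    secret: str             # Trust Point: Secret (shared secret for PBM protection)
    subject: str            # Trust Point: Subject Name (also used as message sender)
    recipient: str          # Trust Point: Recipient Name
    san: str                # Subject Alt Name; openssl infers IP/email/URI/DNS type
    key_bits: int = 2048    # Certificate Key Size, 2048-4096
    digest: str = "sha256"  # Hash Algorithm for the request and its protection
    renew_days: int = 14    # Certificate Renewal Timeout, 1-60 days

def keygen_argv(p, keyfile):
    """'openssl cmp' enrols an existing key file, so the RSA key is generated first."""
    return ["openssl", "genpkey", "-algorithm", "RSA",
            "-pkeyopt", f"rsa_keygen_bits:{p.key_bits}", "-out", keyfile]

def cmp_argv(p, cmd, keyfile, certout, oldcert=None):
    """argv for an initial request ('ir') or a key update, i.e. renewal ('kur').
    ca-chain.pem is a placeholder trust anchor file for checking the CA's responses."""
    argv = ["openssl", "cmp", "-cmd", cmd, "-server", f"{p.server_ip}:{p.port}",
            "-path", p.path, "-ref", p.reference_id, "-secret", f"pass:{p.secret}",
            "-digest", p.digest, "-subject", p.subject, "-recipient", p.recipient,
            "-sans", p.san, "-newkey", keyfile, "-certout", certout,
            "-trusted", "ca-chain.pem"]
    if cmd == "kur":
        argv += ["-oldcert", oldcert]        # the certificate being renewed
    return argv

def plan_daily_check(p, now_iso, not_after_iso, tunnel_up):
    """Daily check: renew inside the timeout window, but only while the IPsec tunnel
    is up. Returns (action, argv); argv is None when no request is sent."""
    left = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)
    if left > timedelta(days=p.renew_days):
        return "wait", None
    if not tunnel_up:
        return "defer", None                 # request not sent this cycle
    return "kur", cmp_argv(p, "kur", "new.key", "new.crt", oldcert="current.crt")

EXAMPLE = CmpPolicy("192.0.2.10", 8080, "/pkix/", "1001", "constructed-secret",
                    "/CN=ap1.example.test", "/CN=Example CMP CA", "ap1.example.test")
if __name__ == "__main__":  # initial enrolment; needs OpenSSL 3.x and a reachable CA
    subprocess.run(keygen_argv(EXAMPLE, "new.key"), check=True)
    subprocess.run(cmp_argv(EXAMPLE, "ir", "new.key", "new.crt"), check=True)
```

The renewal argv returned by `plan_daily_check` is run the same way as the initial request once the tunnel check passes.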