Quick Start

David von Oheimb edited this page May 2, 2018 · 31 revisions

How to obtain

git clone https://github.com/mpeylo/cmpossl.git

How to build

CMPforOpenSSL is built exactly like vanilla OpenSSL. In particular, the usual tools like make and a suitable C compiler are needed, plus a Perl 5 installation with the module Text::Template for file management scripts. For more detail see the INSTALL file.

under Linux/Cygwin

In a typical Linux shell (or Cygwin under Windows), issue the following commands.

  • cd cmpossl
  • ./config (add any options wanted/needed, such as Cygwin-x86 no-shared no-tests --debug)
  • make
  • make install (optional)

under Windows

For a Windows native build using the Microsoft Visual C/C++ compiler cl and related tools like nmake on the command line (cmd.exe), some environment variables like PATH need to be set. For instance, for a normal 32-bit build on a regular 32-bit Visual Studio version 14.0 installation, this can be achieved by invoking

  • "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86

For other architectures, replace the option x86 by one of amd64, arm, x86_amd64, x86_arm, amd64_x86, or amd64_arm.

Optionally the Netwide Assembler nasm may be used for the more efficient crypto algorithm implementations. See also NOTES.WIN.

Apart from that, the build commands are very similar to the ones given above:

  • cd cmpossl
  • perl Configure VC-WIN32 (or use debug-VC-WIN32 or VC-WIN64A etc.; add any further options wanted/needed, such as no-shared, no-threads, and no-tests).
  • nmake
  • nmake install (optional)

with OpenSSL 1.0.2

We made sure that the CMPforOpenSSL code also builds with OpenSSL 1.0.2 (LTS). Details of how to do this can be found on a separate page.

How to use

The latest version of the documentation for the openssl cmp app may be found here.

with the EJBCA AWS instance test CA by PrimeKey

The repository contains a zip file with a convenient default configuration, including the credentials the client needs to access the EJBCA test server. This file can also be downloaded directly.

Let's unpack it and enter the directory produced this way:

  • unzip test/cmp-test/EJBCA_AWS.zip
  • cd EJBCA_AWS

Typical use cases

In preparation for conveniently executing the following examples, let's set some shell environment variables:

  • export PATH=../apps:$PATH — in case the openssl CLI is not installed, make it directly usable from the EJBCA_AWS directory
  • export OPENSSL_CONF=cmp.cnf — prepare to use the given configuration; alternatively, give -config cmp.cnf as a CLI argument to each invocation of openssl cmp
  • if you need an HTTP proxy, set it in the configuration file or give it with the -proxy option on the command line (proxy not yet supported for TLS-protected HTTP transfer, CRL downloading, or OCSP)

Initially enroll a certificate

Let's first produce an ECC key:

  • openssl ecparam -genkey -name prime256v1 -out test.ECC256p.pem

Enroll a certificate for it (where the configuration for accessing the CA is held in suitable sections of cmp.cnf):

  • openssl cmp -section ECC -newkey test.ECC256p.pem -certout test.ECCcert.pem

Now we can inspect the newly enrolled certificate:

  • openssl x509 -noout -text -in test.ECCcert.pem

We can also enroll an RSA certificate (for which EJBCA requires using a different CA instance):

  • openssl genrsa -out test.RSA2048.pem 2048
  • openssl cmp -section RSA -newkey test.RSA2048.pem -certout test.RSAcert.pem
  • openssl x509 -noout -text -in test.RSAcert.pem
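The enrollment steps above, wrapped in a small POSIX shell script that stops on the first failure and, after each enrollment, checks that the certificate returned by the CA actually carries the public key of the freshly generated private key. This is an added example, not a script from the cmpossl wiki or project; it assumes it is run from the unpacked EJBCA_AWS directory with cmp.cnf present and the openssl binary (including the cmp app) reachable through PATH as set up above. The -noout on ecparam, the function names and the --run flag are choices made here, not part of the page.

```shell
#!/bin/sh
# Added example (not from the cmpossl wiki or project): enroll an ECC and an
# RSA certificate as on the wiki page, then verify key/certificate consistency.
# Assumes: current directory is EJBCA_AWS, cmp.cnf is present, openssl cmp works.
set -eu

# Generate a private key; -noout keeps the EC PARAMETERS block out of the file.
gen_key() {
    alg=$1; out=$2
    case "$alg" in
        ECC) openssl ecparam -genkey -name prime256v1 -noout -out "$out" ;;
        RSA) openssl genrsa -out "$out" 2048 ;;
        *)   echo "unknown key type: $alg" >&2; return 2 ;;
    esac
}

# Return 0 only if the certificate in $2 carries the public key of the private key in $1.
# Both sides are compared as PEM SubjectPublicKeyInfo, so the check is algorithm-agnostic.
pubkey_match() {
    key=$1; cert=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Enroll via the named section of cmp.cnf (as on the wiki page) and verify the result.
enroll() {
    section=$1; key=$2; cert=$3
    openssl cmp -section "$section" -newkey "$key" -certout "$cert"
    if pubkey_match "$key" "$cert"; then
        echo "enrolled $cert matches $key"
    else
        echo "ERROR: $cert does not carry the public key of $key" >&2
        return 1
    fi
    openssl x509 -noout -subject -issuer -dates -in "$cert"
}

main() {
    export OPENSSL_CONF="${OPENSSL_CONF:-cmp.cnf}"
    gen_key ECC test.ECC256p.pem
    enroll ECC test.ECC256p.pem test.ECCcert.pem
    gen_key RSA test.RSA2048.pem
    enroll RSA test.RSA2048.pem test.RSAcert.pem
}

# Only talk to the CA when explicitly asked: sh enroll.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh enroll.sh --run` from the EJBCA_AWS directory. The pubkey_match step is the part worth keeping even in ad-hoc use: a CMP response can be well-formed and still contain a certificate for a different key (for example a stale certout file from an earlier run), and the x509 -text inspection alone does not reveal that.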

Enroll, update, and revoke a further certificate

As specified in the configuration, by default the key input file test.ECC256p.pem and the certificate output file test.cert.pem are used. The configuration file cmp.cnf contains pre-defined sections for performing various CMP commands.

  • openssl cmp -section cr — enroll a further ECC certificate
  • openssl cmp -section kur — update the ECC certificate
  • openssl cmp -section rr — revoke the ECC certificate

When trying to update or revoke a certificate that has already been revoked, the CA returns an error message, which the client displays.

Options: use CRLs or OCSP for checking the server certificate

  • openssl cmp -section crls — use CRLs in ir transaction
  • openssl cmp -section ocsp — use OCSP in ir transaction

Note: HTTP Proxy support not yet available for CRL/OCSP options.

Option: use TLS for encrypting the channel to the server

  • openssl cmp -section tls — use TLS in ir transaction