How to obtain
git clone https://github.com/mpeylo/cmpossl.git
How to build
CMPforOpenSSL is built exactly like vanilla OpenSSL. In particular, the usual tools like
make and a suitable C compiler are needed, plus a Perl 5 installation with the module
Text::Template for file management scripts. For more detail see the INSTALL file.
In a typical Linux shell (or Cygwin under Windows), issue the following commands.
./config
(add any options wanted/needed, such as Cygwin-x86 no-shared no-tests --debug)
For a Windows native build using the Microsoft Visual C/C++ compiler cl and related tools like nmake on the command line (cmd.exe), some environment variables like PATH need to be set. For instance, for a normal 32-bit build on a regular 32-bit Visual Studio version 14.0 installation, this can be achieved by invoking
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86
while for other architectures, replace the option x86 by any of
Apart from that, the build commands are very similar to the ones given above:
perl Configure VC-WIN32
(or use VC-WIN64A etc.; add any further options wanted/needed, such as
Building with OpenSSL 1.0.2
We made sure that the CMPforOpenSSL code also builds with OpenSSL 1.0.2 (LTS). Details on how to do this can be found on a separate page.
How to use
The latest version of the documentation for the openssl cmp app may be found here.
The repository contains a zip file that contains a convenient default configuration including the credentials the client needs for accessing the EJBCA test server. This file can also be downloaded directly.
Let's unpack it and enter the directory produced this way:
Typical use cases
In preparation for conveniently executing the following examples, let's set some shell environment variables:
- export PATH=../apps:$PATH — in case the openssl CLI is not installed, make it directly usable from the EJBCA_AWS directory
- export OPENSSL_CONF=cmp.cnf — prepare to use the given configuration; alternatively, give -config cmp.cnf as CLI argument to each invocation of
- if you need to use an HTTP proxy, you can set it in the configuration file or give it using the -proxy option on the command line (proxy not yet supported for TLS-protected HTTP transfer, CRL downloading, or OCSP)
Initially enroll a certificate
Let's first produce an ECC key:
openssl ecparam -genkey -name prime256v1 -out test.ECC256p.pem
Enroll a certificate for it (where the configuration for accessing the CA is held in suitable sections of
openssl cmp -section ECC -newkey test.ECC256p.pem -certout test.ECCcert.pem
Now we can inspect the newly enrolled certificate:
openssl x509 -noout -text -in test.ECCcert.pem
We can also enroll an RSA certificate (for which EJBCA requires using a different CA instance):
openssl genrsa -out test.RSA2048.pem 2048
openssl cmp -section RSA -newkey test.RSA2048.pem -certout test.RSAcert.pem
openssl x509 -noout -text -in test.RSAcert.pem
Enroll, update, and revoke a further certificate
As specified in the configuration, by default the key input file test.ECC256p.pem and the certificate output file test.cert.pem are used. The configuration file cmp.cnf contains pre-defined sections for performing various CMP commands.
- openssl cmp -section cr — enroll a further ECC certificate
- openssl cmp -section kur — update the ECC certificate
- openssl cmp -section rr — revoke the ECC certificate
When trying to update or revoke a certificate that has already been revoked, the CA will return an error message, which is displayed by the client.
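The initial enrollment above and the enroll/update/revoke sequence of this section, scripted end to end with the checks a practitioner would want after each step. This is an added example, not part of the cmpossl repository; it assumes the unpacked EJBCA_AWS directory as working directory, a cmp.cnf with the sections named on this page, an openssl binary with the cmp app in PATH, and that openssl cmp exits non-zero when the CA answers with an error.

```shell
#!/bin/sh
# Added example (not from the cmpossl README): drives the enrollment, update
# and revocation steps from the page and verifies each result.
# Assumptions: CWD is the unpacked EJBCA_AWS directory, cmp.cnf provides the
# sections ECC, cr, kur and rr, `openssl` (with the cmp app) is in PATH, and
# `openssl cmp` exits non-zero when the CA returns an error response.
set -eu

# Succeed only if the public key in CERT belongs to the private key in KEY
# (compares SHA-256 of both DER-encoded SubjectPublicKeyInfo structures).
pubkey_matches() {
    key_hash=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    cert_hash=$(openssl x509 -in "$2" -noout -pubkey \
                | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$key_hash" = "$cert_hash" ]
}

# Print the serial number of CERT as "serial=...".
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# Run one CMP command from a cmp.cnf section, naming the section on failure.
cmp_section() {
    section=$1; shift
    openssl cmp -section "$section" "$@" \
        || { echo "CMP command from section '$section' failed" >&2; return 1; }
}

run_workflow() {
    # Initial enrollment of a fresh ECC key, exactly as on this page.
    openssl ecparam -genkey -name prime256v1 -out test.ECC256p.pem
    cmp_section ECC -newkey test.ECC256p.pem -certout test.ECCcert.pem
    pubkey_matches test.ECC256p.pem test.ECCcert.pem \
        || { echo "enrolled certificate does not match the key" >&2; return 1; }

    # Further certificate: enroll (cr) into test.cert.pem, then update (kur);
    # the update must yield a certificate with a different serial number.
    cmp_section cr
    old_serial=$(cert_serial test.cert.pem)
    cmp_section kur
    [ "$(cert_serial test.cert.pem)" != "$old_serial" ] \
        || { echo "kur did not produce a new certificate" >&2; return 1; }

    # Revoke (rr); a second revocation must be rejected by the CA, and the
    # CA's error message is left visible on stderr as the client displays it.
    cmp_section rr
    if cmp_section rr; then
        echo "CA accepted revoking an already revoked certificate" >&2; return 1
    fi
    echo "enroll/update/revoke workflow completed"
}

# Only contact the server when explicitly asked: sh cmp_workflow.sh run
if [ "${1:-}" = run ]; then run_workflow; fi
```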
Options: use CRLs or OCSP for checking the server certificate
- openssl cmp -section crls — use CRLs in
- openssl cmp -section ocsp — use OCSP in
Note: HTTP Proxy support not yet available for CRL/OCSP options.
Option: use TLS for encrypting the channel to the server
- openssl cmp -section tls — use TLS in