In a PKI, the device functions as an end entity. This section describes the end entity operations defined by CMPv2.
CMPv2 manages digital certificates for end entities, including initial request (IR), certificate request (CR), key update request (KUR), and polling.
IR is performed when an end entity applies for the first certificate from a certificate authority (CA).
The end entity can apply for a certificate manually in out-of-band mode or online by using CMP. The former method takes a long time, and the resulting certificate is difficult to update. Therefore, the device applies for a certificate online by using CMP.
Figure 1 shows how an end entity applies for the first certificate online by using CMP.
An end entity applies for the first certificate from a CA as follows:
During the preceding process, all packets transmitted between the end entity and the CA must be authenticated using either the end-entity-generated key pair or the supplier-provided certificate.
The device supports only authentication using the supplier-provided certificate.
The supplier-provided certificate is a digital certificate that uniquely identifies an end entity. It is issued by the supplier's CA. After a customer buys the end entity, the customer no longer uses the supplier-provided certificate for day-to-day operation. Instead, the customer applies for a new digital certificate from a trusted CA by sending an IR request as defined by CMPv2.
For security reasons, a key pair needs to be changed periodically. Each certificate has a validity period. When a certificate expires, it is revoked, and you must apply for a new one. The KUR function updates key pairs and certificates.
The key update request (KUR) interaction process is the same as the initial authentication process.
After receiving a request packet (an IR, CR, or KUR packet) from an end entity, a CA sends a reply packet with the PKI status set to Waiting if it cannot respond to the request immediately. The end entity then sends polling requests to check whether the certificate has been generated.
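The following simulation is an added example, not the device's or any vendor's code. It models both sides of the CMPv2 exchanges described above: the end entity sends an IR, CR, or KUR, the CA either issues the certificate at once or answers with PKI status Waiting, and the end entity then polls with pollReq until a final response arrives. The body-type tags and PKIStatus values are the numbers assigned in RFC 4210; everything else (the `CA` and `enroll` names, the JSON-serialised message bodies, the HMAC stand-in for signature-based message protection with the supplier-provided certificate, and the sample credential) is an assumption made for the example.

```python
"""Toy CMPv2 enrollment simulation: IR/CR/KUR, message protection, and polling.
Added example; not the device's or any vendor's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# PKIBody choice tags and PKIStatus values as numbered in RFC 4210.
IR, IP, CR, CP, KUR, KUP, ERROR, POLLREQ, POLLREP = 0, 1, 2, 3, 7, 8, 23, 25, 26
ACCEPTED, REJECTION, WAITING = 0, 2, 3
RESPONSE_FOR = {IR: IP, CR: CP, KUR: KUP}   # request type -> reply type


@dataclass
class PKIMessage:
    body_type: int
    body: dict
    sender: str
    protection: bytes = b""   # stand-in for the PKIProtection field


def _protect(body_type, body, key):
    # Assumption: a MAC keyed with the end entity's supplier-provided credential
    # stands in for the signature-based protection the device actually uses.
    data = json.dumps([body_type, body], sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


class CA:
    """Minimal CA: trusts a set of supplier credentials and may defer issuance."""

    def __init__(self, trusted, polls_before_ready=0):
        self.trusted = trusted            # sender name -> credential key
        self.delay = polls_before_ready   # how many pollReqs before the cert is ready
        self.pending = {}                 # certReqId -> (request type, polls remaining)
        self.serial = 0

    def _issue(self, sender):
        self.serial += 1
        return {"subject": sender, "serial": self.serial}

    def handle(self, msg):
        key = self.trusted.get(msg.sender)
        expected = _protect(msg.body_type, msg.body, key) if key else None
        if expected is None or not hmac.compare_digest(expected, msg.protection):
            # Unknown sender or tampered message: every CMP message must be authenticated.
            return PKIMessage(ERROR, {"status": REJECTION}, "ca")
        if msg.body_type in RESPONSE_FOR:
            req_id = msg.body["certReqId"]
            if self.delay == 0:
                return PKIMessage(RESPONSE_FOR[msg.body_type],
                                  {"status": ACCEPTED, "cert": self._issue(msg.sender)}, "ca")
            # Cannot answer now: record the request and tell the end entity to poll.
            self.pending[req_id] = (msg.body_type, self.delay)
            return PKIMessage(RESPONSE_FOR[msg.body_type],
                              {"status": WAITING, "certReqId": req_id, "checkAfter": 1}, "ca")
        if msg.body_type == POLLREQ:
            req_id = msg.body["certReqId"]
            req_type, left = self.pending[req_id]
            if left > 1:
                self.pending[req_id] = (req_type, left - 1)
                return PKIMessage(POLLREP, {"status": WAITING, "certReqId": req_id,
                                            "checkAfter": 1}, "ca")
            del self.pending[req_id]
            return PKIMessage(RESPONSE_FOR[req_type],
                              {"status": ACCEPTED, "cert": self._issue(msg.sender)}, "ca")
        return PKIMessage(ERROR, {"status": REJECTION}, "ca")


def enroll(ca, sender, key, req_type, max_polls=5):
    """End-entity side of IR, CR or KUR, polling while the CA reports Waiting.
    Returns (final status, certificate or None, list of reply body types seen)."""
    body = {"certReqId": 0, "publicKey": f"{sender}-pubkey"}   # constructed placeholder
    reply = ca.handle(PKIMessage(req_type, body, sender, _protect(req_type, body, key)))
    transcript = [reply.body_type]
    polls = 0
    while reply.body["status"] == WAITING and polls < max_polls:
        polls += 1
        poll = {"certReqId": reply.body["certReqId"]}
        reply = ca.handle(PKIMessage(POLLREQ, poll, sender, _protect(POLLREQ, poll, key)))
        transcript.append(reply.body_type)
    return reply.body["status"], reply.body.get("cert"), transcript


if __name__ == "__main__":
    cred = b"supplier-issued-credential"          # constructed sample credential
    ca = CA({"device-1": cred}, polls_before_ready=2)
    print("IR :", enroll(ca, "device-1", cred, IR))     # polls twice, then accepted
    print("KUR:", enroll(ca, "device-1", cred, KUR))    # same flow, new serial
    print("bad:", enroll(ca, "rogue", b"guess", IR))    # rejected: no trusted credential
```

Because the key update exchange is the same as the initial one, `enroll` is reused unchanged for KUR; only the request and response body types differ. The `max_polls` bound keeps a CA that never finishes from holding the end entity in an endless polling loop.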