Blog | G5 Cyber Security

CMP & Mobile Device Certificates

TL;DR

Yes, Certificate Management Protocol (CMP) can be used to issue certificates to mobile devices, but it’s more complex than using simpler protocols like SCEP. CMP offers greater security and control, making it suitable for enterprise deployments where those features are essential.

Issuing Certificates to Mobile Devices with CMP

  1. Understand the Basics of CMP: CMP is a protocol designed for managing Public Key Infrastructure (PKI) certificates. It allows clients to request, renew, and revoke certificates in a secure manner. Unlike SCEP, which often relies on HTTP, CMP uses more robust protocols like TLS.
  2. Choose a CMP Server: You’ll need a CMP server as part of your PKI infrastructure. Common options include:
    • Microsoft Certificate Services (MCS) – If you’re in a Windows environment.
    • EJBCA Community Edition or Enterprise Edition – A popular open-source option.
    • OpenSSL with CMP extensions – For more custom solutions.
  3. Configure the CMP Server: This is where things get technical. You’ll need to:
    • Define a Certificate Authority (CA) template suitable for mobile devices. Consider shorter validity periods and specific key usage flags (e.g., client authentication, digital signature).
    • Set up enrollment policies – Define who can request certificates and under what conditions.
    • Configure TLS settings – Ensure strong encryption is used for all CMP communications.
  4. Mobile Device Client Configuration: This is the most challenging part.
    • Native Support: Most mobile operating systems (iOS, Android) do not have native CMP client support. You’ll likely need a third-party application or SDK.
    • Third-Party Clients/SDKs: Several vendors offer libraries and applications that handle CMP communication for you. Research options carefully based on your platform and security requirements. Examples include solutions from Venafi, GlobalSign, and others.
    • Enrollment Process: The client application will need to:
      1. Generate a Certificate Signing Request (CSR).
      2. Communicate with the CMP server over TLS.
      3. Authenticate itself to the CA (using credentials or other methods).
      4. Receive and install the issued certificate.
  5. Security Considerations:
    • Mutual TLS Authentication: Implement mutual TLS authentication between the mobile device client and the CMP server to verify both identities.
    • Secure Key Storage: Ensure that private keys are stored securely on the mobile device (e.g., using hardware security modules or secure enclaves).
    • Enrollment Policy Enforcement: Strictly enforce enrollment policies to prevent unauthorized certificate issuance.
    • Revocation Checking: Implement a robust revocation checking mechanism (e.g., OCSP stapling) to ensure that revoked certificates are not used.
  6. Example Enrollment Request using OpenSSL (Conceptual): While you won’t directly run this on the mobile device, it illustrates the process. OpenSSL 3.0 and later include a CMP client (openssl cmp); the command below sends an existing PKCS#10 CSR to the CMP server over TLS, authenticates the initial request with a pre-shared reference/secret, checks the response against the CA certificate, and writes the issued certificate to device.crt. (Replace yourcmpserver:port, device-id and the secret with your own values; for mutual TLS add -tls_cert/-tls_key with the client’s TLS credentials.)
    openssl cmp -cmd p10cr -server yourcmpserver:port -tls_used -tls_trusted ca.pem -ref device-id -secret pass:enrollment-secret -csr request.pem -trusted ca.pem -certout device.crt
  7. Testing and Monitoring: Thoroughly test the entire enrollment process before deploying to production. Monitor CMP server logs for any errors or security issues.