In CA Gateway, you may need to define specifications for CMPv2 enrollment. A specification defines how CA Gateway processes CMPv2 requests from clients that do not adhere to the CMPv2 profile defined in TS-133-310.
You do not need to define a specification for the "standard" CMPv2 profile defined in TS-133-310: if the implementation field is not specified, TS-133-310 is used.
Under Cmpv2, the Customizations section allows you to define one or more custom specifications for CMPv2 enrollment.
The following table lists the test methods that you can exclude from validation (Excluded test settings).
To exclude a test from a specific operation only, precede the test name with the operation name (such as ir for Initialization Request or certConf for Certificate Confirmation). For example, ir.Protection.rejectPBM excludes the Protection.rejectPBM test from Initialization Request operations only; the bare name Protection.rejectPBM excludes it from every operation.
Test | Purpose
---|---
Message Validation |
Common.cmpVersion | Ensure a supported CMP version is provided, i.e. CMP version 2.
Common.headerRecipient | Ensure a recipient was provided in the request header and its value represents a DN.
Common.headerSender | Ensure a sender was provided in the request header and its value represents a DN.
Common.headerSenderKid | Ensure a senderKID was provided in the request header.
Common.recipientNonce | Ensure that all but the initial request in a transaction carry a recipient nonce, that it is at least 16 bytes long, and that it equals the sender nonce in the header of the previous response.
Common.requestType | Ensure the type is a known CMP type for the supported version and, if not the initial request in a transaction, that the request type is valid at this point in the transaction.
Common.senderNonce | Ensure the sender nonce is provided and is at least 16 bytes long.
Common.transactionId | Ensure all but the initial request in a transaction have a transaction ID.
RFC_4210.protectionAlgorithm | Ensure the protection algorithm defined in the response header is a valid protection algorithm for the supported specification. Only PBM (shared secret) and signature-based protection are currently supported.
RFC_4210.transactionId | Ensure the transaction ID is at least 16 bytes long and does not exceed a system-imposed limit of 1024 bytes.
TS_33_310.certControls | Ensure the OldCertId control is present.
TS_33_310.certRequestId | Ensure a certificate request ID is provided and its value is zero (0).
TS_33_310.proofOfPossession | Ensure proof of possession is provided, is signature based, and is valid.
TS_33_310.requestCount | Ensure an IR message contains one, and only one, certificate request.
TS_33_310.requestType | Ensure the request type is a known CMP type for the supported specification, such as IP, KUP, CERTCONF, or ERROR.
TS_33_310.statusCount | Ensure a CERTCONF message contains no more than one certificate status.
TS_33_310.templateExtensions | Ensure the subjectAltName extension contains a subject if one was not provided in the subject field of the certificate template.
TS_33_310.templateHostName | Ensure the certificate template contains a subject (either in the subject field or as a subjectAltName extension), that the subject is in the form of a DN, and that the common name portion of the DN is a correctly formatted DNS name.
TS_33_310.templatePublicKeyAlg | Ensure the algorithm used to generate the public key in the request is accepted by the server.
TS_33_310.templatePublicKeyLength | Ensure the length of the public key in the request meets the server-defined minimum.
TS_33_310.templateSubject | Ensure a subject name is provided in the certificate template. If no real value exists, the field must contain the NULL-DN.
TS_33_310.templateVersion | Ensure the template version is correct, i.e. if provided it must be two (2).
TS_33_310.transactionId | Ensure the transaction ID is at least 8 bytes long and does not exceed a system-imposed limit of 1024 bytes.
Protection Validation |
Protection.rejectPBM | Ensure Password Based MAC (PBM) protection of messages is not allowed (PBM-protected messages are rejected).
Protection.rejectUnprotected | Ensure unprotected messages are not allowed.
PasswordBasedMac.applyProtection | Ensure that the protection defined in the response header is applied to the response message.
PasswordBasedMac.checkApplyAlgorithm | Ensure the PBM protection algorithms defined in the response header are supported by the system.
PasswordBasedMac.checkVerifyAlgorithm | Ensure the PBM protection algorithms defined in the request header are supported by the system.
PasswordBasedMac.verifyProtection | Ensure that the protection defined in the request header was applied to the message and that it verifies correctly.
SignatureBased.applyProtection | Ensure that the protection defined in the response header is applied to the response message.
SignatureBased.checkApplyAlgorithm | Ensure the signature protection algorithm defined in the response header is supported by the system.
SignatureBased.checkVerifyAlgorithm | Ensure the signature protection algorithm defined in the request header is supported by the system.
SignatureBased.extraCertsPresent | Ensure the extraCerts field does not contain any certificates in follow-up messages of a transaction.
SignatureBased.verifyProtection | Ensure that the protection defined in the request header was applied to the message and that it verifies correctly.
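The following is an added example that models the exclusion semantics described above together with a handful of the table's checks (CMP version, sender and recipient nonce, transaction ID length, certReqId, and the two Protection.reject* tests). It is illustrative code written for this page, not CA Gateway's implementation; messages are simplified dictionaries rather than ASN.1 PKIMessage structures, the field names and the sample transaction are constructed, and the exact behaviour of CA Gateway's validator is assumed to match the table only in the ways shown.

```python
"""Model of CMPv2 request validation with per-operation test exclusions.

Added example, not CA Gateway code. A message is a plain dict with a subset
of PKIHeader/PKIBody fields (assumption); `prev` is the previous response in
the same transaction, or None for the initial request.
"""

MAX_TRANSACTION_ID_LEN = 1024   # system-imposed limit quoted in the table
MIN_NONCE_LEN = 16              # Common.senderNonce / Common.recipientNonce
MIN_TRANSACTION_ID_LEN = 8      # TS_33_310.transactionId


def is_excluded(test: str, operation: str, excluded: list[str]) -> bool:
    """A bare name ('Protection.rejectPBM') excludes the test for every
    operation; an operation-prefixed name ('ir.Protection.rejectPBM')
    excludes it for that operation only."""
    return test in excluded or f"{operation}.{test}" in excluded


# Each check returns None when it passes, or a reason string when it fails.
def cmp_version(msg, prev):
    return None if msg.get("pvno") == 2 else f"unsupported pvno {msg.get('pvno')}"


def sender_nonce(msg, prev):
    n = msg.get("senderNonce")
    if n is None:
        return "senderNonce missing"
    return None if len(n) >= MIN_NONCE_LEN else "senderNonce shorter than 16 bytes"


def recipient_nonce(msg, prev):
    if prev is None:                       # initial request: nothing to echo yet
        return None
    n = msg.get("recipNonce")
    if n is None or len(n) < MIN_NONCE_LEN:
        return "recipNonce missing or shorter than 16 bytes"
    if n != prev["senderNonce"]:           # must echo the previous response's nonce
        return "recipNonce does not match previous response's senderNonce"
    return None


def transaction_id(msg, prev):
    t = msg.get("transactionID")
    if t is None:
        return None if prev is None else "transactionID missing"
    if not MIN_TRANSACTION_ID_LEN <= len(t) <= MAX_TRANSACTION_ID_LEN:
        return f"transactionID length {len(t)} out of range"
    return None


def cert_request_id(msg, prev):
    if msg["body"] not in ("ir", "kur"):   # only certificate requests carry certReqId
        return None
    return None if msg.get("certReqId") == 0 else "certReqId must be 0"


def reject_pbm(msg, prev):
    return "PBM protection not allowed" if msg.get("protectionAlg") == "PBM" else None


def reject_unprotected(msg, prev):
    return "unprotected message not allowed" if msg.get("protectionAlg") is None else None


CHECKS = {
    "Common.cmpVersion": cmp_version,
    "Common.senderNonce": sender_nonce,
    "Common.recipientNonce": recipient_nonce,
    "TS_33_310.transactionId": transaction_id,
    "TS_33_310.certRequestId": cert_request_id,
    "Protection.rejectPBM": reject_pbm,
    "Protection.rejectUnprotected": reject_unprotected,
}


def validate(msg, prev, excluded):
    """Run every non-excluded check; return the list of failures (empty = accepted)."""
    op = msg["body"]
    failures = []
    for name, check in CHECKS.items():
        if is_excluded(name, op, excluded):
            continue
        reason = check(msg, prev)
        if reason:
            failures.append(f"{name}: {reason}")
    return failures


# Constructed sample transaction (not captured traffic): IR -> IP -> certConf.
TXID = b"\x11" * 16
IR = {"body": "ir", "pvno": 2, "transactionID": TXID, "certReqId": 0,
      "senderNonce": b"\xaa" * 16, "protectionAlg": "PBM"}
IP = {"body": "ip", "pvno": 2, "transactionID": TXID,
      "senderNonce": b"\xbb" * 16, "recipNonce": IR["senderNonce"],
      "protectionAlg": "Signature"}
CERTCONF_OK = {"body": "certConf", "pvno": 2, "transactionID": TXID,
               "senderNonce": b"\xcc" * 16, "recipNonce": IP["senderNonce"],
               "protectionAlg": "Signature"}
CERTCONF_PBM = dict(CERTCONF_OK, protectionAlg="PBM")
CERTCONF_BAD_NONCE = dict(CERTCONF_OK, recipNonce=b"\x00" * 16)

EXCLUDED = ["ir.Protection.rejectPBM"]    # tolerate PBM on the initial IR only

if __name__ == "__main__":
    for label, m, prev in [("IR", IR, None), ("certConf ok", CERTCONF_OK, IP),
                           ("certConf PBM", CERTCONF_PBM, IP),
                           ("certConf bad nonce", CERTCONF_BAD_NONCE, IP)]:
        print(label, validate(m, prev, EXCLUDED) or "accepted")
```

The point of the operation-scoped exclusion is visible in the sample run: with `ir.Protection.rejectPBM` excluded, a PBM-protected Initialization Request is accepted (a common bootstrap case where the client has only a shared secret), while the follow-up certConf is still rejected if it arrives PBM-protected instead of signed with the newly issued key. Scope exclusions as narrowly as the client actually needs; a bare `Protection.rejectPBM` would silently relax the check for the whole transaction.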