EndEntityCertificate as CMP Authentication Modul

[pragya1998hal]

I am using CMP configuration

While creating alias I am using EndEntityCertificate as CMP Authentication Module.

At the time of sending certificate creation request through my program to EJBCA server I provided CA certificate (which I created through EJBCA in certificate authority section) in cert from extraCerts.

But I am getting error :

2024-12-03 03:34:19,863+0000 DEBUG [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (default task-1) Found cert with (transformed) DN: CN=TestCA
2024-12-03 03:34:19,863+0000 DEBUG [org.cesecore.certificates.ca.X509CAInfo] (default task-1) Using certificate with subject CN=TestCA, as trust anchor, removing from certlist if it is there
2024-12-03 03:34:19,865+0000 DEBUG [org.cesecore.certificates.ca.X509CAInfo] (default task-1) Using certificate with subject CN=TestCA, as trust anchor, removing from certlist if it is there
2024-12-03 03:34:19,865+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-1) The certificate chain attached to the PKIMessage in the extraCert field is not valid - No certificate found matching targetConstraints.: SubjectDN=CN=TestCA
2024-12-03 03:34:19,865+0000 WARN [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-1) CertPathBuilderException: java.security.cert.CertPathBuilderException: No certificate found matching targetConstraints.

Can u help me in solving the issue or can you guide me how I can generate certificate by using EndEntityCertificate as CMP Authentication Module.

[pragya1998hal]

??

[primetomas]

What does the ?? mean?

See:
https://docs.keyfactor.com/ejbca/latest/cmp-client-support

[pragya1998hal]

Hello sir,

I am using CMP configuration

In the document : https://docs.keyfactor.com/ejbca/8.3.1/3gpp-cmp-operations

Vendor Certificate Mode check is available but in my configuration, I am not getting any check related to Vendor Certificate Mode. Can u help me how I can get Vendor Certificate Mode in My configuration I am using keyfactor/ejbca-ce:8.3.1. My screenshot:

[primetomas]

Vendor certificate mode is an Enterprise feature. It is marked here:
https://docs.keyfactor.com/ejbca/8.3.1/cmp#id-(8.3.1latest)CMP-VendorCAAuthenticationVendor_CA_Authentication
and here: https://docs.keyfactor.com/ejbca/8.3.1/using-cmp-with-3gpp

I see it's not marked as that on the 3GPP page, very sorry for that. We will fix the documentation markup.

[pragya1998hal]

Ok sir

Sir as I want to build initial trust by using EndEntityCertificate as CMP Authentication Module. So is it possible without Enterprise feature or not?

[primetomas]

Yes, but not with Vendor certificates.

[pragya1998hal]

I approach I followed is:

Steps I followed to Build Initial Trust with EndEntityCertificate

1.Create the End-Entity Certificate
• In EJBCA:
o Create an end entity under the End Entities section.
o Configure the end entity with:
 A username and password.
 An appropriate end entity profile (matching the CMP alias requirements).
 A certificate profile (allowing the desired usages like authentication).
o Issue the certificate, signed by the trusted CA in EJBCA.
• Download the certificate (along with its private key) for use in your CMP client program.
2.Configure the CMP Alias in EJBCA
• Go to CMP Configuration in EJBCA and select the CMP alias you are using.
• Set the CMP Authentication Module to EndEntityCertificate.
• Add the issuing CA certificate (the trusted CA) to the Default CA section in the alias.
3.Build and Sign the CMP Request
• In our program:
o Use the private key of the end-entity certificate to sign the CMP request (PKIMessage).
o Include the end-entity certificate in the extraCerts field of the CMP message.
4.Send the CMP Request
• When the CMP request is sent to EJBCA, the server validates the authentication by:
o Checking the extraCerts field for the end-entity certificate.
o Verifying the certificate against the trusted CA chain.
o Ensuring the request is signed using the corresponding private key.
5.EJBCA Validation Process
• EJBCA verifies:
o The end-entity certificate is issued by a trusted CA.
o The certificate matches a user in the EJBCA database.
o The certificate is valid (e.g., not expired or revoked).
• If the validation passes, the request is processed.
Key Points
• The end-entity certificate must match the user in EJBCA, and the CA that issued the certificate must be configured as a trusted CA in the CMP alias.
• The private key corresponding to the end-entity certificate is critical for signing the CMP request.
• The extraCerts field in the CMP message is used to send the end-entity certificate for validation.
This process ensures mutual trust between your client and the EJBCA server, enabling secure communication and operations like certificate issuance, revocation, and renewal.

Can you please verify is my approach correct or do I need to configure anything else

[primetomas]

This works for CMP in RA mode. You also need to configure the signing certificate with an appropriate role that has the correct access rights to issue new certificates.

[primetomas]

Renewal is a different topic. There are plenty of examples of this as well, for example using "openssl cmp".

[pragya1998hal]

Currently I am working on Client Mode. Sir can you please confirm it will work for Client mode or not. If it will work, do I need to configure anything else

[primetomas]

For client mode that is not Vendor certificate authenticated it doesn't make much sense. Initial enrollment is typically used for that, enrollment for entities that do not have a certificate already. The exception being externally issued Vendor certificates as defined in 3GPP (and re-used by some other models like Matter).
https://docs.keyfactor.com/ejbca/latest/cmp#id-(9.1.1)CMP-ClientModeforCMPClient_mode_for_CMP
https://docs.keyfactor.com/ejbca/latest/create-cas-for-matter-iot

[primetomas]

You can also see this: https://docs.keyfactor.com/ejbca/latest/cmp-operations-guide#id-(9.1.1)CMPOperationsGuide-EnrollinginClientMode,ClientCertificateAuthentication

Renewal works for client mode, but then the entity needs an initial certificate issued first.
https://docs.keyfactor.com/ejbca/latest/cmp#id-(9.1.1)CMP-KeyUpdateRequest(kur)Key_Update_Request

[pragya1998hal]

Ok sir. Thankyou sir four guidance