EJBCA / ECA-6435

CMP Vendor mode: Ability to have different requestDN from VendorCert DN

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.11.1
    • Component/s: None
    • Labels:
      None

      Description

      The vendor certificate DN, which is assigned by the vendor, can map to the username of a registered end entity, so that Vendor certificate mode can authenticate the request.
      The CRMF request DN and the DN in the registered end entity can be something else, assigned by the operator.

      Work-flow:

      • Vendor issues the vendor certificate and puts it in the device.
      • Operator gets the device and registers an end entity with a username that can be extracted from the vendor certificate DN (extract username component in CMP alias).
      • Operator sets the operator-defined DN to be the DN of the registered end entity; this will be the DN of the issued operator certificate.
      • CMP request comes in, in CMP Vendor mode, authenticated using the vendor certificate, and the certificate is issued from the pre-registered end entity with the operator DN.

      See 3GPP spec sections "9.4.4 Vendor Base Station Certificate" and "9.4.8 Operator Base Station Certificate".
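
The work-flow above, modelled as an added Python example (not EJBCA code and not part of the ticket): the username is taken from the authenticated vendor certificate DN, and the issued subject DN comes from the pre-registered end entity rather than from the CRMF request. The function names, the choice of CN as the extracted component, the exactly-one-match rule and the sample DNs are assumptions, and the vendor certificate chain and CMP signature are assumed to have been verified already.

```python
# Added illustration; every name here is hypothetical, not an EJBCA API.

class VendorModeError(Exception):
    """Request cannot be mapped to a pre-registered end entity."""

def parse_dn(dn):
    """Split an RFC 4514-style DN string into (TYPE, value) pairs,
    honouring backslash escapes such as '\\,' inside a value.
    Multi-valued RDNs ('+') are not handled in this example."""
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":                  # trailing comma flushes the last RDN
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, sep, value = "".join(buf).partition("=")
            if not (sep and attr.strip() and value.strip()):
                raise ValueError("malformed DN: %r" % dn)
            pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    if buf:                              # DN ended on a dangling backslash
        raise ValueError("malformed DN: %r" % dn)
    return pairs

def resolve_vendor_request(vendor_cert_dn, crmf_request_dn, end_entities,
                           extract_component="CN"):
    """Return (username, subject DN to issue) for a vendor-mode request.
    Assumes the vendor certificate was already validated by the caller."""
    wanted = extract_component.upper()
    names = [v for a, v in parse_dn(vendor_cert_dn) if a == wanted]
    if len(names) != 1:                  # ambiguous or missing identity
        raise VendorModeError("vendor DN needs exactly one " + wanted)
    registered_dn = end_entities.get(names[0])
    if registered_dn is None:
        raise VendorModeError("no registered end entity for " + names[0])
    # Identity comes from the vendor certificate and the issued DN from the
    # operator's registration; crmf_request_dn decides neither of them.
    return names[0], registered_dn

# Constructed sample data: operator registry and a vendor-assigned DN.
END_ENTITIES = {"SN-00412": "CN=enb-site-17,O=Example Operator,C=SE"}
VENDOR_DN = "CN=SN-00412,O=Example Vendor\\, Inc.,C=US"
```

Keying the lookup on the vendor certificate means a device that presents a valid vendor certificate but was never registered by the operator is rejected, whatever DN it puts in the request.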

              People

              Assignee:
              anjakobs Andres Jakobs
              Reporter:
              tomas Tomas Gustavsson