An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
Improve the configurability of the cert status checking code (CRL use, OCSP, stapling) so that it no longer depends on global configuration variables but on flags and, potentially, further entries in the respective X509_STORE. New flags and further options are needed:
Supersede the legacy CLI options -crl_check and -crl_check_all, and replace the current options -crl_download, -ocsp_check_all, -ocsp_use_aia, and -ocsp_status by
Which allows configuring the checking individually for the following three levels: CMP, TLS, and the newly enrolled cert. The options -crls, -crl_timeout, -ocsp_url, and -ocsp_timeout should remain.
For instance: cmp -revcheck_cmp any:ocsp checks revocation via OCSP for those certs in the chain of the CMP server cert that carry AIA entries.