GM/T 0089-2020 English PDF (GMT0089-2020)
List price: $320.00 USD. Discounted price: $320.00 USD.
GM/T 0089-2020: Simple certificate enrollment protocol specification
GM/T 0089-2020
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Simple certificate enrollment protocol specification
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations ... 6
5 SCEP function ... 7
5.1 SCEP entities ... 7
5.2 Client certification ... 9
5.3 Enrollment certification ... 9
5.4 CA/RA certificate distribution ... 10
5.5 Certificate enrollment ... 10
5.6 Certificate query ... 13
5.7 CRL query ... 14
5.8 Certificate revocation ... 14
6 SCEP security message object ... 15
6.1 Overview ... 15
6.2 SCEP message ... 15
6.3 SCEP message type ... 18
6.4 Simplified SignedData data type ... 21
7 SCEP transaction ... 21
7.1 Obtain a CA certificate ... 21
7.2 Certificate enrollment ... 22
7.3 Certificate polling ... 22
7.4 Certificate query ... 23
7.5 CRL query ... 24
7.6 Obtain the next CA certificate ... 24
8 SCEP transmission protocol ... 25
8.1 HTTP message format ... 25
8.2 SCEP message ... 25
Appendix A (Normative) GetCACaps message ... 29
Bibliography ... 30
Simple certificate enrollment protocol specification
1 Scope
This document defines a simple protocol for certificate enrollment using the
SM2 algorithm.
This document applies to guiding the development of digital certificate
authentication systems that provide automatic certificate enrollment, and to
the use of the SM2 algorithm for automatic enrollment of device certificates.
2 Normative references
The contents of the following documents, through normative references in this
text, constitute indispensable provisions of this document. Among them, for
dated references, only the edition corresponding to that date applies to this
document. For undated references, the latest edition (including all amendments)
applies to this document.
GB/T 20518-2018 Information security technology - Public key infrastructure - Digital certificate format
GB/T 32918 (all parts) Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
GB/T 35275-2017 Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GM/T 0092 Specification of certificate request syntax based on SM2 cryptographic algorithm
GM/Z 4001 Cryptology Terminology
3 Terms and definitions
The terms and definitions defined by GM/Z 4001 and the following ones apply
to this document.
3.1
Client
The device which applies for certificate service.
The client shall take reliable measures to protect the integrity of this information.
The client can maintain multiple independent configurations applicable to
multiple CAs. These configurations do not affect the protocol operation.
5.1.3 CA
The CA is the entity that issues the client certificate. The name of the CA shall
appear in the issuer field of the generated certificate.
Before any PKI operation takes place, the CA shall obtain a CA certificate that
conforms to GB/T 20518-2018. This may be a CA certificate issued by a
higher-level CA.
The client shall obtain the CA certificate through the request message for
obtaining a CA certificate in 7.1.1, and shall use the certificate hash value to
authenticate the CA certificate carried in the corresponding response message.
The CA shall respond to certificate query requests online or provide certificate
query results through LDAP.
The CA may implement any policy and apply it to authenticate or deny client
requests. If the server has already issued a certificate for the client and that
certificate is still valid, the server may return the certificate previously
created for the client.
If the client enters a timeout state after polling a pending transaction, it shall
resynchronize by sending a request with the same certificate enrollment
transaction name, key and transaction ID to the server. The CA shall return the
status of the certificate enrollment transaction, including any issued
certificate. The CA shall not create a new transaction unless the enrolled
certificate has been revoked or its validity period has expired.
5.1.4 RA
An RA is a kind of SCEP server. It performs authentication and authorization
checks on SCEP clients and forwards the certificate request to the CA. The name
of the RA shall not appear in the issuer field of the generated certificate.
When an RA returns certificates through the CA certificate response message in
7.1.2, it shall return both the RA certificate and the CA certificate. The
presence of an RA certificate in this response indicates that the client is
making certificate-related requests to the CA through an RA. In the subsequent
secure communication, the client shall treat this RA as the server it
communicates with.
5.4 CA/RA certificate distribution
If the client has not previously obtained a CA/RA certificate, it shall request
one before starting any PKI operation.
After the client obtains the CA certificate, it shall use the hash algorithm to
compute the hash value of the received CA certificate (and of the RA certificate,
if one is included). If the client has no certificate path to a trust anchor, it
authenticates the CA certificate by comparing this hash value with the value
obtained from local configuration through an out-of-band channel.
Because no public keys have yet been exchanged between the client and the
CA/RA, these messages cannot be protected using the syntax of GB/T 35275, and
the data is transmitted in plaintext.
If an RA is in use, a digital envelope in the SignedData type of GB/T 35275 is
returned. The envelope contains either the RA and CA certificates or only the
CA certificate itself; the transmission protocol shall specify which one is
returned.
Because the query may take a long time to travel from the client to the CA/RA,
and the RA certificate may change at any time, it is recommended that the client
not store the RA certificate but instead retrieve the CA/RA certificate before
each operation.
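The fingerprint check in 5.4 is the only thing standing between the client and a forged CA certificate while the exchange is still in plaintext, so it is worth seeing the decision logic written out. The following Python is an added illustration, not code from the standard or from any SCEP implementation. It assumes a placeholder byte string in place of a real DER certificate, a caller-supplied flag for "the client already has a path to a trust anchor" (path validation itself is not implemented), and sha256 as the default digest only so that it runs on every Python build; the excerpt says only "the hash algorithm", and hashlib exposes "sm3" solely where the underlying OpenSSL provides it.

```python
"""Out-of-band fingerprint check for a CA certificate received in plaintext (5.4).

Constructed example: the certificate is a placeholder byte string, not real DER.
"""
import hashlib
import hmac
from typing import Optional

# Assumption: GM/T 0089-2020 says only "the hash algorithm" in this excerpt. hashlib
# offers "sm3" only when the underlying OpenSSL build does, so sha256 is the default
# here purely so that the example runs everywhere; pass hash_name="sm3" if available.
DEFAULT_HASH = "sha256"


def certificate_fingerprint(cert_der: bytes, hash_name: str = DEFAULT_HASH) -> str:
    """Lowercase hex digest of the certificate bytes exactly as received."""
    return hashlib.new(hash_name, cert_der).hexdigest()


def normalise_fingerprint(configured: str) -> str:
    """Accept the usual operator formats ("AB:CD", "ab cd", upper or lower case)."""
    return configured.replace(":", "").replace(" ", "").strip().lower()


def authenticate_ca_certificate(cert_der: bytes,
                                configured_fingerprint: Optional[str],
                                has_path_to_trust_anchor: bool = False,
                                hash_name: str = DEFAULT_HASH) -> bool:
    """Decide whether a CA certificate obtained over the plaintext exchange may be used.

    has_path_to_trust_anchor is assumed to come from the caller's own path validation
    (not implemented here). Without such a path, the only evidence is the comparison
    against the locally configured, out-of-band fingerprint, so a missing configured
    value must fail closed rather than trust whatever was received.
    """
    if has_path_to_trust_anchor:
        return True
    if not configured_fingerprint:
        return False
    expected = normalise_fingerprint(configured_fingerprint)
    computed = certificate_fingerprint(cert_der, hash_name)
    # compare_digest avoids a length- and content-dependent early exit.
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    cert = b"constructed placeholder, not a real DER certificate"
    print(certificate_fingerprint(cert))
    print(authenticate_ca_certificate(cert, certificate_fingerprint(cert)))  # True
    print(authenticate_ca_certificate(cert, "00" * 32))                       # False
    print(authenticate_ca_certificate(cert, None))                            # False
```

The same check applies to the RA certificate when the response carries one: hash each certificate as received and compare it against its own configured value; a client that only verifies the CA certificate has no basis for trusting the RA it then talks to.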
5.5 Certificate enrollment
The client creates a certificate request according to GM/T 0092 to start the
certificate enrollment transaction, encapsulates it according to GB/T 35275,
and sends it to the CA/RA.
If the automatic enrollment certification mode is used, the CA/RA returns a
request response message CertRep according to its policy, with the status set
to SUCCESS or FAILURE. For the definition of message types, see 6.2.2.3.
If the manual enrollment certification mode is used, the status of the CertRep
message returned by the CA/RA is set to PENDING. The client shall then enter
polling mode by periodically sending the certificate polling message GetCertInitial to
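The transaction rules in 5.1.3 and 5.5 (CertRep status values, polling while PENDING, and resynchronisation after a timeout that must not open a second transaction) fit in a small state model. The Python below is an added example, not code from the standard or from any SCEP product: the CA database is an in-memory dict keyed by transaction ID, the "certificate" is a placeholder byte string, and no SM2 signing or GB/T 35275 encapsulation is performed. The request method is named pkcs_req by analogy with SCEP usage; that name does not appear in the excerpt.

```python
"""Toy model of the SCEP enrollment transaction described in 5.1.3 and 5.5.

Constructed example: the CA database is an in-memory dict and the "certificate"
is a placeholder byte string; no SM2 signing or GB/T 35275 encapsulation is done.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SUCCESS, FAILURE, PENDING = "SUCCESS", "FAILURE", "PENDING"
CertRep = Tuple[str, Optional[bytes]]  # (status, certificate or None)


@dataclass
class Transaction:
    transaction_id: str
    subject: str
    public_key: bytes
    status: str = PENDING
    certificate: Optional[bytes] = None


class ToyCA:
    """Transactions are keyed by transaction ID so that a resynchronising client
    gets its existing transaction back instead of a new one (5.1.3)."""

    def __init__(self, manual_approval: bool) -> None:
        self.manual_approval = manual_approval
        self.transactions: Dict[str, Transaction] = {}
        self.issued = 0

    def _issue(self, tx: Transaction) -> None:
        self.issued += 1
        tx.status = SUCCESS
        tx.certificate = b"constructed-cert:" + tx.subject.encode() + b":%d" % self.issued

    def pkcs_req(self, transaction_id: str, subject: str, public_key: bytes) -> CertRep:
        """Handle an enrollment request (method name assumed, not from the excerpt)."""
        existing = self.transactions.get(transaction_id)
        if existing is not None:
            # Same transaction ID again: treat as resynchronisation. Reject if the
            # subject or key differ; otherwise report the stored status and cert.
            if existing.subject != subject or existing.public_key != public_key:
                return FAILURE, None
            return existing.status, existing.certificate
        tx = Transaction(transaction_id, subject, public_key)
        self.transactions[transaction_id] = tx
        if not self.manual_approval:       # automatic mode: decided immediately
            self._issue(tx)
        return tx.status, tx.certificate   # manual mode: PENDING until an operator acts

    def get_cert_initial(self, transaction_id: str) -> CertRep:
        """Answer a GetCertInitial poll for a pending transaction."""
        tx = self.transactions.get(transaction_id)
        return (FAILURE, None) if tx is None else (tx.status, tx.certificate)

    def operator_approves(self, transaction_id: str) -> None:
        self._issue(self.transactions[transaction_id])

    def revoke(self, transaction_id: str) -> None:
        """Only revocation (or expiry) lets the same ID start a new transaction."""
        self.transactions.pop(transaction_id, None)


class ToyClient:
    def __init__(self, ca: ToyCA, transaction_id: str, subject: str,
                 public_key: bytes, max_polls: int) -> None:
        self.ca, self.transaction_id = ca, transaction_id
        self.subject, self.public_key, self.max_polls = subject, public_key, max_polls

    def enroll(self) -> CertRep:
        """Send the request, then poll while PENDING; report TIMEOUT after max_polls."""
        status, cert = self.ca.pkcs_req(self.transaction_id, self.subject, self.public_key)
        polls = 0
        while status == PENDING and polls < self.max_polls:
            polls += 1                     # a real client would sleep between polls
            status, cert = self.ca.get_cert_initial(self.transaction_id)
        return ("TIMEOUT", None) if status == PENDING else (status, cert)

    def resynchronize(self) -> CertRep:
        """5.1.3: after a timeout, resend with the same subject, key and transaction ID."""
        return self.ca.pkcs_req(self.transaction_id, self.subject, self.public_key)


if __name__ == "__main__":
    ca = ToyCA(manual_approval=True)
    client = ToyClient(ca, "tx-0001", "device-0001", b"constructed-public-key", max_polls=3)
    print(client.enroll())                   # ('TIMEOUT', None): still pending after 3 polls
    ca.operator_approves("tx-0001")
    print(client.resynchronize())            # ('SUCCESS', b'constructed-cert:device-0001:1')
    print(len(ca.transactions), ca.issued)   # 1 1
```

The point to notice is the server side: a second request carrying a known transaction ID is answered from the stored transaction, so a client that times out and retries never causes a duplicate issuance, while a retry with a different key or subject under the same ID is refused rather than silently re-bound.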