DESCRIPTION
Certificate Management Protocol version 2 (CMPv2) is an Internet protocol used for obtaining X.509 digital certificates
- Defined in RFC 4210
- Updated by RFC 6712 (CMP over HTTP)
CMPv2 specifies the following features:
- Certificate enrollment
- Certificate update
- Revocation of the requester's own certificate
- Cross certification request
- Key pair recovery
CMPv2 support in ONAP consists of 2 components:
- CertService (server)
- CertService client
A single CertService (server) instance is expected to be deployed, and CertService client(s) are expected to be used as init containers within the Pods of certain ONAP bordering components
For testing/validation purposes an open source CMPv2 server (EJBCA) is provided.
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let's Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed certificates. It ensures certificates are valid and up to date, and attempts to renew certificates at a configured time before expiry.
Together with ONAP Honolulu, a plugin for Cert-Manager (officially called the CMPv2 external issuer) is deployed which extends Cert-Manager with the ability to enroll certificates using the CMPv2 protocol
DCAE collectors (VES, HV-VES (RTPM use case) and DFC (BulkPM use case)) and SDNC (NetConf over TLS use case) are able to acquire certificates from the CMPv2 server. The same CMPv2 message (Initialization Request (IR)) is currently used in ONAP both to obtain and to update a certificate. This is not in line with the RFC and will be addressed in the Istanbul release
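As an added illustration, not code from ONAP CertService, Cert-Manager or the CMPv2 external issuer, the Go program below stands in for the CA behind the CMPv2 server with a constructed self-signed CA, issues a leaf certificate for one DNS name, and then runs the checks a client should apply to an enrolled certificate before trusting it: chain to the trusted CA, hostname match, presence of the clientAuth extended key usage (ONAP components use the certificate for mutual TLS), and a renew-before window of the kind Cert-Manager applies. The CA, the component name dcae-ves-collector, the 90-day lifetime and the 30-day renewal window are assumptions; the CMPv2 message exchange itself is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a 128-bit random serial number, as a CA is expected to use.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA builds a constructed self-signed CA that stands in for the CA behind the
// CMPv2 server (EJBCA in the ONAP test setup). Assumption: 10-year CA lifetime.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert plays the CMPv2 server's role for this example: it signs a leaf
// certificate for one DNS name with both TLS EKUs, since ONAP components present
// the certificate as TLS server and as TLS client.
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyEnrolled is the check a client should run on a certificate it receives:
// chain to the trusted CA, validity at "now", the requested name, and clientAuth EKU.
func verifyEnrolled(leaf, ca *x509.Certificate, dnsName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now}); err != nil {
		return err
	}
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return nil
		}
	}
	return errors.New("certificate lacks the clientAuth extended key usage")
}

// needsRenewal applies a renew-before window: renewal is due once the remaining
// lifetime is no more than the window (and, trivially, once the cert has expired).
func needsRenewal(leaf *x509.Certificate, now time.Time, renewBefore time.Duration) bool {
	return !now.Before(leaf.NotAfter.Add(-renewBefore))
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	if err != nil {
		panic(err)
	}
	leaf, err := issueCert(ca, caKey, "dcae-ves-collector", now, now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("verify:", verifyEnrolled(leaf, ca, "dcae-ves-collector", now))
	fmt.Println("renew now?", needsRenewal(leaf, now, 30*24*time.Hour))
	fmt.Println("renew in 61 days?", needsRenewal(leaf, now.Add(61*24*time.Hour), 30*24*time.Hour))
}
```

The renewal rule is deliberately evaluated against a supplied clock rather than the wall clock so that the same function can be exercised for "now" and for a point inside the window; a client that only checks validity at enrollment time and never re-evaluates the window is exactly what an automated renewer such as Cert-Manager is meant to replace.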
ROADMAP - Use Case Evolution per Release
...