Cmp4j, A Simplified CMP Library for Java

Mar 19, 2019

I’ve done a fair bit of work with the CMP protocol, and the complexity of getting it to work has often caused issues. I recently had a reason to use the EJBCA PKI server again, and thought it’d be a great opportunity to write a simple CMP library for Java.

In its present state, the Cmp4j library will interface with, for example, EJBCA, and request public key certificates using the CMP protocol. Here’s an example of it in use:

  CmpServer server = new CmpServer(
  CmpRequest request = new CmpRequest(
          "CN=testCN, O=testOrg",
          "CN=test, O=test",
  byte[] nonce = {1, 1, 1, 1, 1, 1};
  byte[] transactionId = new byte[1];
  CmpProtectedRequest protectedRequest = new CmpProtectedRequest(
  CmpResponse cmpResponse = CmpSender.send(protectedRequest, server);
  CmpHelper.writePem("CERTIFICATE", cmpResponse.response);

So what’s this doing?

  1. It sets up a server definition for the EJBCA server (or other CMP definition).
  2. It creates a standard PKIMessage, a certificate request, the core of a CMP request.
  3. After creating a nonce and transaction ID, we protect the request using a shared secret.
  4. HTTP is used to connect to EJBCA and request the certificate.
  5. Finally, we grab the cert which we were sent by EJBCA and print out its PEM.
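
Step 3's shared-secret protection, sketched with only the JDK as an added example; this is not Cmp4j's code, and the class and method names are hypothetical. It assumes the password-based MAC of RFC 4210 with SHA-256 and HMAC-SHA256, uses constructed bytes in place of the DER-encoded header and body, and draws the nonce and transaction ID as 128 random bits each, as RFC 4210 recommends, instead of the fixed demo values above.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Cmp4j code: RFC 4210 password-based MAC using only the JDK.
public class CmpPbmSketch {
    private static final SecureRandom RNG = new SecureRandom();
    // RFC 4210 recommends 128 bits of (pseudo-)random data for senderNonce and transactionID.
    static byte[] randomBytes(int len) {
        byte[] out = new byte[len];
        RNG.nextBytes(out);
        return out;
    }

    // Key derivation: the OWF is applied iterationCount times, starting from (secret || salt).
    static byte[] deriveKey(byte[] secret, byte[] salt, int iterations) throws GeneralSecurityException {
        MessageDigest owf = MessageDigest.getInstance("SHA-256"); // assumed OWF
        byte[] k = new byte[secret.length + salt.length];
        System.arraycopy(secret, 0, k, 0, secret.length);
        System.arraycopy(salt, 0, k, secret.length, salt.length);
        for (int i = 0; i < iterations; i++) {
            k = owf.digest(k); // digest() also resets the MessageDigest for the next round
        }
        return k;
    }

    // The protection value is a MAC over the DER encoding of ProtectedPart (header + body).
    static byte[] protect(byte[] key, byte[] derProtectedPart) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256"); // assumed MAC algorithm
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(derProtectedPart);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = "constructed-shared-secret".getBytes(StandardCharsets.UTF_8);
        byte[] salt = randomBytes(16);
        byte[] senderNonce = randomBytes(16);
        byte[] transactionId = randomBytes(16);
        // Constructed placeholder bytes standing in for the DER-encoded header and body.
        byte[] protectedPart = "constructed DER(header||body)".getBytes(StandardCharsets.UTF_8);
        byte[] sent = protect(deriveKey(secret, salt, 10000), protectedPart);
        // The receiver recomputes the MAC from the same secret and compares in constant time.
        byte[] check = protect(deriveKey(secret, salt, 10000), protectedPart);
        System.out.println("MAC verifies: " + MessageDigest.isEqual(sent, check)
                + ", nonce bytes: " + senderNonce.length + ", transactionID bytes: " + transactionId.length);
    }
}
```

In a real exchange the salt, iteration count and algorithm identifiers travel in the message's PBMParameter structure, so the receiver derives the same key from the shared secret alone.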

You may notice that we’re not generating a keypair anywhere in this demo. The library will actually do it automatically if you don’t specify one, which is helpful for testing purposes, but you absolutely can specify a public key manually!

If you’re reading this and find it useful, let me know. There are plenty of features I could add, and pull requests are most welcome.
