Siemens AG | SI DG EA-R&D | 2021-10
Unrestricted | © Siemens 2021 5
Technical realization RA/CA connection
Certificate enrollment between the devices and the RA is implemented with EST, published in [RFC7030], and is used in SICAM GridPass together with certificate-based mutual authentication.
The connection between the RA and the CA uses the CMP lightweight profile. CMP is published in [RFC4210] and CRMF in [RFC4211], followed by a document specifying a transfer mechanism for CMP messages over HTTP [RFC6712]. The lightweight profile narrows CMP down to a simpler subset of its many variants.
SICAM GridPass supports one variant for sending the CSR to the CMP server. The CSR from the RA to the CA, requesting an operational certificate, is transmitted over a certificate-based mutually authenticated HTTPS connection to the CMP server. Offline or plain HTTP transmission is not supported. Additionally, this CSR is signed with an RA client certificate that is trusted by the CA. For the RA to accept an operational certificate issued by the CA, the issuer of the CMP server certificate must also be trusted by the RA. No other variant is supported.
For the devices this is completely transparent, because the EST protocol is used in the same way as when SICAM GridPass acts as a combined RA/CA. Issuing certificates from an external CA is implemented both for automated certificate enrollment over EST and for manual certificate creation in the SICAM GridPass UI. A revocation request over the CMP protocol to the external CA is also supported.
Workflow
1. The device has a certificate, either imported manually or imprinted during the manufacturing phase, which is used for the mutually authenticated EST client connection to the SICAM GridPass RA.
a. Additionally, the device has imported and trusts the CA certificate that issued the SICAM GridPass RA EST server certificate.
b. Additionally, the SICAM GridPass RA has imported and trusts the CA certificate that issued the device's EST client certificate.
2. The device generates a public/private key pair and a Certificate Signing Request (CSR) to request a certificate, e.g. to secure the IEC 61850-8-1 MMS connection according to IEC 62351-4. The device signs the CSR, which includes the generated public key, with the generated private key.
3. The device connects to the SICAM GridPass RA over EST, a mutually authenticated TLS connection, and sends the signed CSR to the SICAM GridPass RA.
4. The SICAM GridPass RA checks the Proof of Possession (PoP) of the device private key by verifying the CSR signature.
5. The SICAM GridPass RA adds optional parameters to the CSR, then rebuilds and signs the request conforming to the CMP standard.
6. The SICAM GridPass RA connects to the CMP server of the external CA over HTTPS, a mutually authenticated TLS connection, and sends the SICAM GridPass signed CSR to the authenticated CMP server.
7. The CMP server forwards the CSR to the external CA, which signs it, resulting in a certificate.
8. The CMP server sends the certificate back to the SICAM GridPass RA over the HTTPS connection. Afterwards, the SICAM GridPass RA sends the certificate back to the device over the EST connection.
9. The device can use the certificate for the secured IEC 61850-8-1 connection.
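The following is an added, constructed simulation of the object-level checks in this workflow (steps 2, 4, 5, 7 and 9) and of the trust rule stated for the RA/CA connection above (a party accepts a certificate only if it can verify the signature of an issuer it already trusts). It is not SICAM GridPass code and not the CMP or EST protocol itself: the transports are left out, and the key algorithm (P-256), the subject names, the certificate lifetime and the extended key usage values the RA adds are all assumptions chosen here for illustration. It uses the Python `cryptography` package.

```python
"""Constructed model of the enrollment workflow (added example, not product code).

Assumptions not taken from the page: P-256 keys, the subject/SAN names, the
EKU values the RA adds in step 5, and the certificate lifetimes. EST and CMP
transport are not modelled; only what each party checks on the objects it
receives.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def device_generate_csr(common_name="IED-01"):
    """Step 2: the device creates a key pair and a CSR signed with the new
    private key; that signature is the proof of possession the RA checks."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(  # constructed SAN, assumption
            x509.SubjectAlternativeName([x509.DNSName(common_name.lower() + ".substation.example")]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(Encoding.DER)


def ra_check_pop(csr_der):
    """Step 4: verify the CSR signature with the public key carried inside
    the CSR itself. Returns the parsed CSR, or None when PoP fails."""
    csr = x509.load_der_x509_csr(csr_der)
    return csr if csr.is_signature_valid else None


def ra_augment_request(csr):
    """Step 5 (modelled): the RA chooses what goes into the request it forwards.
    The EKU values are an assumption for an IEC 62351-4 MMS endpoint."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH])
    return {"subject": csr.subject, "public_key": csr.public_key(), "san": san, "eku": eku}


def make_external_ca(name="Constructed External CA"):
    """Self-signed CA standing in for the external CA behind the CMP server."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def external_ca_issue(ca_key, ca_cert, request, days=365):
    """Step 7: the CA certifies the public key from the request; the device
    private key never leaves the device."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(request["subject"]).issuer_name(ca_cert.subject)
        .public_key(request["public_key"])
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(request["san"], critical=False)
        .add_extension(request["eku"], critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def device_accept_certificate(device_key, cert, trusted_ca_cert):
    """Step 9 sanity checks: the certificate must carry the device's own public
    key and must be signed by the CA the device already trusts."""
    if cert.public_key().public_numbers() != device_key.public_key().public_numbers():
        return False
    try:
        trusted_ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        return False
    return True


def tampered_csr(csr_der):
    """Flip the low byte of the ECDSA 's' value (last DER byte) to model a CSR
    whose signature no longer matches the embedded public key."""
    return csr_der[:-1] + bytes([csr_der[-1] ^ 0x01])


def run_workflow():
    """Run the simulated enrollment end to end and report the outcome."""
    ca_key, ca_cert = make_external_ca()
    device_key, csr_der = device_generate_csr()
    csr = ra_check_pop(csr_der)
    if csr is None:
        return {"pop_ok": False, "cert": None, "device_ok": False}
    cert = external_ca_issue(ca_key, ca_cert, ra_augment_request(csr))
    return {"pop_ok": True, "cert": cert,
            "device_ok": device_accept_certificate(device_key, cert, ca_cert)}


if __name__ == "__main__":
    print(run_workflow()["device_ok"])
```

Running the module prints `True`. The PoP check in `ra_check_pop` is the point of step 4: the RA never handles the device's private key, so the only evidence that the requester controls the key in the CSR is the CSR's own signature, and a request whose signature fails (as `tampered_csr` produces) is rejected before anything is forwarded to the CA. The device-side check mirrors the trust rule the section states for the RA: a certificate is accepted only if it carries the party's own key and chains to an issuer that party already trusts.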