News 01 Mar, 2022

Tech update – Security in mobile networks enabled with enterprise-grade PKI and 3GPP CMP profile

Mobile networks are part of our society’s critical infrastructure and as such the security requirements are high. The flexible and scalable PKI platform EJBCA Enterprise supports the 3GPP CMP profile for enrolling and managing certificates to telecom infrastructure components.

Being a critical part of our modern society, mobile networks have become a target for cyberattacks and must be properly secured to ensure availability and avoid eavesdropping. With 5G, the number of vendors and devices are quickly multiplying, leading to more complex security management. Mobile Network Operators (MNOs) have adopted a standard-based approach with 3GPP for the development and integration of solutions for digital identities for infrastructure components across the national and international networks.

3GPP makes use of Certificate Management Protocol (CMP) [RFC4210] in its Technical Specification 33.310 [ETSI-3GPP.33.310] for certificate enrollment and management in 3G, LTE, and 5G networks. The main purpose of using 3GPP CMP is to allow an eNodeB to automatically provision itself with an operator certificate from the MNO without the eNodeB manufacturer and the MNO sharing PKIs. This is done by the eNodeB using a vendor-issued certificate from the manufacturer’s PKI, to authenticate to the MNO upon installation, authorizing issuance of an operator certificate from the MNOs PKI. The operator certificate is then used to connect the eNodeB to the MNOs network. The model is highly reusable for other IoT use cases where devices from different manufacturers are used in a vendor’s IoT network.

Use EJBCA with the 3GPP CMP profile

The 3GPP CMP profile is supported by EJBCA Enterprise operating in Client mode. In this case, devices are in direct contact with EJBCA and each device has a corresponding end entity in EJBCA.

Additionally, there is an option to use EJBCA in RA mode, for indirect communication between EJBCA and the device via a third entity acting as an RA. In this case, the RA has a corresponding end entity in EJBCA and is given the necessary privileges to process CMP requests on behalf of the device.

EJBCA Enterprise offers many integration and automation possibilities and is proven with large-scale operators worldwide, in integration with eNodeBs, security gateways and other devices from multiple vendors, using standard protocols including CMP. EJBCA can be deployed as it suits your environment, as software or hardware appliances, or as SaaS or cloud-based PKI. For cost-effective deployment and secure alignment of policies, multiple tenants can be logically separated in one system. Automated operations, software deployment and configuration are possible, for example via Ansible playbooks and import and export of EJBCA configurations.

For more information

See our documentation for details on the 3GPP CMP solution with EJBCA.

Read the tech update on CMP support in EJBCA and Bouncy Castle.

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.
Confirm choices Accept all