News 01 Mar, 2022

Tech update – Security in mobile networks enabled with enterprise-grade PKI and 3GPP CMP profile

Mobile networks are part of our society’s critical infrastructure and as such the security requirements are high. The flexible and scalable PKI platform EJBCA Enterprise supports the 3GPP CMP profile for enrolling and managing certificates to telecom infrastructure components.

Being a critical part of our modern society, mobile networks have become a target for cyberattacks and must be properly secured to ensure availability and avoid eavesdropping. With 5G, the number of vendors and devices is quickly multiplying, leading to more complex security management. Mobile Network Operators (MNOs) have adopted a standards-based approach with 3GPP for the development and integration of solutions for digital identities for infrastructure components across the national and international networks.

3GPP makes use of the Certificate Management Protocol (CMP) [RFC4210] in its Technical Specification 33.310 [ETSI-3GPP.33.310] for certificate enrollment and management in 3G, LTE, and 5G networks. The main purpose of using 3GPP CMP is to allow an eNodeB to automatically provision itself with an operator certificate from the MNO without the eNodeB manufacturer and the MNO sharing PKIs. To do this, the eNodeB uses a vendor-issued certificate from the manufacturer’s PKI to authenticate to the MNO upon installation, which authorizes issuance of an operator certificate from the MNO’s PKI. The operator certificate is then used to connect the eNodeB to the MNO’s network. The model is highly reusable for other IoT use cases where devices from different manufacturers are used in a vendor’s IoT network.
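The trust decision described above, modelled with the openssl command line as an added example (it is not EJBCA code and does not produce CMP messages): the operator side issues a certificate only if the presented vendor certificate chains to a trusted vendor root and the request is signed by the matching private key. The CA names, the device name `enb-001` and the helper functions are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not EJBCA code or CMP wire format: the vendor-certificate
# check behind 3GPP enrollment, modelled with openssl. All names are constructed.
d=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/o.cnf"
q() { "$@" >/dev/null 2>&1; }            # run quietly, keep the exit status

new_ca() {                               # new_ca NAME: self-signed root CA
  q openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$d/$1.key" -out "$d/$1.crt"
}
new_csr() {                              # new_csr NAME CN: fresh key + CSR
  q openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr"
}
sign_csr() {                             # sign_csr CA NAME: CA issues NAME.crt
  q openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.crt" -CAkey "$d/$1.key" \
    -CAcreateserial -days 30 -out "$d/$2.crt"
}
# Device side: new operator key + CSR, request signed with the vendor key.
request() {                              # request VENDOR_ID REQ
  new_csr "$2" enb-001 &&
  q openssl dgst -sha256 -sign "$d/$1.key" -out "$d/$2.sig" "$d/$2.csr"
}
# Operator side: chain to the trusted vendor root, then proof of key possession.
enroll() {                               # enroll VENDOR_ID REQ
  q openssl verify -CAfile "$d/vendor-root.crt" "$d/$1.crt" &&
  openssl x509 -in "$d/$1.crt" -noout -pubkey > "$d/$1.pub" 2>/dev/null &&
  q openssl dgst -sha256 -verify "$d/$1.pub" -signature "$d/$2.sig" "$d/$2.csr" &&
  sign_csr operator-ca "$2" && echo issued || echo rejected
}

for ca in vendor-root rogue-root operator-ca; do new_ca "$ca"; done
new_csr enb-vendor enb-001;  sign_csr vendor-root enb-vendor   # factory identity
new_csr fake-vendor enb-001; sign_csr rogue-root fake-vendor   # untrusted issuer
request enb-vendor enb-op;   echo "genuine device:      $(enroll enb-vendor enb-op)"
request fake-vendor fake-op; echo "unknown vendor root: $(enroll fake-vendor fake-op)"
# Genuine certificate presented, but the request was signed by another key.
request fake-vendor mix-op;  echo "cert without key:    $(enroll enb-vendor mix-op)"
```

The operator never needs the vendor's private keys or a shared PKI, only the vendor root certificate as a trust anchor; the third case shows that a copied vendor certificate without its private key is not enough to obtain an operator certificate.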

Use EJBCA with the 3GPP CMP profile

The 3GPP CMP profile is supported by EJBCA Enterprise operating in Client mode. In this case, devices are in direct contact with EJBCA and each device has a corresponding end entity in EJBCA.

Additionally, there is an option to use EJBCA in RA mode, for indirect communication between EJBCA and the device via a third entity acting as an RA. In this case, the RA has a corresponding end entity in EJBCA and is given the necessary privileges to process CMP requests on behalf of the device.

EJBCA Enterprise offers many integration and automation possibilities and is proven with large-scale operators worldwide, in integration with eNodeBs, security gateways and other devices from multiple vendors, using standard protocols including CMP. EJBCA can be deployed as it suits your environment, as software or hardware appliances, or as SaaS or cloud-based PKI. For cost-effective deployment and secure alignment of policies, multiple tenants can be logically separated in one system. Automated operations, software deployment and configuration are possible, for example via Ansible playbooks and import and export of EJBCA configurations.

For more information

See our documentation for details on the 3GPP CMP solution with EJBCA.

Read the tech update on CMP support in EJBCA and Bouncy Castle.