2025-10-08, Krakow / Business Value & Enterprise Adoption
The OpenSSL library implements the Certificate Management Protocol (CMP) [RFC 4210, together with the Lightweight CMP Profile of RFC 9483, among others],
and Bouncy Castle supports CMP and CRMF messages [RFCs 4210 and 4211].
At Siemens, both libraries interoperate via CMP for managing product certificates.
Among others, this is used by the CoreShield S2L2 Linux platform, which is also used in the Civil Infrastructure Platform.
In this talk I'm going to give technical insight into which features of the two libraries we use with CMP
and how they interoperate within the OSS components in end entities, registration authorities (RAs), and CAs.
Their interaction via CMP provides secure and flexible enrollment, update, and revocation of X.509 certificates,
both at the device level and for services and applications running on various platforms.
Currently, support for PQC (ML-DSA, SLH-DSA, and optionally ML-KEM) and for remote attestation is being added.
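As an added example (not code from the talk, from Siemens, or from either library), the script below drives the three CMP transactions named above, enrollment (ir), key update (kur) and revocation (rr), with the OpenSSL 3.x `openssl cmp` client against the mock server built into the same command (`-use_mock_srv`), so both sides of each exchange run in one process without any network. In a deployment like the one described, the peer would be an RA or CA built on Bouncy Castle instead of the mock; the messages are the same. Enrollment is MAC-protected with a shared secret (PBM, since the device has no certificate yet), while update and revocation are signature-protected with the certificate obtained in the preceding step, which is how the two protection modes are normally combined. The CA name, the device subject, the secret and all file names are made up for the demo; because the mock server does not sign certificates itself, the certificates it returns are pre-issued by a throw-away CA for the same keys.

```shell
#!/bin/sh
# Added example, not code from the talk or from OpenSSL/Bouncy Castle:
# X.509 certificate lifecycle over CMP with the OpenSSL 3.x CLI, using
# its built-in mock server (-use_mock_srv) as the RA/CA side.
#   1. ir  - initial enrollment, MAC (PBM) protection with a shared secret
#   2. kur - key update, signature protection with the enrolled cert/key
#   3. rr  - revocation of the updated cert, signature protection
# All names, subjects and the secret are constructed for the demo.
set -eu

SECRET=${CMP_DEMO_SECRET:-bootstrap-secret-0815}   # constructed shared secret
CMP_DEMO_DIR=$(mktemp -d)
CMP_DEMO_RESULT=""

cmp_available() {
    command -v openssl >/dev/null 2>&1 &&
        openssl list -commands 2>/dev/null | grep -qw cmp
}

# Constructed throw-away PKI. The mock server never signs anything: it
# returns whatever -rsp_cert names, so a certificate is pre-issued here
# for each device key. A real CA would certify the key from the request.
make_test_pki() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -noenc \
        -keyout ca.key -out ca.crt -subj "/CN=Mock CA" -days 30
    for n in 1 2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "dev$n.key"
        openssl req -new -key "dev$n.key" -subj "/CN=device-001" -out "dev$n.csr"
        openssl x509 -req -in "dev$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 30 -out "dev$n.crt"
    done
}

# Run one CMP transaction; OpenSSL's own diagnostics go to cmp.log.
cmp_step() {
    name=$1; shift
    if openssl cmp -config "" -use_mock_srv "$@" >>cmp.log 2>&1; then
        echo "$name: ok"
    else
        echo "$name: FAILED (see $CMP_DEMO_DIR/cmp.log)"
        return 1
    fi
}

cmp_lifecycle_demo() {
    if ! cmp_available; then
        CMP_DEMO_RESULT=SKIP; echo "SKIP: openssl with CMP support not found"; return 0
    fi
    cd "$CMP_DEMO_DIR"
    make_test_pki >/dev/null 2>&1

    # 1. Initial enrollment: client and mock RA/CA share a secret (PBM),
    #    the client has no certificate yet. -trusted validates the
    #    certificate that comes back; -rsp_cert is what the mock returns.
    cmp_step "ir (enrollment, PBM)" -cmd ir \
        -srv_ref mock-ca -srv_secret "pass:$SECRET" -rsp_cert dev1.crt \
        -ref device-001 -secret "pass:$SECRET" -recipient "/CN=Mock CA" \
        -subject "/CN=device-001" -newkey dev1.key -trusted ca.crt \
        -certout enrolled.crt

    # 2. Key update: the request is signed with the enrolled cert/key and
    #    carries a fresh key; the server side now signs with its own cert
    #    and validates the client against -srv_trusted.
    cmp_step "kur (key update, signature)" -cmd kur \
        -srv_cert ca.crt -srv_key ca.key -srv_trusted ca.crt -rsp_cert dev2.crt \
        -cert enrolled.crt -key dev1.key -newkey dev2.key -trusted ca.crt \
        -certout updated.crt

    # 3. Revocation of the updated certificate, signed with its own key.
    cmp_step "rr (revocation, signature)" -cmd rr \
        -srv_cert ca.crt -srv_key ca.key -srv_trusted ca.crt -rsp_cert dev2.crt \
        -cert updated.crt -key dev2.key -oldcert updated.crt -trusted ca.crt

    CMP_DEMO_RESULT=OK
    echo "OK: artifacts in $CMP_DEMO_DIR"
}

cmp_lifecycle_demo
```

Run it with OpenSSL 3.0 or later; it prints SKIP when `openssl cmp` is not available. The working directory it reports keeps the keys, the certificates obtained from each step and OpenSSL's own log lines, which show the message types exchanged (ir/ip, certConf/pkiConf, kur/kup, rr/rp) and which protection was verified.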
Insight into the interoperation of the OpenSSL and Bouncy Castle libraries for managing product-related public-key certificates using CMP. Driven by product development, security architecture, and business requirements, this typically spans end-to-end from devices, developed in C, via one or more RAs to a CA, usually developed in Java.
Computer scientist with a PhD from TU Munich on programming language semantics and theorem proving.
Senior consultant on IT security architecture and expert on PKI technologies at Siemens Foundational Technologies.
Lead on PKI component development, OpenSSL Committer, contributor to IETF standardization on X.509 topics.