



Using OpenSSL and Bouncy Castle for OT PKI solutions
The OpenSSL library implements the Certificate Management Protocol (CMP) [RFC 9483 etc.], and Bouncy Castle contains support for CMP and CRMF messages [RFCs 4210 and 4211]. At Siemens, both libraries interoperate by making use of CMP for managing product certificates. Among other things, this is used by the CoreShield S2L2 Linux platform, which is also applied in the Civil Infrastructure Platform. In this talk I'm going to give technical insight into which features of the two libraries we use with CMP, and how and in which OSS components they interoperate in end entities, registration authorities (RAs), and CAs. Their interaction via CMP provides secure and flexible enrollment, update, and revocation of X.509 certificates, both at the device level and for services and applications running on various platforms. Currently, support for PQC (ML-DSA, SLH-DSA, optionally ML-KEM) and remote attestation is being added.