According to TS 33.501, the use of mutual TLS for authentication of NFs requires compliance with clause 6.1.3c of TS 33.310 for the TLS client and TLS server certificate profiles, in addition to compliance with the TLS profile of clause 6.2a of TS 33.310.
The use of TLS certificates in 5G SBA is ubiquitous.
However, unlike the RAN, where automated certificate management is standardised on CMPv2, SBA has no standardised model and set of procedures for automated certificate management.
SBA also has no standardised protocol for managing the life cycle events of certificates, e.g., bootstrap, request, issue, enrolment, revocation, renewal, etc.
- The lack of standardisation has resulted in a number of bespoke methodologies and varying choices of certificate management protocol, which in turn gives an inconsistent model across deployments.
- Once network slicing and NPN are introduced in a service provider network, manual management of, or the lack of standardised life cycle procedures for, TLS certificates belonging to separate legal entities could further complicate the architecture.
All of the above have the potential to increase security risk and to impact the deployment and availability of operators' 5G SBA networks.
The RAN has benefitted from the standardisation of CMPv2 for automated eNodeB/gNodeB certificate management. The specification defines a bootstrap procedure in which the base station uses its vendor certificate to request an operator certificate, which is then used to set up IPsec/IKEv2 towards the SeGW. 5G SBA lies within the operator core network domain and could benefit from a study leading to the standardisation of an automated certificate management procedure, using a standardised protocol that is fit for purpose for the 5G Core Network.
The objectives of this study are to identify key issues, potential security and privacy requirements and solutions with respect to the following:
- Standardise the use of a single automated certificate management protocol and set of procedures for certificate life cycle events within intra-PLMN 5G SBA (i.e. to be used by all 5GC NFs, including NRF, SCP, SEPP, etc.).
- Study the impact of service mesh on certificate management within 5G SBA.
- Study which life cycle events of a certificate (e.g., enrolment, renewal, revocation (e.g., OCSP, CRLs), status monitoring) need to be covered.
- Study the relation between the certificate management life cycle and the NF management life cycle.
- Study, referencing at minimum the following principles:
  - Principles that are reusable when 5G SBA is deployed for NPN (standalone and PNI).
  - Principles standardised to support NFs performing mutual TLS in network slicing.
  - Principles standardised to support both intra-PLMN and inter-PLMN use, the latter referring to SEPP certificates on N32 interfaces and potential cross-certification considerations.
  - Principles involving the 'Chain of Trust' of Certificate Authority hierarchies.
  - Principles for the security of the CA's cryptographic private key.
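As an added illustration of two of the items above, the 'Chain of Trust' of CA hierarchies and revocation as a life cycle event, the following Go program is example code written for this page; it is not part of the study description nor of any 3GPP specification. It builds a two-tier operator PKI (root CA, 5GC issuing CA) and NF certificates, then performs the checks an NF's TLS stack makes on a peer during mutual TLS: path building from the peer's leaf through the presented issuer to the pinned operator root, the EKU for the peer's TLS role, the expected NF FQDN in subjectAltName for a server, and a CRL consulted only when it is fresh and signed by the issuer found in the verified chain. The NF FQDNs, CA names, validity periods and certificate fields are this example's own choices and are not a transcription of the TS 33.310 clause 6.1.3c profiles; OCSP is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template: pathLen >= 0 gives a CA allowed pathLen subordinate CAs below it (root 1, issuing CA 0);
// pathLen < 0 gives an NF end-entity cert: NF FQDN in subjectAltName, both TLS EKUs (an NF is both roles).
func template(name string, pathLen int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if pathLen >= 0 {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with the parent CA's key (nil parent: self-signed root) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}

// revoke has the issuing CA publish a CRL listing one certificate (the revocation life cycle event).
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, c *x509.Certificate) *x509.RevocationList {
	now := time.Now()
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: c.SerialNumber, RevocationTime: now}},
	}, ca, caKey))))
}

// VerifyPeer mirrors an NF's TLS stack: path from the leaf via the presented issuer to the pinned
// operator root, EKU for the peer's role, expected FQDN (servers only), then a CRL that only counts
// if it is fresh and signed by the issuer found in the verified chain (not merely by any CA).
func VerifyPeer(leaf, issuer, root *x509.Certificate, role x509.ExtKeyUsage, fqdn string, crl *x509.RevocationList) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuer)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		DNSName: fqdn, KeyUsages: []x509.ExtKeyUsage{role}})
	if err != nil || crl == nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale, NextUpdate %v", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%s revoked at %v", leaf.Subject.CommonName, e.RevocationTime)
		}
	}
	return nil
}

// Scenario: two-tier operator PKI, an unrelated CA and a CRL revoking the AMF. Reports whether the NRF
// accepts the AMF, rejects the unrelated-CA AMF, a client rejects the NRF under a wrong FQDN, and the NRF rejects the revoked AMF.
func Scenario() (accepted, foreignRejected, wrongNameRejected, revokedRejected bool) {
	const amf1 = "amf1.5gc.mnc001.mcc001.3gppnetwork.org" // constructed 3GPP-style NF FQDN
	root, rootKey := issue(template("Operator Root CA", 1), nil, nil)
	ca, caKey := issue(template("Operator 5GC Issuing CA", 0), root, rootKey)
	nrf, _ := issue(template("nrf.5gc.mnc001.mcc001.3gppnetwork.org", -1), ca, caKey)
	amf, _ := issue(template(amf1, -1), ca, caKey)
	other, otherKey := issue(template("Unrelated CA", 0), nil, nil)
	rogue, _ := issue(template(amf1, -1), other, otherKey) // right name, no path to the operator root
	accepted = VerifyPeer(amf, ca, root, x509.ExtKeyUsageClientAuth, "", nil) == nil
	foreignRejected = VerifyPeer(rogue, other, root, x509.ExtKeyUsageClientAuth, "", nil) != nil
	wrongNameRejected = VerifyPeer(nrf, ca, root, x509.ExtKeyUsageServerAuth, "nrf2.5gc.mnc001.mcc001.3gppnetwork.org", nil) != nil
	revokedRejected = VerifyPeer(amf, ca, root, x509.ExtKeyUsageClientAuth, "", revoke(ca, caKey, amf)) != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Running it with `go run` prints `true true true true`. The point for the study is where each input comes from: in a deployed SBA the leaf and issuer arrive in the TLS handshake, while the pinned operator root, the NF's own certificate and the CRL (or OCSP response) must be provisioned and refreshed by exactly the bootstrap, enrolment, renewal and revocation procedures that the objectives above ask to standardise; a CRL that is not checked for freshness or for the issuer's signature gives revocation no security value.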