5G Service Based Architecture (SBA) is secured using X.509 certificates across the large number of SBA components and corresponding Network Functions (NFs). Virtualization and increased modularity of NFs has resulted in multi-vendor environments becoming more prevalent. It is now common for NFs to come from different vendors and for the cloud native environment in which they run to come from yet another vendor and for all of these to be independent of the Certificate Authority that is authoritative for the certificates used to secure communications. In such deployments, it is impractical to manage certificates manually. Automated Certificate Management Environment (ACME) [2] was defined specifically for automated certificate management and is particularly well suited for some scenarios. Infrastructure deployment such as NFs deployed on cloud native platforms often have built-in support for ACME, so it is a natural fit. Another important benefit of ACME is automated validation of authority to represent an identifier (i.e., to be authoritative for the resource for which the certificate is issued). This is particularly helpful for multi-vendor environments and in cross-carrier scenarios. Additional work is required to determine the feasibility of the use of ACME in 5G SBA.

The scope of this document is to identify key issues and study solutions addressed using ACME for automated certificate management in SBA. Areas of study include:

• Automated certificate management protocol and procedures for certificate life cycle events (i.e., enrolment, renewal, and revocation) within 5G SBA (i.e., to be used by operator CAs and all 5GC NFs including NRF, SCP, SEPP, etc.), including the following:
  • ACME transport and request/response messages for 5G SBA use cases
  • ACME certificate profiles for all 5G SBA entities
• Mechanisms for establishing initial trust and chain of trust of Certificate Authority hierarchies, including the following:
  • Existing ACME challenge types and if any new challenge types are needed for 3GPP use cases:
    • Creation, deletion, rotation, revocation and storage of the certificates
  • Ability to automate ACME challenge validation
  • Suitability of existing mechanisms when 5G SBA is for standalone NPN (SNPN)
• Call flow of the messages exchanged between different entities in the chain of trust.

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

• References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
• For a specific reference, subsequent revisions do not apply.
• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

Clause 10 of TS 33.310 specifies a framework for certificate provisioning and managements for 5G NFs. Though the enrolment protocol is CMPv2, many of the procedures, such as those for initial trust establishment and for certificate revocation status verification, are independent of the enrolment protocol. Therefore, many of the procedures are expected to be re-used.