
Port 223 sits in the well-known ports range with an official IANA assignment, but it's essentially a ghost. The registration says "Certificate Distribution Center" (CDC). The reality is that nobody uses it, nobody remembers it, and nobody wrote down how it worked. [1][2]

What CDC Was Supposed to Be

The Certificate Distribution Center was meant to handle certificate distribution for cryptographic operations. That's all we know. There's no RFC specification. No protocol documentation. No surviving implementations. Just a name in a registry and a port number that was reserved decades ago. [3]

This was likely an early attempt at solving certificate management before protocols like SCEP (Simple Certificate Enrollment Protocol), CMP (Certificate Management Protocol), and ACME (Automated Certificate Management Environment) came along and did it properly. Those protocols have RFCs, documentation, active implementations, and real deployments. CDC has none of that.

The Well-Known Ports Range

Port 223 falls in the well-known ports range (0-1023), also called system ports. These ports are assigned by IANA through formal processes that require IETF review or IESG approval. [4] Getting a well-known port assignment is difficult and reserved for protocols that are expected to become Internet standards.

Someone went through that formal process for CDC. They got the port assignment. And then the protocol disappeared anyway.

What Actually Listens on Port 223

In practice: probably nothing. Modern certificate management uses different protocols entirely:

  • ACME (port 80/443) for automated certificate issuance (Let's Encrypt)
  • SCEP (typically port 80/443) for certificate enrollment
  • CMP for comprehensive certificate management
  • OCSP (port 80/443) for certificate status checking

These protocols solved the certificate distribution problem while CDC faded into obscurity. The port is reserved but unused—a memorial to a protocol that didn't survive.

Checking What's Listening

If you want to see if anything is actually using port 223 on your system:

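# On Linux/macOS
# -n and -P keep addresses and ports numeric instead of resolving names
sudo lsof -nP -i :223
# Match port 223 exactly (":223" on Linux, ".223" on macOS), not 2230 or x.x.x.223
netstat -an | grep -E '[.:]223[[:space:]]'

# On Windows
# /C: makes findstr treat ":223 " (with the trailing space) as one literal string
netstat -an | findstr /C:":223 "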

You'll almost certainly find nothing. Port 223 is a placeholder in the registry, not an active part of the Internet's infrastructure.
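
An added example, not part of the original page: a plain text match on "223" also hits port 2230, an address such as 10.0.2.223, or an outbound connection to a remote port 223, so the filter below keeps only sockets bound locally to exactly that port. The netstat lines are constructed sample data, and the function names sample_netstat and listeners_on_port are hypothetical.

```shell
#!/bin/sh
# Added example: exact-match filter for local listeners on a given port.
# Assumes `netstat -an` column order: proto, recv-q, send-q, local, foreign, [state].

# Constructed sample of `netstat -an` output (Linux ":" and macOS "." styles).
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:2230            0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.223:22           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:223             0.0.0.0:*               LISTEN
tcp6       0      0 :::223                  :::*                    LISTEN
tcp4       0      0  *.223                  *.*                     LISTEN
tcp        0      0 192.168.1.5:51000       203.0.113.9:223         ESTABLISHED
udp        0      0 0.0.0.0:223             0.0.0.0:*
EOF
}

# Read netstat output on stdin; print "proto local-address" for sockets whose
# LOCAL port equals $1 and that are TCP LISTEN or UDP (UDP has no state column).
listeners_on_port() {
  awk -v p="$1" '
    $1 ~ /^(tcp|udp)/ {
      laddr = $4
      n = split(laddr, parts, "[.:]")   # last field after "." or ":" is the port
      if (parts[n] != p) next           # 2230, or 223 inside an IP, is rejected
      if ($1 ~ /^tcp/ && $0 !~ /LISTEN/) next
      print $1, laddr
    }'
}

# Naive match counts every line containing "223"; the filter keeps real listeners.
echo "naive grep hits: $(sample_netstat | grep -c 223)"
echo "exact listeners on 223:"
sample_netstat | listeners_on_port 223
```

On a live host, pipe real output through the same function: netstat -an | listeners_on_port 223. Any line it prints for port 223 is worth identifying, since no current software is expected to bind there.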

Why Ghost Ports Matter

Port 223 represents something real about how the Internet evolves. Not every protocol succeeds. Not every port assignment leads to widespread adoption. The well-known ports range is full of experiments that didn't work out, early protocols that were replaced by better ones, and services that made sense in 1990 but not in 2026.

The port remains assigned because removing port assignments is complicated and risky. Better to leave port 223 registered to a dead protocol than to reassign it and potentially cause conflicts with legacy systems that might still have CDC hardcoded somewhere in a forgotten configuration file.

This is how protocol evolution works. Better solutions replace older ones. The port numbers stay behind like fossils in sediment—evidence that someone tried something once, even if we no longer remember exactly what.

  • Port 80: HTTP, where ACME and SCEP typically run
  • Port 443: HTTPS, the modern home for certificate management protocols
  • Port 88: Kerberos, another authentication protocol from the same era
  • Port 464: Kerberos Change/Set Password, still actively used

Port 223: Certificate Distribution Center — The Ghost Protocol • Connected