...

[Gliffy diagram: certservice_high_level]


Simplified certificate enrollment flow

[Gliffy diagram: certService_cert_enrollment_flow]

Components description

CertService

...

Parameter name: CA Name
Required: Yes
Syntax: String (1-128)
Description: The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate.
Validation rules:
  1. String (1-128)

Parameter name: URL
Required: Yes
Syntax: Schema + IPv4/FQDN + port + path
Description: URL of the CMPv2 server. Mandatory parts: the schema (http://) and an IPv4 address or FQDN. Optional parts: the port and the path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp
NOTE: If an FQDN is given, ONAP must be able to resolve it.
Validation rules:
  1. Must be a correct URL
  2. Must start with the http:// schema
  3. If a port is given, it must be in the 1-65535 range

Parameter name: Issuer DN
Required: Yes
Syntax: String (4-256)
Description: Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode, this Issuer DN is passed through as the CA that signs for that user.
Validation rules:
  1. String (4-256)
  2. Correct DN

Parameter name: CA Mode
Required: Yes
Syntax: Enum (CLIENT|RA)
Description: Issuer mode (either Registration Authority (RA) or client mode)
Validation rules:
  1. Value from the predefined set

Parameter name: Authentication data::IAK
Required: Yes
Syntax: String (1-256)
Description: Initial authentication key, used together with RV to authenticate the request at the CMPv2 server
Validation rules:
  1. String (1-256)

Parameter name: Authentication data::RV
Required: Yes
Syntax: String (1-256)
Description: Reference value, used together with IAK to authenticate the request at the CMPv2 server
Validation rules:
  1. String (1-256)
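The validation rules in the table above, implemented as a check that an operator can run over a CA configuration before it reaches CertService, so that a wrong schema, an out-of-range port or a malformed issuer DN is rejected at configuration time rather than at the first enrollment. This is an added example and not code from the ONAP CertService project; the dictionary keys (caName, url, issuerDN, caMode, iak, rv), the function names and the sample configuration are assumptions for illustration, while the rules themselves are the ones listed in the table.

```python
"""Checks for the CertService CA configuration parameters listed in the table above.

Added example, not code from the ONAP CertService project. The dictionary keys,
function names and sample configuration are assumed for illustration; the rules
(lengths, http:// schema, port range, DN shape, CA mode enum) are the table's.
"""
import re
from urllib.parse import urlsplit

CA_MODES = {"CLIENT", "RA"}
# One relative distinguished name: a known attribute type, '=', a non-empty value.
RDN = re.compile(r"^(CN|O|OU|L|ST|C|DC|UID|STREET|EMAILADDRESS|SERIALNUMBER)=.+$",
                 re.IGNORECASE)


def _check_len(name, value, lo, hi, errors):
    """Rule 'String (lo-hi)': value must be a string of lo..hi characters."""
    if not isinstance(value, str) or not lo <= len(value) <= hi:
        errors.append(f"{name}: must be a string of {lo}-{hi} characters")
        return False
    return True


def check_url(url, errors):
    """URL rules 1-3: well-formed, http:// schema, port (if given) in 1-65535."""
    if not isinstance(url, str) or not url.startswith("http://"):
        errors.append("URL: must start with the http:// schema")
        return False
    parts = urlsplit(url)
    if not parts.hostname:
        errors.append("URL: must contain an IPv4 address or FQDN")
        return False
    try:
        port = parts.port  # ValueError when the port is not numeric or above 65535
    except ValueError:
        port = 0           # treat as out of range; rejected below
    if port is not None and not 1 <= port <= 65535:
        errors.append("URL: port must be in the 1-65535 range")
        return False
    return True


def check_issuer_dn(dn, errors):
    """Issuer DN rules: length 4-256 and every comma-separated RDN well-formed."""
    if not _check_len("Issuer DN", dn, 4, 256, errors):
        return False
    # A comma escaped as '\,' is part of a value, not an RDN separator.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    bad = [r for r in rdns if not RDN.match(r)]
    if bad:
        errors.append(f"Issuer DN: malformed RDN(s): {bad}")
        return False
    return True


def validate_ca_config(cfg):
    """Return the list of rule violations; an empty list means the config is acceptable."""
    errors = []
    _check_len("CA Name", cfg.get("caName"), 1, 128, errors)
    check_url(cfg.get("url"), errors)
    check_issuer_dn(cfg.get("issuerDN"), errors)
    if cfg.get("caMode") not in CA_MODES:
        errors.append("CA Mode: must be one of CLIENT, RA")
    _check_len("Authentication data::IAK", cfg.get("iak"), 1, 256, errors)
    _check_len("Authentication data::RV", cfg.get("rv"), 1, 256, errors)
    return errors


# Constructed sample configuration; the values are illustrative, not a real deployment.
SAMPLE_CA_CONFIG = {
    "caName": "Client",
    "url": "http://127.0.0.1:8080/pkix",
    "issuerDN": "CN=ManagementCA,O=Example,C=US",
    "caMode": "CLIENT",
    "iak": "example-iak",
    "rv": "example-rv",
}

if __name__ == "__main__":
    for line in validate_ca_config(SAMPLE_CA_CONFIG) or ["configuration OK"]:
        print(line)
```

The CA mode comparison is deliberately case-sensitive, matching the enum syntax in the table; if the deployment tooling lower-cases values, normalise them before this check rather than loosening it.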

Simplified certificate enrollment flow from CertService's perspective

...

...



CMPv2 client


CertService's client

...

Parameter name: Timeout
Required: No
Default: 30s
Description: Timeout for REST API calls
Origin: Application helm chart

Parameter name: Path
Required: Yes
Description: Path where the client will output the generated keystore and truststore. Normally this path should be on a volume which is used to transfer the keystore and truststore between CertService's client and the main application (end component).
Origin: Application helm chart

Parameter name: CA name
Required: Yes
Description: Name of the CA which will enroll the certificate. Must be the same as configured on the server side. Used in REST API calls.
Origin: OOM global value

Group: CSR details

Parameter name: Common Name
Required: Yes
Description: Common name for which the certificate from the CMPv2 server should be issued
Origin: Application helm chart

Parameter name: Organization
Required: Yes
Description: Organization for which the certificate from the CMPv2 server should be issued
Origin: OOM global value

Parameter name: Organization Unit
Required: No
Description: Organization unit for which the certificate from the CMPv2 server should be issued
Origin: OOM global value

Parameter name: Location
Required: No
Description: Location for which the certificate from the CMPv2 server should be issued
Origin: OOM global value

Parameter name: State
Required: Yes
Description: State for which the certificate from the CMPv2 server should be issued
Origin: OOM global value

Parameter name: Country
Required: Yes
Description: Country for which the certificate from the CMPv2 server should be issued
Origin: OOM global value

Parameter name: SANs
Required: No
Description: Subject Alternative Names (SANs) for which the certificate from the CMPv2 server should be issued
Origin: Application helm chart
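The client parameters above come from two sources (the application Helm chart and the OOM global values), one of them carries a default, and the CSR details end up as an X.500 subject plus a SAN list. The following added example, which is not code from the CertService client, shows that assembly: each parameter is taken from its declared origin, the 30s timeout default is applied, missing required parameters are reported, attribute values are escaped per RFC 4514 before they are joined into the subject DN (so a comma inside an organization name cannot split the DN), and the SANs string is split into DNS and IP entries. All dictionary keys, the origin labels and the sample values are assumptions for illustration.

```python
"""Assembly of the CertService client's configuration from the table above.

Added example, not code from the ONAP CertService client. The short keys,
origin labels ("chart" = application helm chart, "global" = OOM global value)
and sample values are assumed for illustration.
"""
import ipaddress
import re

# (parameter, required, origin) as listed in the table above.
CLIENT_FIELDS = [
    ("timeout", False, "chart"),
    ("outputPath", True, "chart"),
    ("caName", True, "global"),
]
CSR_FIELDS = [
    ("commonName", True, "chart"),
    ("organization", True, "global"),
    ("organizationUnit", False, "global"),
    ("location", False, "global"),
    ("state", True, "global"),
    ("country", True, "global"),
    ("sans", False, "chart"),
]
DEFAULTS = {"timeout": "30s"}
# X.500 attribute type used for each CSR field in the subject DN.
RDN_TYPE = {"commonName": "CN", "organizationUnit": "OU", "organization": "O",
            "location": "L", "state": "ST", "country": "C"}


def merge_config(chart_values, oom_global):
    """Take each parameter from its declared origin, starting from the defaults."""
    merged = dict(DEFAULTS)
    for name, _required, origin in CLIENT_FIELDS + CSR_FIELDS:
        source = chart_values if origin == "chart" else oom_global
        if source.get(name) not in (None, ""):
            merged[name] = source[name]
    return merged


def missing_required(cfg):
    """Names of required parameters that are absent or empty."""
    return [name for name, required, _ in CLIENT_FIELDS + CSR_FIELDS
            if required and not cfg.get(name)]


def timeout_seconds(value):
    """Parse a duration such as '30s' or '2m' into seconds."""
    m = re.fullmatch(r"(\d+)(s|m)", value.strip())
    if not m:
        raise ValueError(f"bad timeout: {value!r}")
    return int(m.group(1)) * (60 if m.group(2) == "m" else 1)


def escape_rdn_value(value):
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):             # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def build_subject(cfg):
    """Join the configured CSR details into a subject DN (CN, OU, O, L, ST, C order),
    skipping optional attributes that were not configured."""
    parts = []
    for field in ("commonName", "organizationUnit", "organization",
                  "location", "state", "country"):
        value = cfg.get(field)
        if value:
            parts.append(f"{RDN_TYPE[field]}={escape_rdn_value(value)}")
    return ",".join(parts)


def parse_sans(sans):
    """Split the comma-separated SANs value into (type, value) pairs:
    IP literals become IP SANs, anything else a DNS SAN."""
    result = []
    for item in (s.strip() for s in (sans or "").split(",")):
        if not item:
            continue
        try:
            result.append(("IP", str(ipaddress.ip_address(item))))
        except ValueError:
            result.append(("DNS", item))
    return result


# Constructed sample values standing in for the two configuration sources.
CHART_VALUES = {"outputPath": "/var/certs", "commonName": "sample-app",
                "sans": "sample-app.onap,10.0.0.5"}
OOM_GLOBAL = {"caName": "RA", "organization": "Linux-Foundation", "organizationUnit": "ONAP",
              "location": "San-Francisco", "state": "California", "country": "US"}

if __name__ == "__main__":
    cfg = merge_config(CHART_VALUES, OOM_GLOBAL)
    print("missing:", missing_required(cfg))
    print("subject:", build_subject(cfg))
    print("sans:", parse_sans(cfg["sans"]))
```

Because each parameter is bound to exactly one origin, a value supplied in the wrong place (for example a Common Name set only in the OOM global values) is ignored and surfaces as a missing required parameter instead of being silently picked up.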

...






Input Table for CMPv2 client:

...