Versions Compared

Old Version 30

changes.mady.by.user Pawel Baniewski

Saved on

compared with

New Version 31

changes.mady.by.user Pawel Baniewski

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Parameter nameRequiredSyntaxDescriptionValidation rules
CA NameYesString (1-128)The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate.
  1. String (1-128)
URLYesSchema + IPv4/FQDN + port + path

Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp


NOTE: If FQDN is given ONAP must be able to resolve it

  1. Must be correct URL
  2. Must start with http:// scheme
  3. If port given, port from 1-65535 range
Issuer DNYesString (4-256)Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user.
  1. String (4-256)
  2. Correct DN
CA ModeYesEnum (CLIENT|RA)Issuer mode (either Registration Authority (RA) or client mode)
  1. Value from predefined set
Authentication data::IAKYesString (1-256)Initial authentication key, used, together with RV, to authenticate request in CMPv2 server
  1. String (1-256)
Authentication data::RVYesString (1-256)Reference value, used, together with IAK, to authenticate request in CMPv2 server
  1. String (1-256)

CMPv2 client

Input Table for CMPV2 client

...

Currently the POC for CMPv2 client is working based on the inputs below.

Input Values

Input Type

Description

Usage

csrMetaobjectcsrMeta object from aaf, would contain values needed for certificate request. any needed values that should be stored in the csrMeta will be mentioned below.stores all pertinent values for certificate request - these will be detailed below, and should be set before being passed to the cmpv2 client.
csrMeta:IssuerDnorg.bouncycastle.asn1.x500.X500Namedistinguished name of the CA we're receiving certificate from. Cannot be nullused in the creation of the cert on EJBCA server
csrMeta: SubjectDnorg.bouncycastle.asn1.x500.X500NameDistinguished name of the Entity the certificate is being issued to/ Certificate Requesting Entity. Cannot be null.used in the creation of the cert on EJBCA server
csrMeta: KeyPairjava.security.KeyPairKeyPair associated with the entity the certificate is being issued to. Cannot be nullused to create proof of possession for request to EJBCA server
csrMeta: Passwordobject which contains iak/rv?secret password value shared by EJBCA server. Cannot be nullused to authenticate ourselves to the EJBCA serve

csrMeta: CA Details

objectCertification Authority Details ( Http address, Port number and Path (which includes alias if used)). Cannot be nullused to Post Http request to External CA.

.cer file

java.security.cert.X509Certificate.cer (CSR) generated by Cert-man using Key-pair. Cannot be null.

used to validate response (.crt)/ certificate send from EJBCA server

caNamestringthe name which is a general description of the external CAused for debugging purposes
caModeenumstring noting whether the server we are contacting will be operating in either client or RA modeused for debugging purposes

Relevant values in Certificate Request message to EJBCA:

Value

Description

Information Included

PKIHeaderContains information common to many PKI messages.
  • SenderDN
  • IssuerDN
  • ProtectionAlgorithm(used for PkiProtection below)
PKIBodycontains message-specific information ie. certificate request message
  • CertificateRequestMessage, which includes:
    • SubjectDN
    • IssuerDN
    • SubjectPublicKey
PKIProtectioncontains bits that protect PKImessage (Specifically the iak/rv)

Test code for running cmpv2 client against EJBCA server through unit test

Code Block
@Test
    public void testServerWithRealUrl()
        throws CmpClientException {

        setValidCsrMetaValuesAndDateValues();

        csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpSubRA");
        csrMeta.password("mypassword");

        CmpClientImpl cmpClient = new CmpClientImpl();
        try {
            cmpClient.createCertRequest("data", "RA", csrMeta, cert, notBefore, notAfter);
        } catch (CAOfflineException e) {
            e.printStackTrace();
        }
    }

    private void setValidCsrMetaValuesAndDateValues() {
        ArrayList<RDN> rdns = new ArrayList<>();
        try {
            rdns.add(new RDN("O=CommonCompany"));
        } catch (CertException e) {
            e.printStackTrace();
        }
        csrMeta = new CSRMeta(rdns);
        csrMeta.cn("Node123");
        csrMeta.san("CommonName.com");
        csrMeta.password("password");
        csrMeta.email("CommonName@cn.com");
        csrMeta.issuerCn("subCA");
        when(kpg.generateKeyPair()).thenReturn(keyPair);
        csrMeta.keypair(trans);
        csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmp");

        try {
            notBefore =  Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2019/11/11 12:00:00"));
            notAfter =  Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2020/11/11 12:00:00"));
        } catch (ParseException e) {
            e.printStackTrace();
        }
    }

...

Within you K8s workload add CertService's client as init container.:


Make sure you pass as ENV variables all required parameters.

...