...
Components description
CertService
REST API
Method | Endpoint | Parameter | Returned values | ||||||
---|---|---|---|---|---|---|---|---|---|
Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||
GET | /certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Certificate chain | Yes | Body (JSON) | Signed certificate with whole certificate chain (intermediate CA certificates). |
Base64 encoded CSR (Certificate Signing Request) | Yes | Header | Certificate Signing Request for given component | Trusted certificates | Yes | Body (JSON) | Trusted certificates. In other words list of root CAs which should be treated as trust anchors. Must contain root CA which was used to sign certificate and may contain other root CAs. | ||
Base64 encoded private key | Yes | Header | Private key. Needed to create proof of possession (PoP) |
CMPv2 server properties
CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. CMPv2 server configuration is read during CertService startup and runtime changes require CertService restart.
Section holds all properties which are planned to be supported by CertService for CMPv2 based server.
Parameter name | Required | Syntax | Description | Validation rules |
---|---|---|---|---|
CA Name | Yes | String (1-128) | The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. |
|
URL | Yes | Schema + IPv4/FQDN + port + path | Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp NOTE: If FQDN is given ONAP must be able to resolve it |
|
Issuer DN | Yes | String (4-256) | Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. |
|
CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode (either Registration Authority (RA) or client mode) |
|
Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used, together with RV, to authenticate request in CMPv2 server |
|
Authentication data::RV | Yes | String (1-256) | Reference value, used, together with IAK, to authenticate request in CMPv2 server |
|
...
Value | Description | Information Included |
---|---|---|
PKIHeader | Contains information common to many PKI messages. |
|
PKIBody | contains message-specific information ie. certificate request message |
|
PKIProtection | contains bits that protect PKImessage (Specifically the iak/rv) |
EJBCA SETUP SCRIPT
View file | ||||
---|---|---|---|---|
|
Test code for running cmpv2 client against EJBCA server through unit test
...
CertService's client properties
Group | Parameter name | ENV parameter variable name | Required | Default | Syntax | Description | Origin |
---|---|---|---|---|---|---|---|
Timeout | No | 30s | Timeout for REST API calls | Application helm chart | |||
Path | Yes | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | ||||
CA name | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | ||||
CSR details | Common Name | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | |||
Organization | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | ||||
Organization Unit | No | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | ||||
Location | No | Location for which certificate from CMPv2 server should be issued | OOM global value | ||||
State | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | ||||
Country | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | ||||
SANs | No | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued | Application helm chart |
...