...

Components description

CertService

REST API

Method: GET
Endpoint: /certificate/{caName}

Parameters:
  • CA name
    • Is required?: Yes
    • Transfer method: Path parameter
    • Description: Name of the Certificate Authority which should sign the sent CSR. Must match a CA name in CertService's CMPv2 servers configuration.
  • Base64 encoded CSR (Certificate Signing Request)
    • Is required?: Yes
    • Transfer method: Header
    • Description: Certificate Signing Request for the given component.
  • Base64 encoded private key
    • Is required?: Yes
    • Transfer method: Header
    • Description: Private key matching the CSR. Needed to create the proof of possession (PoP).

Returned values:
  • Certificate chain
    • Always returned?: Yes
    • Transfer method: Body (JSON)
    • Description: Signed certificate with the whole certificate chain (intermediate CA certificates).
  • Trusted certificates
    • Always returned?: Yes
    • Transfer method: Body (JSON)
    • Description: List of root CAs which should be treated as trust anchors. Must contain the root CA which was used to sign the certificate and may contain other root CAs.

NOTE: The private key itself travels to CertService in a request header, so the client-to-CertService connection must be protected and the request headers must not be written to access logs.
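The following helper shows how a client assembles the call described above and checks the shape of the answer. It is an added example, not CertService's own client code. The header names CSR and PK and the JSON field names certificateChain and trustedCertificates are assumptions (this page only says "header" and "body (JSON)"); the response embedded at the bottom is constructed and its PEM bodies are placeholders, not real certificates.

```python
"""Client-side helpers for GET /certificate/{caName}.
Added example, not CertService code. Assumed names: request headers "CSR" and
"PK", response fields "certificateChain" and "trustedCertificates".
"""
import base64
import json
import urllib.request
from urllib.parse import quote

PEM_CERT_HEADER = "-----BEGIN CERTIFICATE-----"


def enrollment_url(base_url, ca_name):
    """The CA name is a path parameter, so it is percent-encoded before insertion."""
    return f"{base_url.rstrip('/')}/certificate/{quote(ca_name, safe='')}"


def enrollment_headers(csr_pem, private_key_pem):
    """Base64-encode the whole PEM blobs (not only their inner bodies) for the two headers.
    The private key is sent so that CertService can build the proof of possession."""
    return {
        "CSR": base64.b64encode(csr_pem).decode("ascii"),          # assumed header name
        "PK": base64.b64encode(private_key_pem).decode("ascii"),   # assumed header name
    }


def parse_enrollment_response(body):
    """Return (certificate_chain, trusted_certificates) and reject structurally bad answers:
    both lists must be present, non-empty and consist of PEM certificate strings."""
    data = json.loads(body)
    chain = data.get("certificateChain")        # assumed field name
    trusted = data.get("trustedCertificates")   # assumed field name
    for name, certs in (("certificateChain", chain), ("trustedCertificates", trusted)):
        if not isinstance(certs, list) or not certs:
            raise ValueError(f"{name} missing or empty")
        if not all(isinstance(c, str) and c.lstrip().startswith(PEM_CERT_HEADER) for c in certs):
            raise ValueError(f"{name} contains a non-PEM entry")
    return chain, trusted


def request_certificate(base_url, ca_name, csr_pem, private_key_pem, timeout=30):
    """Perform the call. The private key is in a header, so only use this over a channel
    you trust (e.g. mutually authenticated TLS between the client and CertService)."""
    req = urllib.request.Request(enrollment_url(base_url, ca_name), method="GET")
    for key, value in enrollment_headers(csr_pem, private_key_pem).items():
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_enrollment_response(resp.read())


# Constructed response for offline use; the PEM bodies are placeholders, not real certificates.
SAMPLE_RESPONSE = json.dumps({
    "certificateChain": [
        "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----",
        "-----BEGIN CERTIFICATE-----\nMIIB...sub-ca...\n-----END CERTIFICATE-----",
    ],
    "trustedCertificates": [
        "-----BEGIN CERTIFICATE-----\nMIIB...root...\n-----END CERTIFICATE-----",
    ],
}).encode()

if __name__ == "__main__":
    chain, trusted = parse_enrollment_response(SAMPLE_RESPONSE)
    print(enrollment_url("https://certservice:8443", "Ejbca"), len(chain), len(trusted))
```

The structural check in parse_enrollment_response only verifies that the answer has the documented shape; verifying that the returned chain actually terminates in one of the returned trust anchors still has to be done with a real X.509 library after parsing.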




CMPv2 server properties

CertService contains the configuration of CMPv2 servers. To enroll a certificate, at least one CMPv2 server has to be configured. The CMPv2 server configuration is read during CertService startup, so runtime changes require a CertService restart.

This section lists all properties which are planned to be supported by CertService for a CMPv2 based server.

  • CA Name
    • Required: Yes
    • Syntax: String (1-128)
    • Description: The CA name should combine the name of the external CA server and the issuer DN, i.e. the distinguished name of the CA on the external CA server that will sign our certificate.
    • Validation rules:
      1. String (1-128)
  • URL
    • Required: Yes
    • Syntax: Scheme + IPv4/FQDN + port + path
    • Description: URL of the CMPv2 server. Mandatory parts: scheme (http://) and IPv4 address or FQDN; optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp
      NOTE: If an FQDN is given, ONAP must be able to resolve it.
      NOTE: Only the http:// scheme is accepted, so the CMPv2 exchange is not transport-encrypted; integrity and origin of the messages rely on the CMPv2 message protection (PKIProtection, computed from the IAK) rather than on TLS.
    • Validation rules:
      1. Must be a correct URL
      2. Must start with the http:// scheme
      3. If a port is given, it must be in the 1-65535 range
  • Issuer DN
    • Required: Yes
    • Syntax: String (4-256)
    • Description: Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode, this Issuer DN is passed through as the CA to sign for that user.
    • Validation rules:
      1. String (4-256)
      2. Correct DN
  • CA Mode
    • Required: Yes
    • Syntax: Enum (CLIENT|RA)
    • Description: Issuer mode, either Registration Authority (RA) or client mode
    • Validation rules:
      1. Value from the predefined set
  • Authentication data::IAK
    • Required: Yes
    • Syntax: String (1-256)
    • Description: Initial authentication key, used together with the RV to authenticate the request at the CMPv2 server
    • Validation rules:
      1. String (1-256)
  • Authentication data::RV
    • Required: Yes
    • Syntax: String (1-256)
    • Description: Reference value, used together with the IAK to authenticate the request at the CMPv2 server
    • Validation rules:
      1. String (1-256)
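The validation rules above, applied to one server entry. This is an added example and not CertService's own validation code; the dictionary keys (caName, url, issuerDN, caMode, authentication.iak, authentication.rv) are assumed names chosen for the example, and the sample entry is constructed. The DN check goes slightly beyond the table by honouring backslash-escaped commas inside RDN values, which a naive split on "," would break.

```python
"""Check a CMPv2 server entry against the documented validation rules.
Added example, not CertService code. Config keys are assumed names.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample entry (EJBCA-style path); not a real server.
SAMPLE_CONFIG = {
    "caName": "Ejbca",
    "url": "http://127.0.0.1:8080/ejbca/publicweb/cmp/cmp",
    "issuerDN": "CN=ManagementCA,O=EJBCA Container Quickstart",
    "caMode": "RA",
    "authentication": {"iak": "initial-authentication-key", "rv": "ee-ref-0001"},
}

_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=.+$")            # attributeType=value
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")       # one DNS label


def split_dn(dn):
    """Split an RFC 4514 string DN into RDN strings, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def is_valid_dn(dn):
    """Rule 'Correct DN': every RDN must look like attributeType=value."""
    return all(_RDN_RE.match(rdn) for rdn in split_dn(dn))


def is_ipv4_or_fqdn(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    return all(_LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def validate_url(url):
    """Rules 1-3 for the URL property; returns a list of violations."""
    if not isinstance(url, str) or not url.startswith("http://"):
        return ["url: must start with the http:// scheme"]
    errors = []
    parts = urlsplit(url)
    if not parts.hostname or not is_ipv4_or_fqdn(parts.hostname):
        errors.append("url: host must be an IPv4 address or FQDN")
    try:
        port = parts.port          # None when absent; ValueError when non-numeric or > 65535
    except ValueError:
        port = -1
    if port is not None and not 1 <= port <= 65535:   # urlsplit tolerates port 0, the rule does not
        errors.append("url: port must be in the range 1-65535")
    return errors


def validate_server(cfg):
    """Return all rule violations for one CMPv2 server entry; [] means valid."""
    errors = []
    for key, (lo, hi) in (("caName", (1, 128)), ("issuerDN", (4, 256))):
        value = cfg.get(key)
        if not isinstance(value, str) or not lo <= len(value) <= hi:
            errors.append(f"{key}: must be a string of {lo}-{hi} characters")
    if isinstance(cfg.get("issuerDN"), str) and not is_valid_dn(cfg["issuerDN"]):
        errors.append("issuerDN: not a well-formed distinguished name")
    errors += validate_url(cfg.get("url"))
    if cfg.get("caMode") not in ("CLIENT", "RA"):
        errors.append("caMode: must be CLIENT or RA")
    auth = cfg.get("authentication") or {}
    for key in ("iak", "rv"):
        value = auth.get(key)
        if not isinstance(value, str) or not 1 <= len(value) <= 256:
            errors.append(f"authentication.{key}: must be a string of 1-256 characters")
    return errors


if __name__ == "__main__":
    print(validate_server(SAMPLE_CONFIG) or "configuration OK")
```

Running the check at startup (before the first enrollment) gives the operator the failing property by name instead of an opaque CMPv2 error later; note that the length rules apply to the IAK and RV too, which are secrets and should come from a secret store rather than a plain values file.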

...

PKIMessage structure (value, description, information included):

  • PKIHeader
    • Description: Contains information common to many PKI messages.
    • Information included:
      • SenderDN
      • IssuerDN
      • ProtectionAlgorithm (used for PKIProtection below)
  • PKIBody
    • Description: Contains message-specific information, i.e. the certificate request message.
    • Information included:
      • CertificateRequestMessage, which includes:
        • SubjectDN
        • IssuerDN
        • SubjectPublicKey
  • PKIProtection
    • Description: Contains the bits that protect the PKIMessage (specifically, a MAC derived from the IAK, with the RV telling the server which IAK to use).
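How PKIProtection ties back to the IAK and RV, as an added example that is not CertService or EJBCA code: with shared-secret authentication CMPv2 uses password-based MAC protection (RFC 4210, section 5.1.3.1). The one-way function is applied iterationCount times to secret||salt to derive a key, and that key MACs the ProtectedPart (PKIHeader plus PKIBody). The salt, OWF, iteration count and MAC algorithm are carried in the header's protectionAlg, and the reference value in senderKID. Everything below is constructed: the byte string standing in for the DER-encoded ProtectedPart is a placeholder, the secrets are made up, and SHA-256/HMAC-SHA256 are this example's algorithm choices.

```python
"""RFC 4210 5.1.3.1 password-based MAC protection, client and server side.
Added example, not CertService/EJBCA code; inputs are constructed placeholders.
"""
import hashlib
import hmac
import os

# Constructed server-side end-entity table: reference value (RV) -> initial authentication key (IAK).
SERVER_SECRETS = {b"ee-ref-0001": b"initial-authentication-key"}

# Constructed stand-in for the DER-encoded ProtectedPart (PKIHeader + PKIBody); not real DER.
PROTECTED_PART = b"PKIHeader{sender,recipient,protectionAlg=PBM}PKIBody{ir:CertReqMsg}"


def pbm_key(shared_secret, salt, iteration_count, owf="sha256"):
    """BASEKEY = OWF(secret || salt), with the OWF re-applied iterationCount times."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    basekey = shared_secret + salt
    for _ in range(iteration_count):
        basekey = hashlib.new(owf, basekey).digest()
    return basekey


def pbm_protect(protected_part, shared_secret, salt, iteration_count, owf="sha256", mac="sha256"):
    """PKIProtection = MAC(BASEKEY, ProtectedPart)."""
    key = pbm_key(shared_secret, salt, iteration_count, owf)
    return hmac.new(key, protected_part, mac).digest()


def client_protect(iak, rv, protected_part, iteration_count=10000, salt=None):
    """Client side: pick PBMParameter (salt, OWF, iteration count, MAC), compute the protection
    and send the RV as senderKID so the server can find the IAK. The IAK itself never leaves the client."""
    salt = os.urandom(16) if salt is None else salt
    params = {"salt": salt, "owf": "sha256", "iterationCount": iteration_count, "mac": "sha256"}
    return {
        "senderKID": rv,
        "protectionAlg": params,
        "protectedPart": protected_part,
        "protection": pbm_protect(protected_part, iak, salt, iteration_count, params["owf"], params["mac"]),
    }


def server_verify(message, secrets_by_rv):
    """Server side: look up the IAK by RV, recompute the MAC from the received parameters
    and compare in constant time. Unknown RV, wrong IAK or a modified body all fail."""
    iak = secrets_by_rv.get(message["senderKID"])
    if iak is None:
        return False
    p = message["protectionAlg"]
    expected = pbm_protect(message["protectedPart"], iak, p["salt"], p["iterationCount"], p["owf"], p["mac"])
    return hmac.compare_digest(expected, message["protection"])


if __name__ == "__main__":
    msg = client_protect(SERVER_SECRETS[b"ee-ref-0001"], b"ee-ref-0001", PROTECTED_PART)
    print("verified:", server_verify(msg, SERVER_SECRETS))
```

Because the MAC key is derived only from the IAK and a client-chosen salt, anyone who learns the IAK can enroll as that end entity; this is why the IAK/RV pair in the server properties is a secret with the same sensitivity as a credential, and why the EJBCA end entity is normally usable for a single enrollment.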

EJBCA SETUP SCRIPT

Attached file: ejbcaSetup.sh

Test code for running the CMPv2 client against an EJBCA server through a unit test

...

CertService's client properties

Columns: Group, Parameter name, ENV parameter variable name, Required, Default, Syntax, Description, Origin. (The ENV parameter variable name and Syntax columns are not filled in in this version of the page.)

  • Timeout
    • Required: No
    • Default: 30s
    • Description: Timeout for REST API calls
    • Origin: Application helm chart
  • Path
    • Required: Yes
    • Description: Path where the client will output the generated keystore and truststore. Normally this path should be on a volume which is used to transfer the keystore and truststore between CertService's client and the end component.
    • Origin: Application helm chart
  • CA name
    • Required: Yes
    • Description: Name of the CA which will enroll the certificate. Must be the same as configured on the server side. Used in REST API calls.
    • Origin: OOM global value

CSR details

  • Common Name
    • Required: Yes
    • Description: Common name for which the certificate from the CMPv2 server should be issued
    • Origin: Application helm chart
  • Organization
    • Required: Yes
    • Description: Organization for which the certificate from the CMPv2 server should be issued
    • Origin: OOM global value
  • Organization Unit
    • Required: No
    • Description: Organization unit for which the certificate from the CMPv2 server should be issued
    • Origin: OOM global value
  • Location
    • Required: No
    • Description: Location for which the certificate from the CMPv2 server should be issued
    • Origin: OOM global value
  • State
    • Required: Yes
    • Description: State for which the certificate from the CMPv2 server should be issued
    • Origin: OOM global value
  • Country
    • Required: Yes
    • Description: Country for which the certificate from the CMPv2 server should be issued
    • Origin: OOM global value
  • SANs
    • Required: No
    • Description: Subject Alternative Names (SANs) for which the certificate from the CMPv2 server should be issued
    • Origin: Application helm chart

...