Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Parameter nameRequiredSyntaxDescriptionValidation rules
CA NameYesString (1-128)The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate.

String (1-128)

URLYesSchema + IPv4/FQDN + port + path

Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp


NOTE: If FQDN is given ONAP must be able to resolve it

Must be correct URL

Must start with http:// scheme

If port given, port from 1-65535 range

Issuer DNYesString (4-256)Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user.

String (4-256)

Correct DN

CA ModeYesEnum (CLIENT|RA)Issuer mode (either Registration Authority (RA) or client mode)

Value from predefined set

Authentication data::IAKYesString (1-256)Initial authentication key, used, together with RV, to authenticate request in CMPv2 server

String (1-256)

Authentication data::RVYesString (1-256)Reference value, used, together with IAK, to authenticate request in CMPv2 server

String (1-256)


Example

Code Block
Example CMPv2 server configuration will be here. Probably it will be JSON based to easy read and map to object.


CMPv2 client

Input table for CMPv2 client

CMPv2 will get two POJOs: first with CSR, plain fields extracted from CSR (like plain Common Name, Country, etc), private key and CA name (in general data mapped from passed via REST API call) and second with CMPv2 server details.

...

Value

Description

Information Included

PKIHeaderContains information common to many PKI messages.

SenderDN

IssuerDN

ProtectionAlgorithm (used for PkiProtection below)

PKIBodycontains message-specific information ie. certificate request message

CertificateRequestMessage, which includes:

SubjectDN

IssuerDN

SubjectPublicKey

PKIProtectioncontains bits that protect PKImessage (Specifically the iak/rv)



Test code for running cmpv2 client against EJBCA server through unit test

Code Block
@Test
    public void testServerWithRealUrl()
        throws CmpClientException {

        setValidCsrMetaValuesAndDateValues();

        csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpSubRA");
        csrMeta.password("mypassword");

        CmpClientImpl cmpClient = new CmpClientImpl();
        try {
            cmpClient.createCertRequest("data", "RA", csrMeta, cert, notBefore, notAfter);
        } catch (CAOfflineException e) {
            e.printStackTrace();
        }
    }

    private void setValidCsrMetaValuesAndDateValues() {
        ArrayList<RDN> rdns = new ArrayList<>();
        try {
            rdns.add(new RDN("O=CommonCompany"));
        } catch (CertException e) {
            e.printStackTrace();
        }
        csrMeta = new CSRMeta(rdns);
        csrMeta.cn("Node123");
        csrMeta.san("CommonName.com");
        csrMeta.password("password");
        csrMeta.email("CommonName@cn.com");
        csrMeta.issuerCn("subCA");
        when(kpg.generateKeyPair()).thenReturn(keyPair);
        csrMeta.keypair(trans);
        csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmp");

        try {
            notBefore =  Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2019/11/11 12:00:00"));
            notAfter =  Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2020/11/11 12:00:00"));
        } catch (ParseException e) {
            e.printStackTrace();
        }
    }

...