...
| Input value | Input type | Description | Usage |
|---|---|---|---|
| CSRModelCsrModel | Object | POJO which transfers sent CSR, plain fields extracted from CSR (like Common Name, Country, etc) | |
| CSRModelCsrModel:: csr | org.bouncycastle.pkcs.PKCS10CertificationRequest | Certificate Signing Request received via REST API | |
| CSRModelCsrModel:: subjectDN | org.bouncycastle.asn1.x500.X500Name | SubjectDN retrieved from sent CSR | |
| CSRModelCsrModel:: privateKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PrivateKey | Private key received via REST API | |
| CSRModelCsrModel:: publicKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PublicKey | Public key retrieved from sent CSR | |
| CsrModel:: ???? |  Others if needed | ||
| CMPv2ServerDetails | Object | POJO which transfers CMPv2 server properties | |
| CMPv2ServerDetails:: CA name | String | CA name as configured in CMPv2 server properties | |
| CMPv2ServerDetails:: URL | URL or String | ||
| CMPv2ServerDetails:: IssuerDN | org.bouncycastle.asn1.x500.X500Name | ||
| CMPv2ServerDetails:: CA mode | ENUM | ||
| CMPv2ServerDetails:: IAK | String | ||
| CMPv2ServerDetails:: RV | String | ||
| CA name | String | CA name received via REST API |
...
| Code Block |
|---|
@Test
public void testServerWithRealUrl()
throws CmpClientException {
setValidCsrMetaValuesAndDateValues();
csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpcmpRA");
csrMeta.password("mypassword");
CmpClientImpl cmpClient = new CmpClientImpl();
try {
cmpClient.createCertRequest("data", "RA", csrMeta, cert, notBefore, notAfter);
} catch (CAOfflineException e) {
e.printStackTrace();
}
}
private void setValidCsrMetaValuesAndDateValues() {
ArrayList<RDN> rdns = new ArrayList<>();
try {
rdns.add(new RDN("O=CommonCompany"));
} catch (CertException e) {
e.printStackTrace();
}
csrMeta = new CSRMeta(rdns);
csrMeta.cn("Node123");
csrMeta.san("CommonName.com");
csrMeta.password("password");
csrMeta.email("CommonName@cn.com");
csrMeta.issuerCn("ManagementCA");
when(kpg.generateKeyPair()).thenReturn(keyPair);
csrMeta.keypair(trans);
csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpcmpRA");
try {
notBefore = Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2019/11/11 12:00:00"));
notAfter = Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2020/11/11 12:00:00"));
} catch (ParseException e) {
e.printStackTrace();
}
} |
...
| Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Url | TimeoutURL | No | http(s)://cert-service:8080/certificate/ | URL | URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port) | ||||||
| Timeout | TIMEOUT | No | 30s | Timeout for REST API calls | Application helm chart | ||||||
| Path | OUTPUT_PATH | 30s | Timeout for REST API calls | Application helm chart | Path | Yes | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | |||
| CA name | CA_NAME | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | |||||||
CSR details | Common Name | COMMON_NAME | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | ||||||
| Organization | ORGANIZATION | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | |||||||
| Organization Unit | ORGANIZATION_UNIT | No | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | |||||||
| Location | LOCATION | No | Location for which certificate from CMPv2 server should be issued | OOM global value | |||||||
| State | STATE | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | |||||||
| Country | COUNTRY | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | |||||||
| SANs | SANS | No | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued | Application helm chart |
...
Cause ONAP is deployed in K8s, CertService's client will be delivered as independent container and should run as init container for end component. Both init container and end component must mount the same volume (persistent or ephemeral) to transfer generated artifacts.Within you K8s workload add CertService's client as init container:
Volume to transfer generated artifacts should be mounted to application container:
| Code Block |
|---|
...
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
initContainers:
...
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
volumeMounts:
- mountPath: /certificates/external
name: {{ include "common.fullname" . }}-cmpv2-certs
readOnly: true
...
volumes:
- name: {{ include "common.fullname" . }}-cmpv2-certs
emptyDir: {} |
Within K8s workload, CertService's client as init container should be added:
| Code Block |
|---|
...
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
initContainers:
- name: cert-service-client
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
volumeMounts:
- mountPath: /certificates/external
name: {{ include "common.fullname" . }}-cmpv2-certs
readOnly: true
...
volumes:
- name: {{ include "common.fullname" . }}-cmpv2-certs
emptyDir: {} |
Make sure you pass as ENV variables all required parameters.
...