Overview
The goal of this requirement is to implement new adapter within AAF's Certificate Manager (aka CertMan) which will request certificates signed by external Certificate Authority (CA) using CMPv2 over HTTP protocol. New adapter can be used together with already existing adapters: LocalCA and JScepCA. To proof that new adapter works Open Source CMPv2 server (EJBCA) will be deployed and used in E2E tests.
It is planned that Network Functions (aka xNFs) will get certificates from the same Certificate Authority, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
CMPv2 adapter properties:
Section holds all properties which are planned to be supported by CertService for CMPv2 based CA. Some parameters are planned to be processed before sending to CMPv2 client.
| Parameter name | Required | Default | Syntax | Description |
|---|---|---|---|---|
| IP | Yes | IPv4 | ||
| Port | Yes | 8080 | Port number (1-65535) | |
| Path | Yes | /pkix | ||
| Issuer DN | Yes | String (3-256) | Distinguished Name of the CA that will sign the certificate on the external CA server. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. | |
| Authentication data | Yes | |||
| CA Name | No | String (1-128) | The Ca Name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. | |
| CA Mode | No | String from predefined set: CLIENT_MODE and RA_MODE |
Input Table for CMPV2 client:
Currently the POC for CMPv2 client is working based on the inputs below.
Input Values | Input Type | Description | Usage |
|---|---|---|---|
| csrMeta | object | csrMeta object from aaf, would contain values needed for certificate request. any needed values that should be stored in the csrMeta will be mentioned below. | stores all pertinent values for certificate request - these will be detailed below, and should be set before being passed to the cmpv2 client. |
| csrMeta:IssuerDn | org.bouncycastle.asn1.x500.X500Name | distinguished name of the CA we're receiving certificate from. Cannot be null | used in the creation of the cert on EJBCA server |
| csrMeta: SubjectDn | org.bouncycastle.asn1.x500.X500Name | Distinguished name of the Entity the certificate is being issued to/ Certificate Requesting Entity. Cannot be null. | used in the creation of the cert on EJBCA server |
| csrMeta: KeyPair | java.security.KeyPair | KeyPair associated with the entity the certificate is being issued to. Cannot be null | used to create proof of possession for request to EJBCA server |
| csrMeta: Password | object which contains iak/rv? | secret password value shared by EJBCA server. Cannot be null | used to authenticate ourselves to the EJBCA serve |
csrMeta: CA Details | object | Certification Authority Details ( Http address, Port number and Path (which includes alias if used)). Cannot be null | used to Post Http request to External CA. |
.cer file | java.security.cert.Certificate | .cer (CSR) generated by Cert-man using Key-pair. Cannot be null. | used to validate response (.crt)/ certificate send from EJBCA server |
| caName | string | the name which is a general description of the external CA | used for debugging purposes |
| caMode | enum | string noting whether the server we are contacting will be operating in either client or RA mode | used for debugging purposes |
Relevant values in Certificate Request message to EJBCA:
Value | Description | Information Included |
|---|---|---|
| PKIHeader | Contains information common to many PKI messages. |
|
| PKIBody | contains message-specific information ie. certificate request message |
|
| PKIProtection | contains bits that protect PKImessage (Specifically the iak/rv) |