Certification authority [ca]
Building the module
The CA module is now only for private access and it isn't possible to download the module from the CzechIdM repository directly.
Go to your module folder:
cd Realization/backend/ca
And just execute the build process with maven:
mvn clean install
After the build process completes, the resulting JAR file will be placed in target folder and also in the local maven repository (by default ~/.m2).
Development
For easy development, import all projects from github repository (core, acc, parent, app, …) and then import the CA module. Insert this dependency into app pom.xml file (into your active spring profile, for example dev):
<dependencies> ... <dependency> <groupId>${project.groupId}</groupId> <artifactId>idm-ca</artifactId> <version>1.0.0-SNAPSHOT</version> </dependency> ... </dependencies>
Installing the CA module
After successful build of the CA module, it is necessary to copy resulting JAR file into CzechIdM WAR file (folder: <war_file_root>/WEB-INF/lib/).
CA settings
Setting the CA up is done by configuration properties. Every instance of the driver (= every instance of the CA which is to be managed) has its own unique identifier (<CA_INSTANCE>). Unique identifier cannot contain dot .
character - is used as internal configuration separator.
Property file:
# identifier idm.sec.ca.authority.<CA_INSTANCE>.identifier=<CA_INSTANCE> # DN for CAW idm.sec.ca.authority.<CA_INSTANCE>.dn # Complete path to CAW implementation idm.sec.ca.authority.<CA_INSTANCE>.script.path
Suppose we have two CAW-managed certificate authorities "CA1\_users", which we alias "users" in the module, and "CA2\_web\_servers" which we alias "web". Those names are then used in the RESTful API. The configuration is as follows:
# CA1_users idm.sec.ca.authority.users.identifier=users idm.sec.ca.authority.users.dn="C=CZ, ST=Czech Republic, L=Prague, O=BCV, OU=TEST, CN=CA1_users" idm.sec.ca.authority.users.script.path="/path/to/users/ca/caw" # CA2_web_servers idm.sec.ca.authority.web.identifier=web idm.sec.ca.authority.web.dn="C=CZ, ST=Czech Republic, L=Prague, O=BCV, OU=TEST, CN=CA2_web_servers" idm.sec.ca.authority.web.script.path="/path/to/web/servers/ca/caw"
REST api
method | ENDPOINT | description |
---|---|---|
GET | /ca/authorities | All available certification authorities |
GET | /ca/authorities/<CA\_INSTANCE>/search/quick | List of all certificate by given certification authority |
DELETE | /ca/authorities/<CA\_INSTANCE>/certs/<CERT-SERIAL-NUMBER> | Revoke given certificate by serial number |
POST | /ca/authorities/<CA\_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/get | Return certificate as PEM |
GET | /ca/authorities/<CA\_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/renew | Renew given certificate by serial number |
GET | /ca/authorities/<CA\_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/status | Get status for certificate by serial number |
POST | /ca/authorities/<CA\_INSTANCE>/generatePair | Generate certificate by given information in DTO, return serial number |
POST | /ca/authorities/<CA\_INSTANCE>/signCSR | Sign given certificate CSR, return serial number |
POST | /ca/authorities/<CA\_INSTANCE>/validateCert | Validate given certificate |
More information about CA module REST can be found in swagger documentation.
In next version there will be FE configuration implemented (every driver will have its own configuration properties).