Differences

devel:documentation:modules_crt [2023/03/01 07:41]
doischert
devel:documentation:modules_crt [2024/04/22 10:55] (current)
cem [Admin tutorials]
Line 1: Line 1:
-<- .:modules_reports | ^ .:start | Documentation ^ .:modules_rec | ->+<- .:modules_reports | ^ .:start | Documentation ^ .:modules_rec | 
  
 ====== Modules - Certificates [crt] ====== ====== Modules - Certificates [crt] ======
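Review bot: the right-hand version of the navigation line on Line 1 drops the trailing `->` that the left-hand version ends with, so the "next page" arrow pointing at .:modules_rec disappears from the rendered header while the "<-" arrow to .:modules_reports stays; if that was not intended, restore `| ->` at the end of the line so the bar is symmetric again.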
Line 18: Line 18:
   * **Cancel request**  - Certificate request can be canceled, when request is in concept state.   * **Cancel request**  - Certificate request can be canceled, when request is in concept state.
   * **Download certificate**  - Public certificate and private key (if exists) can be downloaded. Private key can be downloaded just by certificate owner.   * **Download certificate**  - Public certificate and private key (if exists) can be downloaded. Private key can be downloaded just by certificate owner.
 +  * **Download secret**  - Secret to any certificate can be downloaded by user with permissions CERTIFICATE_READ and CERTIFICATE_DOWNLODSECRET, it is meant to be used by external app signing documents on behalf of users
 ===== Architecture ===== ===== Architecture =====
  
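Review bot: the permission name in the new **Download secret** bullet is misspelled as CERTIFICATE_DOWNLODSECRET, while the new "Download secret" section added later in this same revision calls it CERTIFICATE_DOWNLOADSECRET; an administrator copying the name from this feature list into a role definition would grant a permission that does not match the one the section documents. Use one spelling in both places (CERTIFICATE_DOWNLOADSECRET, matching the section), and tidy the bullet to "The secret of any certificate can be downloaded by a user holding the permissions CERTIFICATE_READ and CERTIFICATE_DOWNLOADSECRET; it is meant for an external application that signs documents on behalf of users."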
Line 43: Line 44:
   * [[:tutorial:adm:modules_crt|Modules - Certificates]]   * [[:tutorial:adm:modules_crt|Modules - Certificates]]
   * [[:tutorial:adm:modules_crt_approving_request|Modules - Approving certificate requests]]   * [[:tutorial:adm:modules_crt_approving_request|Modules - Approving certificate requests]]
-  * [[:tutorial:adm:modules_crt_lrt_notification|Modules - Scheduled tasks and notifications]]+  * [[:tutorial:adm:modules_crt_lrt_notification|Modules - Scheduled tasksnotifications and automatic certificate renew, generating or revocation]] 
  
 ===== Devel guide ===== ===== Devel guide =====
  
   * [[.:modules_crt:dev:certificate_manager|]]   * [[.:modules_crt:dev:certificate_manager|]]
 +
 +===== Download secret =====
 +
 +Secret to any certificate can be downloaded by user with permissions **CERTIFICATE_READ**  and **CERTIFICATE_DOWNLOADSECRET**. Secret is encrypted by RSA **public key**  **stored in**  configuration item **idm.sec.crt.secret.pub**, length is arbitrary (2048 and more is recomended). Secret key is stored in external app and is used to decrypt secret. Key pair can be generated by these commands (you can change 2048 to 4096, 8192...)
 +<code>
 +openssl genrsa -out private.key 2048
 +openssl rsa -in private.key -outform PEM -pubout -out public.key
 +
 +
 +</code>
 +
 +Public key to be stored in IdM configuration is in file public.key, save it without lines starting with ----- and joined to one line (without spaces), private key to be used by external app for decrypting secret is in file private.key.
 +
 +URL for secret download is **/api/v1/crt/certificates/{certificateId}/download-secret**, where certificateId is UUID of certificate in IdM, response is JSON with this structure:
 +
 +<code>{
 +  "certificate_id": "certificateId from URL",
 +  "secret": "Base64 encoded RSA encrypted certificate secret by public key in idm.sec.crt.secret.pub"
 +}
 +
 +
 +</code>
  
  
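Review bot: the new "Download secret" section never states which RSA padding scheme the secret is encrypted with (PKCS#1 v1.5 or OAEP, and for OAEP which hash and MGF), so an external application cannot be written from this page alone; state the scheme next to the configuration item idm.sec.crt.secret.pub, and say in the response example that the base64 is applied to the raw ciphertext bytes. Two related points for the key-generation snippet: `openssl genrsa -out private.key 2048` writes private.key unencrypted, and because that one file decrypts the secret of every certificate in IdM, the text should say it is to exist only on the external app with restrictive file permissions (or be generated passphrase-protected); and the public-key instruction reads more clearly as "save it without the lines starting with -----, joined into a single line with no whitespace". Wording: the renamed link title "Scheduled tasksnotifications and automatic certificate renew, generating or revocation" should be "Scheduled tasks, notifications and automatic certificate renewal, generation or revocation"; "recomended" should be "recommended"; "length is arbitrary (2048 and more is recomended)" should be "the key length is arbitrary (2048 bits or more is recommended)".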
  • by doischert