9.1:documentation:modules_ca:dev:certification_authority

Certification authority [ca]

The CA module is now only for private access and it isn't possible to download the module from the CzechIdM repository directly.

Go to your module folder:

cd Realization/backend/ca

And just execute the build process with maven:

mvn clean install

After the build process completes, the resulting JAR file will be placed in target folder and also in the local maven repository (by default ~/.m2).

For easy development, import all projects from github repository (core, acc, parent, app, …) and then import the CA module. Insert this dependency into app pom.xml file (into your active spring profile, for example dev):

<dependencies>
	...
	<dependency>
		<groupId>${project.groupId}</groupId>
		<artifactId>idm-ca</artifactId>
		<version>1.0.0-SNAPSHOT</version>
	</dependency>
	...
</dependencies>

After successful build of the CA module, it is necessary to copy resulting JAR file into CzechIdM WAR file (folder: <warfileroot>/WEB-INF/lib/).

Setting the CA up is done by configuration properties. Every instance of the driver (= every instance of the CA which is to be managed) has its own unique identifier (<CA_INSTANCE>). Unique identifier cannot contain dot . character - is used as internal configuration separator.

Property file:

# identifier
idm.sec.ca.authority.<CA_INSTANCE>.identifier=<CA_INSTANCE>
# DN for CAW
idm.sec.ca.authority.<CA_INSTANCE>.dn
# Complete path to CAW implementation
idm.sec.ca.authority.<CA_INSTANCE>.script.path

Suppose we have two CAW-managed certificate authorities "CA1_users", which we alias "users" in the module, and "CA2_web_servers" which we alias "web". Those names are then used in the RESTful API. The configuration is as follows:

# CA1_users
idm.sec.ca.authority.users.identifier=users
idm.sec.ca.authority.users.dn="C=CZ, ST=Czech Republic, L=Prague, O=BCV, OU=TEST, CN=CA1_users"
idm.sec.ca.authority.users.script.path="/path/to/users/ca/caw"
# CA2_web_servers
idm.sec.ca.authority.web.identifier=web
idm.sec.ca.authority.web.dn="C=CZ, ST=Czech Republic, L=Prague, O=BCV, OU=TEST, CN=CA2_web_servers"
idm.sec.ca.authority.web.script.path="/path/to/web/servers/ca/caw"
method ENDPOINT description
GET /ca/authorities All available certification authorities
GET /ca/authorities/<CA_INSTANCE>/search/quick List of all certificate by given certification authority
DELETE /ca/authorities/<CA_INSTANCE>/certs/<CERT-SERIAL-NUMBER> Revoke given certificate by serial number
POST /ca/authorities/<CA_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/get Return certificate as PEM
GET /ca/authorities/<CA_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/renew Renew given certificate by serial number
GET /ca/authorities/<CA_INSTANCE>/certs/<CERT-SERIAL-NUMBER>/status Get status for certificate by serial number
POST /ca/authorities/<CA_INSTANCE>/generatePair Generate certificate by given information in DTO, return serial number
POST /ca/authorities/<CA_INSTANCE>/signCSR Sign given certificate CSR, return serial number
POST /ca/authorities/<CA_INSTANCE>/validateCert Validate given certificate

More information about CA module REST can be found in swagger documentation.

In next version there will be FE configuration implemented (every driver will have its own configuration properties).