
Manual Reference Pages  -  OPENXPKI::SERVER::WORKFLOW::NICE (3)






NICE is the Nice Interface for Certificate Enrollment. This class is just a stub to be inherited by your specialised backend class.

The mandatory input parameters are directly passed to the methods while the mandatory return values should be returned as a hash ref by the method call and are written to the context by the surrounding activity functions. The implementations are free to access the context to transport internal parameters.

API Functions


Submit a certificate request for a new certificate. The certificate request entry from the database is passed in as hashref.

Note that it depends heavily on the implementation which properties are taken from the pkcs10 container and which can be overridden by other means. PKCS10 is the default format and should be supported by any backend; the default local backend also supports SPKAC. You may implement your own format. See the documentation of the backend in use for details.

csr - hashref containing the database entry from the csr table
cert_identifier - the identifier of the issued certificate or pending
csr attributes

Besides the properties of the csr, the following attributes should be processed where applicable.
custom_requester_{name|gname|email} - information about the requester
cert_subject_alt_name - Nested Array with attributes for SAN section
notbefore|notafter - special validity


Submit a certificate renewal request. Same as issueCertificate but receives the certificate identifier of the originating certificate as second parameter.

csr - hashref containing the database entry from the csr table
cert_identifier - identifier of the originating certificate
cert_identifier - the identifier of the issued certificate or pending


This is only valid if issueCertificate or renewCertificate returned with a pending request and tries to fetch the requested certificate. If successful, the cert_identifier context parameter is populated with the identifier, otherwise the pending marker remains in the context. If the fetch finally failed, it should unset the cert_identifier.

cert_identifier - the identifier of the issued certificate


Request the ca to add this certificate to its revocation list. Expects the serial of the certificate revocation request. If the given reason is not supported by the backend, unspecified should be used.

crr_serial - the serial number of the certificate revocation request


Only valid after calling revokeCertificate. Check if the certificate revocation request was processed and set the status field in the certificate table to REVOKED/HOLD. The special state HOLD must be used only if the certificate is marked as certificateHold on the issued CRL or OCSP.



Remove a formerly revoked certificate from the revocation list. Expects the certificate identifier. Only allowed after certificateHold, sets the status field of the certificate status table back to ISSUED immediately.



Trigger issue of the crl and write it into the crl parameter. The parameter ca_alias contains the alias name of the ca token.

crl_serial - the serial number (key of the crl database) of the created crl or pending


Only valid after calling issueCRL, tries to fetch the new CRL. See issue/fetchCertificate for how to use the pending marker.

internal helper functions


Expects the name of the context field as parameter and returns the appropriate context value. Does not deserialize the content.


Expects the name of the context field and its new value.
Does not serialize the content.


Persist a certificate into the certificate table and store implementation specific information in the datapool. The first parameter is mandatory with all fields given below. The second parameter is serialized as is and stored in the datapool and can be retrieved later using __fetchPersistedCertificateInformation.

certificate - the PEM encoded certificate
ca_identifier - the identifier of the issuing ca
csr_serial - serial number of the processed csr
The certificate is expected to be an x509 structure. A pkcs7 container with the entity certificate and its chain is also accepted.

If the ca_identifier is not set, we try to autodetect it by searching the certificate table for a certificate which matches the authority key identifier. If the certificate has no authority key identifier set, the lookup is done on the issuer dn.


Return the hashref for a given certificate identifier stored within the datapool using __persistCertificateInformation.

Implementors Guide

The NICE API implements every operation in two individual steps to support asynchronously operating backends. If you are building a synchronous backend, you can omit the implementation of the second steps.

The activity definitions in OpenXPKI::Server::Workflow::Activity::NICE::* show the expected usage of the API functions.

issue/renew Certificate

The request information must be taken from the csr and csr_attributes t

The method must persist the certificate by calling __persistCertificateInformation and write the certificate's identifier into the context parameter cert_identifier.

If the request was dispatched but is still pending, the must be written into the cert_identifier context value. If cert_identifier is not set after execution, the workflow will call this method again.
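The two-step issue/fetch contract described above, as an added example that is not OpenXPKI code: a stand-alone model of an asynchronous backend and the activity that drives it. The package My::AsyncBackend, the helpers _get, _set and run_step, the csr_serial key in the csr hashref and all sample values are hypothetical, and $PENDING is a placeholder because this page does not give the real marker value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Placeholder only: the page does not state the real pending marker value.
my $PENDING = '<pending-marker>';

package My::AsyncBackend {    # hypothetical backend, not the project's class
    sub new {
        my $class = shift;
        return bless { ctx => {}, jobs => {}, polls => {} }, $class;
    }

    # Stand-ins for the context helper functions described above.
    sub _get { my ($self, $key) = @_; return $self->{ctx}{$key} }
    sub _set { my ($self, $key, $val) = @_; $self->{ctx}{$key} = $val }

    # Step 1: dispatch the request; the remote CA has not answered yet.
    sub issueCertificate {
        my ($self, $csr) = @_;
        $self->{jobs}{ $csr->{csr_serial} } = 'constructed-cert-id-001';
        $self->_set(csr_serial => $csr->{csr_serial});   # internal parameter
        return { cert_identifier => $PENDING };
    }

    # Step 2: poll; the constructed CA answers on the second poll.
    sub fetchCertificate {
        my ($self) = @_;
        my $serial = $self->_get('csr_serial');
        return { cert_identifier => $PENDING }
            if ++$self->{polls}{$serial} < 2;
        return { cert_identifier => delete $self->{jobs}{$serial} };
    }
}

# Stand-in for the surrounding activity: copy return values to the context.
sub run_step {
    my ($nice, $method, @args) = @_;
    my $ret = $nice->$method(@args);
    $nice->_set($_ => $ret->{$_}) for keys %$ret;
    return $nice->_get('cert_identifier');
}

my $nice  = My::AsyncBackend->new;
my $id    = run_step($nice, 'issueCertificate', { csr_serial => 42 });
my $tries = 0;
while (defined $id && $id eq $PENDING && $tries++ < 5) {   # bounded polling
    $id = run_step($nice, 'fetchCertificate');
}
print defined $id && $id ne $PENDING
    ? "issued: $id after $tries poll(s)\n"
    : "still pending or failed\n";
```

The polling loop is bounded and treats an unset cert_identifier as a final failure, so a backend that never answers cannot keep the caller waiting indefinitely.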


perl v5.20.3 OPENXPKI::SERVER::WORKFLOW::NICE (3) 2016-04-03
