Manual Reference Pages  -  OPENXPKI::SERVER::WORKFLOW::NICE (3)


Name

OpenXPKI::Server::Workflow::NICE


Description

NICE is the Nice Interface for Certificate Enrollment. This class is just a stub to be inherited by your specialised backend class.

The mandatory input parameters are passed directly to the methods. The mandatory return values should be returned as a hash ref by the method call and are written to the context by the surrounding activity functions. The implementations are free to access the context to transport internal parameters.

API Functions

    issueCertificate

Submit a certificate request for a new certificate. The certificate request entry from the database is passed in as hashref.

Which properties are taken from the PKCS10 container, and which can be overridden by other means, depends heavily on the implementation. PKCS10 is the default format and should be supported by any backend; the default local backend also supports SPKAC. You may implement your own format. See the documentation of the backend in use for details.

Input
csr - hashref containing the database entry from the csr table
Output
cert_identifier - the identifier of the issued certificate or pending

csr attributes

Besides the properties of the csr, the following attributes should be processed where applicable.
custom_requester_{name|gname|email} - information about the requester
cert_subject_alt_name - Nested Array with attributes for SAN section
notbefore|notafter - special validity

    renewCertificate

Submit a certificate renewal request. Same as issueCertificate but receives the certificate identifier of the originating certificate as second parameter.

Input
csr - hashref containing the database entry from the csr table
cert_identifier - identifier of the originating certificate
Output
cert_identifier - the identifier of the issued certificate or pending

    fetchCertificate

Only valid if issueCertificate or renewCertificate returned with a pending request. Tries to fetch the requested certificate. If successful, the cert_identifier context parameter is populated with the identifier, otherwise the pending marker remains in the context. If the fetch finally failed, it should unset the cert_identifier.

Output
cert_identifier - the identifier of the issued certificate

    revokeCertificate

Request the ca to add this certificate to its revocation list. Expects the serial of the certificate revocation request. If the given reason is not supported by the backend, unspecified should be used.

Input
crr_serial - the serial number of the certificate revocation request

    checkForRevocation

Only valid after calling revokeCertificate. Check if the certificate revocation request was processed and set the status field in the certificate table to REVOKED/HOLD. The special state HOLD must be used only if the certificate is marked as certificateHold on the issued CRL or OCSP.

Input
cert_identifier

    unrevokeCertificate

Remove a formerly revoked certificate from the revocation list. Expects the certificate identifier. Only allowed after certificateHold, sets the status field of the certificate status table back to ISSUED immediately.

Input
cert_identifier

    issueCRL

Trigger issue of the crl and write it into the crl parameter. The parameter ca_alias contains the alias name of the ca token.

Input
ca_alias
Output
crl_serial - the serial number (key of the crl database) of the created crl or pending

    fetchCRL

Only valid after calling issueCRL, tries to fetch the new CRL. See issueCertificate/fetchCertificate for how to use the pending marker.

internal helper functions

    _get_context_param

Expects the name of the context field as parameter and returns the corresponding context value. Does not deserialize the content.

    _set_context_param

Expects the name of the context field and its new value. Does not serialize the content.

    __persistCertificateInformation

Persist a certificate into the certificate table and store implementation specific information in the datapool. The first parameter is mandatory with all fields given below. The second parameter is serialized as is and stored in the datapool and can be retrieved later using __fetchPersistedCertificateInformation.

certificate_information
certificate - the PEM encoded certificate
ca_identifier - the identifier of the issuing ca
csr_serial - serial number of the processed csr

The certificate is expected to be an x509 structure. A pkcs7 container with the entity certificate and its chain is also accepted.

If the ca_identifier is not set, we try to autodetect it by searching the certificate table for a certificate which matches the authority key identifier. If the certificate has no authority key identifier set, the lookup is done on the issuer dn.

    __fetchPersistedCertificateInformation

Return the hashref for a given certificate identifier stored within the datapool using __persistCertificateInformation.

Implementors Guide

The NICE API implements every operation in two individual steps to support asynchronously operating backends. If you are building a synchronous backend, you can omit the implementation of the second steps.

The activity definitions in OpenXPKI::Server::Workflow::Activity::NICE::* show the expected usage of the API functions.

issue/renew Certificate

The request information must be taken from the csr and csr_attributes t

The method must persist the certificate by calling __persistCertificateInformation and write the certificate's identifier into the context parameter cert_identifier.

If the request was dispatched but is still pending, the pending marker must be written into the cert_identifier context value. If cert_identifier is not set after execution, the workflow will call this method again.
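
The two-step issue/fetch contract for an asynchronous backend, as an added sketch that is not OpenXPKI's own code. Local::NICEStub stands in for the real base class so the script runs without OpenXPKI; Local::AsyncBackend, the backend_ticket context key, the queue, the csr row and the identifier are constructed, and the pending marker is assumed to be the literal string pending, as the Output descriptions suggest.

```perl
use strict;
use warnings;

# Stand-in for OpenXPKI::Server::Workflow::NICE so the sketch runs without
# an OpenXPKI installation; only the context accessors are modelled.
package Local::NICEStub;
sub new { return bless { context => {} }, shift }
sub _get_context_param { my ($self, $name) = @_; return $self->{context}{$name} }
sub _set_context_param { my ($self, $name, $value) = @_; $self->{context}{$name} = $value; return }

# Hypothetical asynchronous backend: a remote CA that answers on a later poll.
package Local::AsyncBackend;
our @ISA = ('Local::NICEStub');
my %remote_queue;    # constructed stand-in for the remote CA's request queue

sub issueCertificate {
    my ($self, $csr) = @_;
    # Step 1: dispatch the request and keep the ticket as an internal context value.
    my $ticket = 'ticket-' . $csr->{csr_serial};
    $remote_queue{$ticket} = { polls_left => 1, cert_identifier => 'CONSTRUCTED-ID-1' };
    $self->_set_context_param('backend_ticket', $ticket);
    return { cert_identifier => 'pending' };    # assumed marker value
}

sub fetchCertificate {
    my ($self) = @_;
    # Step 2: poll. Unknown ticket is a final failure, so cert_identifier is unset.
    my $job = $remote_queue{ $self->_get_context_param('backend_ticket') };
    return { cert_identifier => undef } unless $job;
    return { cert_identifier => 'pending' } if $job->{polls_left}-- > 0;
    # A real backend would call __persistCertificateInformation here.
    return { cert_identifier => $job->{cert_identifier} };
}

package main;
# Plays the role of the surrounding activity: copies the return hash into the context.
my $nice = Local::AsyncBackend->new;
my $csr  = { csr_serial => 42 };    # constructed csr table row
my $res  = $nice->issueCertificate($csr);
$nice->_set_context_param($_, $res->{$_}) for keys %$res;

while (($nice->_get_context_param('cert_identifier') // '') eq 'pending') {
    $res = $nice->fetchCertificate;
    $nice->_set_context_param($_, $res->{$_}) for keys %$res;
    printf "cert_identifier = %s\n", $res->{cert_identifier} // '(unset)';
}
```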



perl v5.20.3 OPENXPKI::SERVER::WORKFLOW::NICE (3) 2016-04-03
