Hi Vamsi,
I still have not had the chance to check the patch (GERONIMO-2413) but I do
have a few questions form your first note.
4. can you select JKS or p12 in this step? I'm thinking in client certificates
-> HTTPS with Client Authentication scenario
5. in addition on entering the serial #, any chance to list the existing
certificates in the CertificateStore? maybe CN + Alias
N1. does that mean that the CSR will be provided as a text file (on a specific
location) and the portlet will pick them up and list them? if so, that would be
great and a similar structure should be in place for already signed
certificates.
N2. could you expand?
As for IE, I can't find a nice way to say what I think about IE and VBScripts. All I can
say is that probaly 80% or more ( just a wild guess ) of the users are using IE. Using
another browser to create/retrieve/export the certificate and then import it into IE does
not look like a healthy workaround. Can we add something else on the server side to
"fill-in-the-blanks" from IE?
Cheers!
Hernan
Vamsavardhana Reddy wrote:
Hi All,
I have not seen any replies to my last post :(
I have identified a few more function required. These are for the
work-flow a CA might want to follow:
1. List Requests: There should be two pages instead of one.
A) Listing of requests that are received and need to be
verified (once verified, the request will reach a second list)
B) Listing of requests that are verified and ready to be fulfilled.
2. Logging: CA should have a separate log of requests received,
verified, fulfilled, certificates revoked etc.
Comments? Suggestions? Pointers?
Thanks,
Vamsi
---------- Forwarded message ----------
From: *Vamsavardhana Reddy* < [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>
Date: Oct 6, 2006 11:59 AM
Subject: Certification Authority (CA) portlet
To: dev@geronimo.apache.org <mailto:dev@geronimo.apache.org>
Hi All,
I have uploaded a minimal version of Certification Authority (CA)
portlet to the JIRA. See
http://issues.apache.org/jira/browse/GERONIMO-2413 . The JIRA also has
some screenshots. I do not know if anyone has got a chance to try out
the portlet. Here is an overview of this portlet's functions.
1. Setup Certification Authority: The "CA home" page checks if the CA
has already been initialized. If not, it will provide access to only
this function viz. " Setup Certification Authority". This function
enables the user to provide details of CA's identity, algorithm
parameters for CA's keypair & signature algorithm, a serial number for
CA's self-signed certificate, validity period for CA's keypair and a
password to protect CA's privatekey. Once the details are submitted, a
keypair and self-signed certificate are generated and stored in
"ca-keystore". CA portlet uses KeyStoreGBean to manage its own keypair
and certificate.
2. Lock and Unlock CA: Once the CA is setup, upon a fresh login to
Geronimo Console, users will notice that the CA is in locked state.
"Unlock CA" function lets the user unlock the CA by providing CA's
privatekey password (provided at the time of CA setup). Once unlocked,
the user will have access to the CA functions. "Lock CA" function locks
the CA.
3. View CA Details: This function enables the user to see the details
of CA' certificate and the highest serial number used to by the CA.
Base 64 encoded certificate text on this screen can be copy+pasted into
a text file and sent to the requestor to designate this CA as trusted CA
in their software.
(Note: CA stores the serial number used at the time of setup and
increments it each time a certificate is to be issued.)
4. Issue New Certificate: This functions lets the CA issue a new
certificate by processing the Certificate Signing Request (CSR) text.
Upon pasting the CSR text into a textarea and submitting, a screen will
show the requestor name and public key details from the CSR and lets the
user enter validity period and select the signature algorithm. The next
screen will show all details and ask for confirmation. Once confirmed,
a certificate is issued and stored in a "CertificateStore". The screen
will show the details of the certificate issued. Base 64 encoded
certificate text on this screen can be copy+pasted into a text file and
sent back to the requestor.
5. View Issued Certificate: This function lets the user view a
previously issued certificate by providing the certificate serial number.
More work on the way:
After posting the patch to JIRA, I have found the necessity for a few
other functions:
N1. List Requests: This function will list all the certificate
requests that are waiting to be fulfilled and provide a link on each
request-id so that the user can click on the links (instead of entering
the csr text in a textarea) and proceed directly to entering certificate
validity details etc.
N2. Process a certificate request based on (Name Attributes +
SignedPublicKeyAndChallenge): Users requesting a certificate through
web browsers may not be able to submit a PKCS10 Certificate Request.
Netscape, Firefox (and other browsers??) support a KEYGEN form tag that
will let the browser, upon form submission, generate a key pair, combine
the PublicKey & a Challenge string and sign (this is the
SignedPublicKeyAndChallenge), encode this information in base64 and send
it along with other form fields. In this case, name attributes are not
part of a "signed" request and need to be collected separately.
N3. CA helper application: This application will be the interface for
users using their web browsers to request a certificate from the CA.
This application will have
a) A page with KEYGEN tag to receive SignedPublicKeyAndChallenge along
with name attribute values from the requestor.
b) A link using which the users can download and install CA's
certificate into their browsers as a trusted certificate.
c) A page from which the users can download and install the
certificate issued to them by the CA.
This application can store the requests so that the CA portlet can
pickup these and show in "List Requests" page.
To be explored:
How to do this KEYGEN equivalent through Internet Explorer? I know that
it requires some VBScript to generate a (PKCS10?) certificate request
through Internet Explorer. I have done this way back in 1998 and don't
remember any details now :o(
A work around would be to make the users use a browser supporting KEYGEN
tag to request and download their certificate. The certificate and
privatekey can then be exported and imported into IE. (I don't like
this work around. Or should this be the only option we provide??)
For later:
CRLs etc.
Any suggestions, comments? Anything I am missing? Am I heading in the
correct direction?
Thanks,
Vamsi
