Hi,

> Thanks! I'm on parole, horrible programming will put
> me back in jail though.
>
> Just checked SCEP, though I'm not too sure how to use
> it - routers, etc. use it, but what about Java
> applications? I found this: http://www.urut.ch/scep -
> how did you do it?

I checked it out and encountered a problem: the current Java code does
not handle chunked encoding. I was too lazy to fix it; at least
I filed a bug report to the developer but he did not answer at all.

Currently I am using sscep together with the OpenCA SCEP server.

I wrote a stand-alone Perl engine around sscep and OpenSSL that
will take care of automatically renewing (not requesting) already
existing certificates. It may be extended to support initial enrollment,
too.
It uses an object-oriented abstraction of "keystores", meaning the
collection of certificate and private key to be used by an application.
New keystore implementations can be created easily by writing a simple
Perl module that handles this keystore type.

It's in the testing phase and I am going to release it as
Open Source within the next weeks. The script engine will run
asynchronously to the main application and should be invoked once a
day (e.g. by cron). It will monitor the configured keystores and
take care of automatically replacing the keystore with renewed
certificates.

The script engine will run cross-platform on Unix, Windows, very likely
Tandem, and probably even z/OS. The design is modular and allows easy
extension for new keystore formats. Currently it supports OpenSSL and
IBM GSKit keystores, soon I will implement Java Keystore and Microsoft
certificate keystore format.
If possible, I'll try to add a RACF backend driver for the IBM
Mainframe platform as well, but I am scared to hell of this... :-)

> Have you heard of EJBCA? Or can Apache + mod_ssl act
> as a CA server?

Nope, haven't heard of it. mod_ssl cannot act as a CA, it only provides
SSL encryption for HTTP.

If you want to integrate automatic certificate request into an
EJB framework I think you will have to write the stuff yourself in
Java. The Java SCEP client should be a good starting point.

Consider if it's possible to have an asynchronous process (outside
the EJB system) running the renewal, but if you are within an EJB
system, you may not have access to the file system at all, right?

cheers

Martin
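The renewal engine Martin describes above (a cron-invoked process that polls a set of keystore objects, checks each certificate's expiry and swaps in a renewed certificate) can be sketched as follows. This is an added illustration, not Martin's Perl engine or the OpenCA/sscep code: the `Keystore` classes, the `renew` hook, the sample `notAfter` lines and the file paths are all constructed for the example. The only real external interface it relies on is the `notAfter=...` line that `openssl x509 -noout -enddate` prints, which the parser reads offline from canned strings.

```python
"""Cron-driven certificate renewal engine (added illustration, not Martin's code).

The engine polls a set of keystore objects, compares each certificate's expiry
with a renewal window and calls a renewal hook for those inside the window.
The keystore classes, sample dates, paths and hook are hypothetical.
"""
from __future__ import annotations

import datetime as dt
import os
import subprocess
from abc import ABC, abstractmethod
from typing import Callable, Dict, List, Optional

# Constructed sample output of `openssl x509 -noout -enddate -in <file>`;
# OpenSSL pads single-digit days with two spaces, which the parser handles.
SAMPLE_ENDDATE_LINES: Dict[str, str] = {
    "/etc/app/expiring.pem": "notAfter=Mar  3 12:00:00 2005 GMT",
    "/etc/app/fresh.pem": "notAfter=Dec 31 23:59:59 2006 GMT",
}


def parse_openssl_enddate(line: str) -> dt.datetime:
    """Turn OpenSSL's 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into a UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected enddate line: {line!r}")
    value = " ".join(value.split())  # collapse the double space before single-digit days
    parsed = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=dt.timezone.utc)


class Keystore(ABC):
    """Abstract 'certificate plus private key used by one application' (hypothetical)."""

    def __init__(self, location: str) -> None:
        self.location = location

    @abstractmethod
    def not_after(self) -> dt.datetime:
        """Expiry of the certificate currently installed."""

    @abstractmethod
    def install(self, new_cert_pem: bytes) -> None:
        """Replace the installed certificate with a renewed one."""


class OpenSSLKeystore(Keystore):
    """PEM files on disk, inspected through the openssl CLI (hypothetical backend).

    `enddate_lines` lets the example run offline by substituting canned
    `-enddate` output for the real openssl call.
    """

    def __init__(self, location: str, enddate_lines: Optional[Dict[str, str]] = None) -> None:
        super().__init__(location)
        self._canned = enddate_lines

    def not_after(self) -> dt.datetime:
        if self._canned is not None:
            line = self._canned[self.location]
        else:
            line = subprocess.run(
                ["openssl", "x509", "-noout", "-enddate", "-in", self.location],
                check=True, capture_output=True, text=True,
            ).stdout
        return parse_openssl_enddate(line)

    def install(self, new_cert_pem: bytes) -> None:
        # Write beside the old file and rename, so a crash never leaves a half-written cert.
        tmp = self.location + ".new"
        with open(tmp, "wb") as fh:
            fh.write(new_cert_pem)
        os.replace(tmp, self.location)


def due_for_renewal(store: Keystore, now: dt.datetime, window: dt.timedelta) -> bool:
    """True when the certificate expires within `window` of `now` (or already has)."""
    return store.not_after() - now <= window


def run_once(
    stores: List[Keystore],
    renew: Callable[[Keystore], bytes],
    now: dt.datetime,
    window: dt.timedelta = dt.timedelta(days=30),
) -> List[str]:
    """One cron invocation: renew every due keystore, return the locations renewed."""
    renewed: List[str] = []
    for store in stores:
        if due_for_renewal(store, now, window):
            store.install(renew(store))  # `renew` would wrap the sscep client in a real engine
            renewed.append(store.location)
    return renewed


def demo_plan(now: dt.datetime = dt.datetime(2005, 2, 15, tzinfo=dt.timezone.utc)) -> List[str]:
    """Which of the constructed sample keystores the engine would renew on `now`."""
    stores = [OpenSSLKeystore(p, SAMPLE_ENDDATE_LINES) for p in SAMPLE_ENDDATE_LINES]
    return [s.location for s in stores if due_for_renewal(s, now, dt.timedelta(days=30))]


if __name__ == "__main__":
    print(demo_plan())  # ['/etc/app/expiring.pem']
```

Adding a backend for another keystore format (GSKit, a Java keystore, a Windows certificate store) means subclassing `Keystore` and implementing the two methods; the scheduling and expiry policy in `run_once` stay untouched, which is the point of the abstraction Martin describes. The atomic write-then-rename in `install` matters in practice: a cron job that dies halfway through replacing a keystore must not leave the application with an unreadable certificate.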



_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users