From: Martin B. <vc...@cy...> - 2005-04-27 14:01:37
Hi,

> Thanks! I'm on parole, horrible programming will put
> me back in jail though.
>
> Just checked SCEP, though I'm not too sure how to use
> it - routers, etc. use it, but what about Java
> applications? I found this: http://www.urut.ch/scep -
> how did you do it?

I checked it out and encountered a problem: the current Java code does not handle chunked encoding. I was too lazy to fix it; at least I filed a bug report to the developer, but he did not answer at all.

Currently I am using sscep together with the OpenCA SCEP server. I wrote a stand-alone Perl engine around sscep and OpenSSL that will take care of automatically renewing (not requesting) already existing certificates. It may be extended to support initial enrollment, too. It uses an object-oriented abstraction of "keystores", meaning the collection of certificate and private key to be used by an application. New keystore implementations can be created easily by writing a simple Perl module that handles this keystore type.

It's in the testing phase and I am going to release it as Open Source within the next weeks.

The script engine will run asynchronously to the main application and should be invoked once a day (e.g. by cron). It will monitor the configured keystores and take care of automatically replacing the keystore with renewed certificates.

The script engine will run cross-platform on Unix, Windows, very likely Tandem, and probably even zOS. The design is modular and allows easy extension for new keystore formats. Currently it supports OpenSSL and IBM GSKit keystores; soon I will implement Java Keystore and Microsoft certificate keystore format. If possible, I'll try to add a RACF backend driver for the IBM Mainframe platform as well, but I am scared to hell of this... :-)

> Have you heard of EJBCA? Or can Apache + mod_ssl act
> as a CA server?

Nope, haven't heard of it. mod_ssl cannot act as a CA, it only provides SSL encryption for HTTP.

If you want to integrate automatic certificate request into an EJB framework, I think you will have to write the stuff yourself in Java. The Java SCEP client should be a good starting point. Consider if it's possible to have an asynchronous process (outside the EJB system) running the renewal, but if you are within an EJB system you may not have access to the file system at all, right?

cheers
Martin
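As an added illustration of the design sketched in the message above (not Martin's Perl engine, which is not shown here), here is the same idea in Python: an abstract keystore with an OpenSSL PEM backend, and a once-a-day pass that reads each certificate's notAfter via `openssl x509 -enddate` and installs renewed material when the expiry falls inside the window. File paths, the 30-day window and the `renew` callback (where a wrapper around sscep would sit) are hypothetical.

```python
import os
import subprocess
from datetime import datetime, timezone

class Keystore:
    """Abstract 'keystore': the certificate + private key one application uses."""
    def __init__(self, name):
        self.name = name
    def not_after(self):
        """Expiry of the held certificate as an aware UTC datetime."""
        raise NotImplementedError
    def replace(self, cert_pem, key_pem):
        """Swap in renewed material without ever exposing a half-written store."""
        raise NotImplementedError

def parse_enddate(line):
    """Parse 'notAfter=Apr 27 14:01:37 2006 GMT' as printed by `openssl x509 -enddate`."""
    value = " ".join(line.split("=", 1)[1].split())  # collapse the padding before 1-digit days
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

class OpenSSLKeystore(Keystore):
    """PEM certificate and key files (hypothetical paths supplied by the caller)."""
    def __init__(self, name, cert_path, key_path):
        super().__init__(name)
        self.cert_path, self.key_path = cert_path, key_path
    def not_after(self):
        out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", self.cert_path],
                             capture_output=True, text=True, check=True).stdout
        return parse_enddate(out)
    def replace(self, cert_pem, key_pem):
        for path, data in ((self.key_path, key_pem), (self.cert_path, cert_pem)):
            tmp = path + ".new"
            fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # key never world-readable
            with os.fdopen(fd, "w") as fh:
                fh.write(data)
            os.replace(tmp, path)  # atomic rename: the application sees the old file or the new one

def days_left(keystore, now):
    return (keystore.not_after() - now).days

def run_once(keystores, renew, window_days=30, now=None):
    """One cron-driven pass: renew every keystore whose certificate expires within the window.
    `renew(keystore)` is the caller's SCEP step (e.g. a wrapper around sscep) and must
    return (cert_pem, key_pem); the engine only decides *when* and installs the result."""
    now = now or datetime.now(timezone.utc)
    renewed = []
    for ks in keystores:
        if days_left(ks, now) <= window_days:
            ks.replace(*renew(ks))
            renewed.append(ks.name)
    return renewed
```

Two files still mean two renames, so if the key pair is regenerated a crash between them leaves a mismatched pair; a single-file container such as PKCS#12, or rewriting the key only when it actually changed, closes that gap.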