Hi,
We have the following practice as a Government CA:
We revoke some certificates with reason "certificate hold" and after 48 hours we reactivate these certificates, because we have no reason to revoke them forever. We do this manually.
I have a question:
Is it possible to set up EJBCA to automatically reactivate certificates on hold after 48 hours?
Maybe we can develop some custom worker or script which uses "ejbcaClientToolBox.sh"?
Please give me advice or help me to do that!
Best Regards,
Plamen
Hi, as far as I can see the ejbcaClientToolBox.sh (WS cli) does not have the functionality to unrevoke a certificate (am I wrong?).
The regular cli (bin/ejbca.sh ra) has this functionality though. You can use this to create a service.
You can also create a custom service worker (http://ejbca.org/manual.html#Writing%20Customized%20Services) to create a service that runs in EJBCA and "unrevokes" certificates on hold after 48 hours.
Cheers,
Tomas
Hi Plamen,
You need to query the database for all revoked certificates with status on hold that have a revocationDate older than 48 hours. This is easiest to implement as a new Service Worker. Take a look at the existing workers in src/java/org.ejbca.core.model.services.workers/ for some examples. You can create an EJBCA Service with Custom Worker in the Admin GUI to avoid having to mess with the graphical interface.
Best Regards,
Johan
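The selection Johan describes, sketched as an added example that is not part of the original thread and is not EJBCA code. It runs against a constructed in-memory SQLite table; the table name `CertificateData`, its column names, the status value 40 for "revoked" and the storage of `revocationDate` as epoch milliseconds are assumptions to check against your own EJBCA schema. Reason code 6 is certificateHold in RFC 5280.

```python
import sqlite3

STATUS_REVOKED = 40            # assumed EJBCA status value for "revoked"
REASON_CERTIFICATE_HOLD = 6    # RFC 5280 CRLReason certificateHold
HOUR_MS = 60 * 60 * 1000
HOLD_MS = 48 * HOUR_MS

def holds_due_for_release(conn, now_ms, hold_ms=HOLD_MS):
    """Return (issuerDN, serialNumber) of certificates on hold for longer than hold_ms.

    Both the status and the reason are filtered, so a certificate revoked
    for any other reason (for example keyCompromise) is never selected.
    """
    cutoff = now_ms - hold_ms
    rows = conn.execute(
        "SELECT issuerDN, serialNumber FROM CertificateData "
        "WHERE status = ? AND revocationReason = ? AND revocationDate < ? "
        "ORDER BY revocationDate",
        (STATUS_REVOKED, REASON_CERTIFICATE_HOLD, cutoff),
    ).fetchall()
    return [(issuer, serial) for issuer, serial in rows]

def build_sample_db(now_ms):
    """Constructed sample rows, not taken from any real CA."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CertificateData (issuerDN TEXT, serialNumber TEXT, "
        "status INTEGER, revocationReason INTEGER, revocationDate INTEGER)"
    )
    ca = "CN=Constructed CA"
    conn.executemany(
        "INSERT INTO CertificateData VALUES (?, ?, ?, ?, ?)",
        [
            (ca, "1A01", 40, 6, now_ms - 49 * HOUR_MS),   # on hold 49 h: due
            (ca, "1A02", 40, 6, now_ms - 47 * HOUR_MS),   # on hold 47 h: not yet
            (ca, "1A03", 40, 1, now_ms - 72 * HOUR_MS),   # keyCompromise: never
            (ca, "1A04", 20, -1, -1),                     # active certificate
            (ca, "1A05", 40, 6, now_ms - 100 * HOUR_MS),  # on hold 100 h: due
        ],
    )
    return conn

if __name__ == "__main__":
    now = 1_700_000_000_000  # constructed "current time" in epoch milliseconds
    for issuer, serial in holds_due_for_release(build_sample_db(now), now):
        print(issuer, serial)
```

The returned issuer and serial number pairs are what a custom worker or a scheduled script would hand to whichever unrevoke mechanism is used.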
Hi Tomas,
I've checked ejbcaClientToolBox.sh (WS cli) and I've found out that the command revokecert has the option "REMOVEFROMCRL".
Maybe this is a way to reactivate a certificate on hold. I think it is not possible to check for all certificates on hold with the subcommand "checkrevokationstatus", because this command uses the serial number of the certificate.
I think a custom worker is the better idea.
Johan, thanks! Unfortunately I can't develop in Java :-) I have to find a Java developer.
Regards,
Plamen
removefromcrl might be possible. Haven't tried it but test.
Cheers,
Tomas