From: ejbca-support <ejb...@pr...> - 2013-07-16 09:42:44
On 2013-07-16 11:05, Henrik wrote:
> Hi Anders,
>
> Thanks for the fast response!
>
>> AFAIK there is no such function since it is only applicable to low-volume certification systems.
>
> I got a use case where it would be very convenient, even for a high-volume PKI.

Hi Henrik,

I can only speak for myself but adding tons of RA functionality to EJBCA is maybe not the right way because RA schemes tend to be driven by local demands and associated "business logic". PrimeKey has developed several special-purpose RA systems and they all appear quite different. To configure If you have an Android phone you may even try one of them: https://mobilepki.org/scc

> Actually, I'm not sure that I understand the way EJBCA is supposed to be used for server certificates.
> So every End Entity is a server, hence needs an EJBCA user with login credentials. But if servers are administered by more than one administrator and if these administrators change continuously (someone leaves, someone joins), it would require sharing and managing login credentials for the EJBCA users that belong to these machines.

Yes, but doesn't that problem belong to any scheme requiring administrators?

> I'm currently "solving" this by building an external RA that uses the SOAP API of EJBCA.
> However, I find myself giving the RA more and more privileges, making it too complex and powerful.

In most scenarios an RA needs to be able to create and optionally revoke certificates. However, an RA does typically not have to adjust CA parameters or create new profiles (=policies). In most real-world usages, EJBCA administrators are more like system administrators who create CAs and profiles and integrate various RA stuff (and limit access from these).

> What I'm currently having is an interface that allows a user to log in and see a list of all EJBCA End Entities administered by that user.
> The user can then upload a new public key (as part of a CSR) to request a cert, which sends a request to EJBCA and also opens a ticket in our JIRA.
> *IF* EJBCA would require approval for that new public key, an EJBCA admin could now look at the JIRA ticket, review and approve the action in EJBCA and leave the ticket number as a comment in the approval (for reference). That way, it would be clear who requested which certificate and who approved the action.
> Though it seems I have to rework that workflow, in case I don't want to build the approval step into the external application as well.
>
> How would the official/intended way of requesting and signing server certificates look like,
> for machines that can be administrated by multiple changing administrators?

There's no official solution but it is common to have a group of trusted people who are allowed to issue server certificates. This is similar to having a group of administrators managing enterprise users in AD.

Cheers
Anders
tech support

>
> Kind regards,
> henrik
>
>
> On Mon, Jul 15, 2013 at 8:34 PM, ejbca-support <ejb...@pr...> wrote:
>
> On 2013-07-15 18:30, Henrik wrote:
>> Hello,
>>
>> is it possible to configure EJBCA so it requires an admin to approve certificate creation when receiving a CSR?
>> So when an approved user requests a certificate, I want to have an approval step for the public key in the CSR.
>> (I'm not referring to the approval of the End Entity, which can be configured via the certificate profile.)
>
> Hi,
> AFAIK there is no such function since it is only applicable to low-volume certification systems.
> However, you can inspect CSRs before using them with EJBCA.
>
> EJBCA can though automatically test public keys with respect to length if that is what you aim to do.
>
> Cheers
> Anders
> tech support
>
>> Kind regards,
>> Henrik
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
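Anders's remark that CSRs can be inspected before they are handed to EJBCA, and that public key length can be tested, as an added example that is not part of this thread and not EJBCA's own code: a small RA-side pre-check in Go that parses a PEM CSR, verifies its self-signature (proof that the requester holds the private key), rejects RSA moduli below a minimum, and returns the subject CN for the JIRA ticket or audit record. The function names, the RSA-only 2048-bit policy and the generated sample CSR are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// InspectCSR is an RA-side pre-check: parse a PEM CSR, verify its self-signature
// (proof the requester holds the private key) and reject RSA moduli shorter than
// minRSABits. On success it returns the subject CN for the ticket/audit record.
func InspectCSR(pemBytes []byte, minRSABits int) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature invalid, no proof of possession: %w", err)
	}
	rsaKey, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("policy accepts RSA keys only")
	}
	if bits := rsaKey.N.BitLen(); bits < minRSABits {
		return "", fmt.Errorf("RSA modulus is %d bits, policy minimum is %d", bits, minRSABits)
	}
	return csr.Subject.CommonName, nil
}

// MakeTestCSR builds a constructed sample CSR with a fresh RSA key of the given size; test helper only, errors ignored.
func MakeTestCSR(cn string, bits int) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() { // a 1024-bit key is rejected, a 2048-bit key is accepted
	fmt.Println(InspectCSR(MakeTestCSR("www.example.test", 1024), 2048))
	fmt.Println(InspectCSR(MakeTestCSR("www.example.test", 2048), 2048))
}
```

Accepted requests can then be forwarded to EJBCA (for instance via the SOAP API Henrik mentions) while the returned CN and the rejection reason go into the ticket.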