From: Tomas G. <to...@pr...> - 2013-07-16 12:11:32
Hi,

The username/password on the public web is not a login that can be shared. It is a one-time enrollment code (password).
Perhaps the self registration is something for you?
http://ejbca.org/adminguide.html#Self%20Registration

EJBCA can encompass almost any workflow. Most of them are not implemented directly in the GUI; it's too complicated for the users. If not available out of the box, you can easily implement it using the plug-in mechanism.
http://ejbca.org/adminguide.html#EJBCA%20Plugins

Cheers,
Tomas

Henrik <Hen...@Go...> wrote:
> Hi Anders,
>
> Thanks for the fast response!
>
> > AFAIK there is no such function since it is only applicable to low-volume
> > certification systems.
>
> I got a use case where it would be very convenient, even for a high-volume PKI.
>
> Actually, I'm not sure that I understand the way EJBCA is supposed to be used for server certificates.
> So every End Entity is a server, hence needs an EJBCA user with login credentials. But if servers are administered by more than one administrator and if these administrators change continuously (someone leaves, someone joins), it would require sharing and managing login credentials for the EJBCA users that belong to these machines.
>
> I'm currently "solving" this by building an external RA that uses the SOAP API of EJBCA.
> However, I find myself giving the RA more and more privileges, making it too complex and powerful.
>
> What I currently have is an interface that allows a user to log in and see a list of all EJBCA End Entities administered by that user.
> The user can then upload a new public key (as part of a CSR) to request a cert, which sends a request to EJBCA and also opens a ticket in our JIRA.
> *IF* EJBCA would require approval for that new public key, an EJBCA admin could now look at the JIRA ticket, review and approve the action in EJBCA and leave the ticket number as a comment in the approval (for reference).
> That way, it would be clear who requested which certificate and who approved the action.
> Though it seems I have to rework that workflow, in case I don't want to build the approval step into the external application as well.
>
> What would the official/intended way of requesting and signing server certificates look like, for machines that can be administered by multiple changing administrators?
>
> Kind regards,
> henrik
>
> On Mon, Jul 15, 2013 at 8:34 PM, ejbca-support <ejb...@pr...> wrote:
>
> > On 2013-07-15 18:30, Henrik wrote:
> > > Hello,
> > >
> > > is it possible to configure EJBCA so it requires an admin to approve
> > > certificate creation when receiving a CSR?
> > > So when an approved user requests a certificate, I want to have an
> > > approval step for the public key in the CSR.
> > > (I'm not referring to the approval of the End Entity, which can be
> > > configured via the certificate profile.)
> >
> > Hi,
> > AFAIK there is no such function since it is only applicable to low-volume
> > certification systems.
> > However, you can inspect CSRs before using them with EJBCA.
> >
> > EJBCA can though automatically test public keys with respect to length if
> > that is what you aim to do.
> >
> > Cheers
> > Anders
> > tech support
> >
> > > Kind regards,
> > > Henrik
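
Added example, not part of the original thread and not EJBCA code: a minimal model of the request/approve step Henrik describes for an external RA, in which each end entity has its own list of administrators (no shared login), the approver must be a different person from the requester, and the approval is bound to a hash of the uploaded CSR. All class, function and field names are hypothetical, the sample data is constructed, and the actual submission of the CSR to EJBCA is left out.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(csr: bytes) -> str:
    # Approval is bound to a SHA-256 of the CSR bytes exactly as uploaded.
    return hashlib.sha256(csr).hexdigest()

@dataclass
class Request:
    entity: str
    requester: str
    ticket: str
    approver: str = ""          # empty until a CA admin approves

@dataclass
class ApprovalGate:
    entity_admins: dict         # end entity -> set of its current administrators
    ca_admins: set              # people allowed to approve requests
    pending: dict = field(default_factory=dict)   # fingerprint -> Request
    audit: list = field(default_factory=list)     # who requested / approved what

    def request(self, user, entity, csr, ticket):
        if user not in self.entity_admins.get(entity, set()):
            raise PermissionError(f"{user} does not administer {entity}")
        fp = fingerprint(csr)
        self.pending[fp] = Request(entity, user, ticket)
        self.audit.append(("requested", entity, user, ticket, fp))
        return fp

    def approve(self, approver, fp, ticket):
        req = self.pending[fp]
        if approver not in self.ca_admins:
            raise PermissionError(f"{approver} may not approve")
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own key")
        if ticket != req.ticket:
            raise ValueError("ticket does not match the request")
        req.approver = approver
        self.audit.append(("approved", req.entity, approver, ticket, fp))

    def may_submit(self, entity, csr):
        # True only if exactly these CSR bytes were approved for this entity.
        req = self.pending.get(fingerprint(csr))
        return bool(req and req.entity == entity and req.approver)

# Constructed sample data: names, ticket id and CSR bytes are placeholders.
gate = ApprovalGate({"server01": {"alice", "bob"}}, {"carol"})
csr = b"constructed CSR bytes for server01"
fp = gate.request("alice", "server01", csr, "TICKET-1")
gate.approve("carol", fp, "TICKET-1")
print(gate.may_submit("server01", csr), gate.may_submit("server01", csr + b"x"))
```

With a gate like this in front of it, the RA only needs the privilege to submit requests that have already been approved, and the audit list records who requested and who approved each key.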