#86 batch mode

open
nobody
None
5
2015-10-26
2015-09-30
No

As we have a huge number of certificates to sign, I would request some features to add to this great tool:

It could be great to add the ability to sign multiple CSRs based on a template (GUI or CLI).
In addition, to avoid multiple certificates expiring at the same time, it could be nice to add a delta on the expiry date (in days) between each certificate in the batch mode.
Last point, as we use a security token, the PIN should be asked only one time before the batch begins.

Best Regards,
And thanks for your great work!
Sébastien W.

Discussion

  • Christian Hohnstaedt

    This sounds like a bigger feature.
    There are already some requests to automatically issue certificates/CRLs
    probably via CMD-line.

    Can you tell me more details and background?
    Where do the CSR come from? (What is the workflow?)
    How do you check that the requestor is permitted to receive a certificate?
    Why is it a problem that multiple certificates expire at the same time?
    Is it sufficient to remember the PIN until the database gets closed?
    Is a CMD-Line tool sufficient? And if yes, will you use it on Windows, Linux or Mac?

    Christian

     
  • Sébastien WENSKE

    Hi Christian

    Where do the CSR come from? (What is the workflow?)
    CSR files come from a USB key, and are imported into the database (which can be done in one go :)).

    How do you check that the requestor is permitted to receive a certificate?
    We sign only internal certificates.

    Why is it a problem that multiple certificates expire at the same time?
    We had a big worry when the old certificates expired (minutes apart). The crt and key files had been renewed, but not our combined files (crt + key); I'll let you imagine the consequences ... :)

    Is it sufficient to remember the PIN until the database gets closed?
    I prefer when the batch is done.

    Is a CMD-Line tool sufficient? And if yes, will you use it on Windows, Linux or Mac?
    We plan to use XCA on a Linux live distro (Ubuntu/Debian); a CLI could be sufficient if it can easily be put in a script.

    Best Regards,
    Sébastien W.

     

    Last edit: Sébastien WENSKE 2015-10-02
  • Christian Hohnstaedt

    After thinking a little bit about this feature,
    I think I'm going to implement sort of "Policy signing":
    The CA owner once configures how the subject and extensions of PKCS#10 requests shall be handled and then you may batch sign more than one PKCS#10 request.

    I will inform you when a pre-version is ready for testing.
    It will take some time. Maybe December or so.
    I don't know how much time I'll have in the next weeks to code on xca.

     
  • Sébastien WENSKE

    Thanks Christian, this is good news!
    Did you receive my email (02 Oct.)?

     
