batch mode
Brought to you by:
chris2511
As we have a huge amount of certificate to sign, I would request some features to add to this great tool:
It could be great to add the ability to sign multi CSR based on a template (GUI or CLI).
In addition, to avoid multiple certificates expiration at same time, it could be nice to add a delta on the expire date (in day) between each certificate in the batch mode.
Last point, as we use security token, the PIN should be ask only one time before the batch begin.
Best Regards,
And thanks for your great work!
Sébastien W.
This sounds like a bigger feature.
There are already some requests to automatically issue certificates/CRLs
probably via CMD-line.
Can you tell me more details and background?
Where do the CSR come from? (What is the workflow?)
How do you check that the requestor is permitted to receive a certificate?
Why is it a problem that multiple certificates expire at same time?
Is it sufficient to remember the PIN until the database gets closed?
Is a CMD-Line tool sufficient? and if yes, will you use it on windows, linux or Mac?
Christian
Hi Christian
Where do the CSR come from? (What is the workflow?)
CSR files comes from an USB key, and are imported in the database (which can be done in one time :)).
How do you check that the requestor is permitted to receive a certificate?
We sign only internal certificates.
Why is it a problem that multiple certificates expire at same time?
We had a big worry when the old certificates have expired (minutes of interval). The crt and key files have been renewed, but not our combined files (crt + key), I let you imagine the consequences ... :)
Is it sufficient to remember the PIN until the database gets closed?
I prefer when the batch is done.
Is a CMD-Line tool sufficient? and if yes, will you use it on windows, linux or Mac?
We plan to use XCA on a Linux live distro (Uuntu/Debian), CLI could be sufficient if it can be easly put in a script.
Best Regards,
Sébastien W.
Last edit: Sébastien WENSKE 2015-10-02
After thinking a little bit about this feature,
I think I'm going to implement sort of "Policy signing":
The CA owner once configures how the subject and extensions of PKCS#10 requests shall be handled and then you may batch sign more than one PKCS#10 requests.
I will inform you when a pre- version is ready for testing.
It will take some time. Maybe December or so.
I Don't know how much time I'll have in the next weeks to code on xca.
Thanks Christian, this is good news!
Did you received my email (02 Oct.) ?