Ejbca and CSR Approbation

Hello,

I'm currently working on an ejbca demonstration.

The CSR approbation is a feature I would like to demonstrate, but I do not know if it's possible to do so with EJBCA (at least I do not know how to do it).

I have created an end entity profile and a certificate profile to manage server certificates.

I would like that the certificate requesters have their request being approved by an ejbca administrator before they could download their new certificate.

Currently, when I'm testing it, I go to the public pages => create certificate from CSR, use my end entity user credentials, add the csr, and when I click on the "OK button", I get directly the certificate file ".pem".

How could I add a validation (approbation) step between the csr submission and the certificate download?

Thanks in advance for your help!

Regards,
Maxime

Re: Ejbca and CSR Approbation

Hello Maxime,

EJBCA has a concept called approvals that I think is similar but not exactly what you are looking for:
http://www.ejbca.org/manual.html#Approving%20Actions

You could then configure the certificate profile to require approval when adding an end entity. The request for adding a new end entity will then have to be approved by another administrator and only after that can the certificate be downloaded by the user.

However this validation step is before the end entity is created and not after the CSR is submitted.

What do you want to have validated at the time of CSR submission?

The parts that will go into the certificate are taken from the certificate profile and only the public key is read from the CSR so I am not sure if there is anything more to validate.

Best Regards,
Markus

Re: Ejbca and CSR Approbation

It is also possible to build custom workflows using the approval mechanism. We have done such work-flows before where the actual CSR is submitted as a first step and kept across when the administrator approves the addition of the end entity.

(This was done in a project and we never got clearance to release the external code under LGPL unfortunately.)

It wasn't much though and simply demonstrates that you can custom build almost any work-flow with a jsp page and a servlet.

/Tomas
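
The workflow described in the message above, where the CSR is submitted first and held until another administrator approves it, modelled as an added example (not part of the original thread and not EJBCA code; it calls no EJBCA API). The class and method names, the SHA-256 binding between the approval and the held CSR, and the sample CSR bytes are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder bytes, not a real PKCS#10 request.
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\n(constructed)\n-----END CERTIFICATE REQUEST-----\n"

class WorkflowError(Exception):
    """A step was attempted out of order or by the wrong party."""

@dataclass
class PendingRequest:
    username: str            # end entity to be added once approved
    requester: str           # who submitted the CSR
    csr_pem: bytes           # the CSR held until the decision
    csr_sha256: str          # fingerprint the approver reviews
    state: str = "WAITING"   # WAITING -> APPROVED or REJECTED -> ISSUED
    approver: str = ""

class ApprovalQueue:
    """Hypothetical model of a CSR-first approval workflow."""
    def __init__(self, admins):
        self.admins = set(admins)
        self.requests = {}

    def submit(self, username, requester, csr_pem):
        # A resubmission replaces the held CSR and resets the state to WAITING,
        # so an earlier approval never carries over to different key material.
        fp = hashlib.sha256(csr_pem).hexdigest()
        self.requests[username] = PendingRequest(username, requester, csr_pem, fp)
        return fp

    def decide(self, username, admin, approve, reviewed_fp):
        req = self._get(username, "WAITING")
        if admin not in self.admins:
            raise WorkflowError("not an administrator")
        if admin == req.requester:
            raise WorkflowError("requester cannot approve their own request")
        if reviewed_fp != req.csr_sha256:
            raise WorkflowError("held CSR differs from the one reviewed")
        req.state, req.approver = ("APPROVED" if approve else "REJECTED"), admin

    def release_for_issuance(self, username):
        # Hands the held CSR to the issuing step exactly once, only after approval.
        req = self._get(username, "APPROVED")
        req.state = "ISSUED"
        return req.csr_pem

    def _get(self, username, expected_state):
        req = self.requests.get(username)
        if req is None or req.state != expected_state:
            raise WorkflowError(f"{username}: request is not {expected_state}")
        return req
```
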

RE : Ejbca and CSR Approbation

Ok, thanks for your explanation.

So if I understand well, this leaves me two options:

1) Tweak a bit the certificate issuance process:
- Step 1: the server responsible has a browser certificate to access an administration page of ejbca (with rights limited to create/edit end-entity). He creates an end-entity corresponding to his server.
- Step 2: an administrator of EJBCA validates the end-entity creation.
- Step 3: the server responsible authenticates to the ejbca public pages with the end entity credentials and can then generate a certificate while providing the public key in a csr, or generate a PKCS12 and let EJBCA create and store the bi-key.

2) Modify the code to implement the csr validation workflow.

The first option seems easier, I have to see now how I can handle the other processes: renewal (with approbation), revocation and regeneration...

Let me know if I'm wrong.

Regards,
Maxime VERAC

________________________________

From: Tomas Gustavsson [mailto:tomas@...]
Date: Mon. 26/10/2009 12:45
To: ejbca-develop@...
Subject: Re: [Ejbca-develop] Ejbca and CSR Approbation

Re: RE : Ejbca and CSR Approbation

Hi,

I think you are right. The approval settings in EJBCA also handle renewal (edit end entity) and revocation.

Regards,
Tomas