Cert Safe Publisher for an HTTPS Server
This is an EJBCA Enterprise feature.
The CertSafePublisher publishes certificate issuance and life cycle events (revoke and unrevoke) to an HTTPS server. The HTTPS request body is a JSON object with the fields status, revocationReason and pem.
Example of the JSON object:
{
"status": "revoked",
"revocationReason": "keyCompromise",
"pem": "-----BEGIN CERTIFICATE-----\n
MIIDWTCCAkGgAwIBAgIIAZmQ+6dVVfgwDQYJKoZIhvcNAQEFBQAwOzEVMBMGA1UE\n
AwwMTWFuYWdlbWVudENBMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUxCzAJBgNVBAYT\n
AlNFMB4XDTE0MDMwNDEwNTEyM1oXDTE2MDMwMzEwNTEyM1owETEPMA0GA1UEAwwG\n
c3NsZm9vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2nqbOm3ocTTm\n
jU49UgP7ugnhg427zHaPdJjWuMt1ZopVzF/46EEsHIfxyGL59J3otgMEXXBJgJwC\n
QuZgtqfByAgKIWvrgcxBhvkCe6NRjNAJv0DPaxsEJRqpQEFxV3Eo24eOpN+mxWIm\n
6h3N3vTgaaDBQTQMvcb3MndJDWte4+HoBwMtuJdfRapIjcCIkyfiNJKkS4NMvYGw\n
G+lrReq4Za0Qhyqejjf4BB+QdE7xetZAtck9HAUlM28/zUuilPNeyftK7lR1Qcyp\n
MxIYo6YI2mDbSDre7pr21srZB5lBdOP3dAb5B5MFZ7d4qqljygEb0HuUXedqu4pj\n
8e4VNtv7EwIDAQABo4GKMIGHMB0GA1UdDgQWBBR3QlV5l7AvnfNN7D6sILhjMNHs\n
LTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMIAelgt0T0LdOBNNFKBKb5rcu4V\n
MA4GA1UdDwEB/wQEAwIF4DAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG\n
CCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQADfEI0DgJVBHe63YCC8AhLo+VX\n
Fudi97WmCJGfHMx42HaaQvHtIvvpCw8TUZ08k49gUv+qtRlznaKFQb02DjbWgyeY\n
TKuCwueiXhMIb7i4Af1+cMFrajBGOYrjYkbGGOwfyN8KcOrQxQk30vBf47DGRtX8\n
80fV12f1NWng1KD3ye7VcTnFQTkbwvZAT2aDQorqND8c7Pn8dEpPNnpP67EsLIvH\n
biLb4qeaMa0pr21cE2LMV7ZhdyNbziiITB2oNsrdLIcKeTGKqmGSLDec6N0DPnmb\n
NlJNaBcs77G2JSJfh908HEtaVqH+u5cKElV3pRSBbS9Z6DcAlwaC64G6tKs0\n
-----END CERTIFICATE-----"
}
The revocationReason is optional.
To use the Cert Safe Publisher, do the following:
Select Edit Publishers in the Administration GUI, create a new publisher and edit the settings:
Setting: Description
Publisher type: CertSafe Publisher
Class Path (not editable): org.ejbca.core.model.ca.publisher.CertSafePublisher
Publisher Properties:
CertSafe Server URL: URL in the format https://HOST:PORT/RELATIVE_PATH, for example https://certsafe.host.domain/PrimeKey/certificates
Authentication Key Binding for Connection: Name of the Authentication Key Binding used to authenticate (TLS) against the CertSafe server.
HTTPS connection timeout: Connection timeout. Default 10s.
Create the Authentication Key Binding first; it specifies the parameters used to establish the connection to the HTTPS server. For instructions on how to create an Authentication Key Binding, see Managing Internal Key Bindings.
Click Save and Test Connection to store and validate the configuration. Then select the publisher in the certificate profiles that should publish to it.
If an error occurs on the server, EJBCA expects the response to carry a JSON object with the key error. The error message is written to the log file. The following is an example of the error JSON object:
{
"error": "An error message from the server."
}
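As an added example that is not part of the EJBCA documentation or product, the following Python receiver implements the server side of the contract described above: it validates the published JSON object (status required, revocationReason optional, pem decoded and length-checked as DER), answers any failure with the {"error": ...} object that EJBCA logs, and requires a client certificate on the TLS connection, which is what the Authentication Key Binding supplies. The success body, the handler class and the certificate and CA file paths are assumptions, and the constructed sample request embeds the certificate from the JSON example on this page.

```python
import base64
import hashlib
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to DER and check the outer ASN.1 SEQUENCE length."""
    text = pem.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("pem is not a single PEM-encoded certificate")
    body = "".join(text[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    der = base64.b64decode(body, validate=True)
    # A certificate is a DER SEQUENCE (tag 0x30, long-form length) that must cover the whole blob.
    if len(der) < 4 or der[0] != 0x30 or not der[1] & 0x80:
        raise ValueError("pem payload is not a DER certificate")
    n = der[1] & 0x7F
    declared = int.from_bytes(der[2:2 + n], "big")
    if 2 + n + declared != len(der):
        raise ValueError("DER length mismatch: certificate truncated or padded")
    return der

def handle_certsafe_post(raw_body: bytes):
    """Validate one publisher request body and return (HTTP status, JSON response dict)."""
    try:
        event = json.loads(raw_body.decode("utf-8"))
    except ValueError as exc:  # covers both bad UTF-8 and bad JSON
        return 400, {"error": f"body is not valid JSON: {exc}"}
    if not isinstance(event, dict):
        return 400, {"error": "body must be a JSON object"}
    status = event.get("status")
    if not isinstance(status, str) or not status:
        return 400, {"error": "status must be a non-empty string"}
    reason = event.get("revocationReason")  # optional, per the documentation
    if reason is not None and not isinstance(reason, str):
        return 400, {"error": "revocationReason must be a string when present"}
    pem = event.get("pem")
    if not isinstance(pem, str):
        return 400, {"error": "pem must be a string"}
    try:
        der = pem_to_der(pem)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    # Storing the record is the real service's job; the receipt format below is an assumption.
    return 200, {"status": status, "revocationReason": reason,
                 "sha256": hashlib.sha256(der).hexdigest()}

def make_event(status: str, pem: str, reason=None) -> bytes:
    # Builds a body in the documented shape; json.dumps turns the PEM newlines into \n.
    event = {"status": status, "pem": pem}
    if reason is not None:
        event["revocationReason"] = reason
    return json.dumps(event).encode("utf-8")

class CertSafeHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        code, payload = handle_certsafe_post(self.rfile.read(length))
        out = json.dumps(payload).encode("utf-8")
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

# Constructed sample: the certificate is the one shown in the documentation's JSON example.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDWTCCAkGgAwIBAgIIAZmQ+6dVVfgwDQYJKoZIhvcNAQEFBQAwOzEVMBMGA1UE
AwwMTWFuYWdlbWVudENBMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUxCzAJBgNVBAYT
AlNFMB4XDTE0MDMwNDEwNTEyM1oXDTE2MDMwMzEwNTEyM1owETEPMA0GA1UEAwwG
c3NsZm9vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2nqbOm3ocTTm
jU49UgP7ugnhg427zHaPdJjWuMt1ZopVzF/46EEsHIfxyGL59J3otgMEXXBJgJwC
QuZgtqfByAgKIWvrgcxBhvkCe6NRjNAJv0DPaxsEJRqpQEFxV3Eo24eOpN+mxWIm
6h3N3vTgaaDBQTQMvcb3MndJDWte4+HoBwMtuJdfRapIjcCIkyfiNJKkS4NMvYGw
G+lrReq4Za0Qhyqejjf4BB+QdE7xetZAtck9HAUlM28/zUuilPNeyftK7lR1Qcyp
MxIYo6YI2mDbSDre7pr21srZB5lBdOP3dAb5B5MFZ7d4qqljygEb0HuUXedqu4pj
8e4VNtv7EwIDAQABo4GKMIGHMB0GA1UdDgQWBBR3QlV5l7AvnfNN7D6sILhjMNHs
LTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMIAelgt0T0LdOBNNFKBKb5rcu4V
MA4GA1UdDwEB/wQEAwIF4DAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG
CCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQADfEI0DgJVBHe63YCC8AhLo+VX
Fudi97WmCJGfHMx42HaaQvHtIvvpCw8TUZ08k49gUv+qtRlznaKFQb02DjbWgyeY
TKuCwueiXhMIb7i4Af1+cMFrajBGOYrjYkbGGOwfyN8KcOrQxQk30vBf47DGRtX8
80fV12f1NWng1KD3ye7VcTnFQTkbwvZAT2aDQorqND8c7Pn8dEpPNnpP67EsLIvH
biLb4qeaMa0pr21cE2LMV7ZhdyNbziiITB2oNsrdLIcKeTGKqmGSLDec6N0DPnmb
NlJNaBcs77G2JSJfh908HEtaVqH+u5cKElV3pRSBbS9Z6DcAlwaC64G6tKs0
-----END CERTIFICATE-----"""
SAMPLE_EVENT = make_event("revoked", SAMPLE_PEM, "keyCompromise")

if __name__ == "__main__":
    # Mutual TLS: require the client certificate EJBCA presents via its Authentication Key Binding (file paths are placeholders).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain("server-cert.pem", "server-key.pem")
    ctx.load_verify_locations(cafile="ejbca-client-ca.pem")
    srv = HTTPServer(("0.0.0.0", 8443), CertSafeHandler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

SAMPLE_EVENT can be passed to handle_certsafe_post() directly without starting the server. With the server running, the publisher's CertSafe Server URL points at it, and the certificate of EJBCA's Authentication Key Binding must chain to the CA loaded with load_verify_locations, otherwise the TLS handshake is refused before any JSON is read.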
To avoid certificates going missing in the CertSafe server when publishing fails (for example, because the network is down), it is recommended to configure a Publish Queue process service. For more information, see Publishers.