EJBCA / ECA-2172

Storing of a secret not allowed to be in the certificate in a DB, with a mapping to a field in the certificate.

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 4.0.2
    • Component/s: PKI core
    • Labels: None

      Description

      Currently there is an extension in the EJBCA OCSP responder that fetches a secret from a DB, keyed by the serialNumber (SN) in the DN of the certificate.
      This functionality is called UNID (unique ID) lookup.
      The secret, called FNR, is not allowed to be in the certificate for user integrity reasons.

      This feature will write FNR mapped to UNID to a DB when certificates are produced by the CMP protocol.

      Requirements:

      1. The table is assumed to be identical to that of the OCSP UNID/FNR implementation

      2. The certificate request is assumed to be performed with CMP

      3. The UNID feature is activated through the following settings in "cmp.properties":

      cmp.ra.certificateprofile=KeyId
      cmp.uniddatasource=[as in OCSP]

      4. The EJBCA UNID feature is tested through an external JUnit test in the same way as the OCSP UNID feature.

      5. Detailed operation:

      • A CMP Certificate Request is performed with KeyId holding a Certificate
        Profile with the name "pppp-pppp-..."
      • The Certificate Request contains a DN serialNumber attribute holding
        the 11-digit FNR + 5-digit LRA according to the following:

      Subject DN: CN=Alexander Rybak, serialNumber=fffffffffff-lllll, C=NO

      • Now EJBCA is supposed to create a random 6-character alphanumeric
        string "rrrrrr" and rewrite the Subject DN so that the resulting certificate will be like:

      Subject DN: CN=Alexander Rybak, serialNumber=pppp-pppp-lllllrrrrrr, C=NO

      In the database, FNR is set to "fffffffffff" and UNID to "pppp-pppp-lllllrrrrrr".

      UNID is a primary key in the DB to guarantee that it is unique.
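The operation described in points 1 to 5 above, as an added example that is not EJBCA's own code. It parses the request DN, validates the 11-digit FNR and 5-digit LRA layout, draws the 6-character suffix from a CSPRNG, stores the FNR keyed by UNID (primary key) and rewrites the serialNumber so the FNR never reaches the certificate. The table name UnidFnrMapping, the column names, the in-memory SQLite store, the sample DN values and the assumption that the profile name is used verbatim as the UNID prefix are all constructed for this example; the DN parser assumes no escaped commas in attribute values.

```python
"""Added example (not EJBCA code): the CMP FNR/UNID mapping described in ECA-2172."""
import re
import secrets
import sqlite3
import string
from typing import Callable, List, Optional, Tuple

# Assumed layout of the incoming serialNumber: 11-digit FNR, hyphen, 5-digit LRA.
_SERIAL_RE = re.compile(r"^(?P<fnr>\d{11})-(?P<lra>\d{5})$")
_ALNUM = string.ascii_letters + string.digits


def new_mapping_db() -> sqlite3.Connection:
    """In-memory stand-in for the OCSP UNID/FNR table (names assumed); UNID is the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS UnidFnrMapping (unid TEXT PRIMARY KEY, fnr TEXT NOT NULL)"
    )
    return conn


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs. Assumes values contain no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, value))
    return pairs


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    return ", ".join(f"{attr}={value}" for attr, value in pairs)


def random_suffix() -> str:
    """Six alphanumeric characters from the OS CSPRNG, never from random.random()."""
    return "".join(secrets.choice(_ALNUM) for _ in range(6))


def issue_unid(
    conn: sqlite3.Connection,
    request_dn: str,
    profile_name: str,
    suffix_fn: Callable[[], str] = random_suffix,
    max_attempts: int = 5,
) -> Tuple[str, str]:
    """Store FNR under a fresh UNID and return (rewritten DN, UNID)."""
    pairs = parse_dn(request_dn)
    idx = next((i for i, (a, _) in enumerate(pairs) if a.lower() == "serialnumber"), None)
    if idx is None:
        raise ValueError("request DN has no serialNumber attribute")
    match = _SERIAL_RE.match(pairs[idx][1])
    if not match:
        raise ValueError("serialNumber is not <11-digit FNR>-<5-digit LRA>")
    fnr, lra = match.group("fnr"), match.group("lra")

    for _ in range(max_attempts):
        unid = f"{profile_name}{lra}{suffix_fn()}"
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute("INSERT INTO UnidFnrMapping (unid, fnr) VALUES (?, ?)", (unid, fnr))
        except sqlite3.IntegrityError:
            continue  # UNID already taken: the primary key guarantees uniqueness, draw again
        new_pairs = list(pairs)
        new_pairs[idx] = ("serialNumber", unid)
        new_dn = format_dn(new_pairs)
        if fnr in new_dn:  # defensive check: the secret must never end up in the certificate
            raise RuntimeError("FNR leaked into the rewritten DN")
        return new_dn, unid
    raise RuntimeError("could not allocate a unique UNID")


def lookup_fnr(conn: sqlite3.Connection, unid: str) -> Optional[str]:
    """What the OCSP UNID extension does: resolve the UNID from the certificate to the FNR."""
    row = conn.execute("SELECT fnr FROM UnidFnrMapping WHERE unid = ?", (unid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = new_mapping_db()
    # Constructed request DN in the ticket's layout; the digits are sample values.
    dn, unid = issue_unid(db, "CN=Alexander Rybak, serialNumber=01020312345-12345, C=NO", "pppp-pppp-")
    print(dn)
    print(unid, "->", lookup_fnr(db, unid))
```

The collision loop matters because the 6-character suffix is short: a duplicate UNID must be rejected by the primary key and redrawn rather than silently overwriting another user's FNR.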

            People

            Assignee: Lars Silvén
            Reporter: Lars Silvén
            Votes: 0
            Watchers: 1