An issue tracking system (also ITS, trouble ticket system, support ticket, request management or incident ticket system) is a computer software package that manages and maintains lists of issues, as needed by an organization.
EJBCA can be configured in a million ways but not all configurations make sense. We should implement an issue tracking system which scans for known misconfigurations to help administrators detect problems with their EJBCA installation. Issues can be shown in the CA Web (e.g. as notifications), be provided over the REST API or logged using Log4j.
An issue checker can be represented with the following interfaces:
Examples of issues we could implement are:
- Warn if CT is not enabled
- Warn if the minimum number of SCTs for a certificate profile is less than the value mandated by Google's CT policy
- Warn if ECC or RSA key validators are missing
- Warn if there is no CRL Updater Service
- Warn if there are External VAs present but no Validation Authority Peer Publisher
- Warn if the queue of a publisher is filling up
- Warn if there are missing indices in the database (is this possible?)
- Warn if database protection is disabled or a test key is used
- Warn if a root CA is not offline (exclude Management CA)
- Warn if the disk is filling up
- Warn if the server certificate is about to expire.
- Warn about role members (that are matching by serial numbers) whose certificates are about to expire, and there's no more recent certificate with the same Subject DN or username.
- Warn about Internal Key Bindings' bound certificates that are about to expire
- Warn if the server certificate does not have a DNS Name, or if the hostname is "localhost", and incoming peer connections are enabled.
There should be some smart strategy to apply filtering, test for high-priority issues first and do some caching in the UI to avoid scanning for issues to often.