FreeBSD Manual Pages


OpenXPKI::Server::Workflow::NICE(3)  User Contributed Perl Documentation  OpenXPKI::Server::Workflow::NICE(3)


       NICE is the Nice Interface for Certificate Enrollment. This class is
       just a stub to be inherited by your specialised backend class.

       The mandatory input parameters are passed directly to the methods, while
       the mandatory return values should be returned as a hash ref by the
       method call and are written to the context by the surrounding activity
       functions.  The implementations are free to access the context to
       transport internal parameters.

API Functions
       Submit a certificate request for a new certificate. The certificate
       request entry from the database is passed in as a hashref.

       Note that it highly depends on the implementation which properties are
       taken from the pkcs10 container and which can be overridden by other
       means.  PKCS10 is the default format which should be supported by any
       backend; the default local backend also supports SPKAC. You may
       implement your own format.  See documentation of the used backend for


       csr - hashref containing the database entry from the csr table


       cert_identifier - the identifier of the issued certificate or pending

       csr attributes

       Besides the properties of the csr, following attributes should be
       processed where applicable.

       custom_requester_{name|gname|email} - information about the requester
       cert_subject_alt_name - Nested Array with attributes for SAN section
       notbefore|notafter - special validity

       Submit a certificate renewal request. Same as issueCertificate but
       receives the certificate identifier of the originating certificate as
       second parameter.


       csr - hashref containing the database entry from the csr table
       cert_identifier - identifier of the originating certificate


       cert_identifier - the identifier of the issued certificate or pending

       This is only valid if issueCertificate or renewCertificate returned
       with a pending request; it tries to fetch the requested certificate. If
       successful, the cert_identifier context parameter is populated with the
       identifier, otherwise the pending marker remains in the context.  If
       the fetch finally failed, it should unset the cert_identifier.


       cert_identifier - the identifier of the issued certificate

       Request the ca to add this certificate to its revocation list. Expects
       the serial of the certificate revocation request.  If the given reason
       is not supported by the backend, "unspecified" should be used.


       crr_serial - the serial number of the certificate revocation request

       Only valid after calling revokeCertificate.  Check if the certificate
       revocation request was processed and set the status field in the
       certificate table to REVOKED/HOLD. The special state HOLD must be used
       only if the certificate is marked as "certificateHold" on the issued
       CRL or OCSP.



       Remove a formerly revoked certificate from the revocation list. Expects
       the certificate identifier. Only allowed after "certificateHold"; sets
       the status field of the certificate status table back to ISSUED.



       Trigger issue of the crl and write it into the "crl" parameter.  The
       parameter ca_alias contains the alias name of the ca token.




       crl_serial - the serial number (key of the crl database) of the created
       crl or pending

       Only valid after calling issueCRL; tries to fetch the new CRL.  See
       issue/fetchCertificate for how to use the pending marker.

internal helper functions
       Expects the name of the context field as parameter and returns the
       appropriate context value. Does not deserialize the content.

       Expects the name of the context field and its new value.
       Does not serialize the content.

       Persist a certificate into the certificate table and store
       implementation specific information in the datapool. The first
       parameter is mandatory with all fields given below. The second
       parameter is serialized "as is" and stored in the datapool and can be
       retrieved later using "__fetchPersistedCertificateInformation".


       certificate - the PEM encoded certificate
       ca_identifier - the identifier of the issuing ca
       csr_serial - serial number of the processed csr

       The certificate is expected to be an x509 structure. A pkcs7 container
       with the entity certificate and its chain is also accepted.

       If the ca_identifier is not set, we try to autodetect it by searching
       the certificate table for a certificate which matches the authority key
       identifier.  If the certificate has no authority key identifier set,
       the lookup is done on the issuer dn.

       Return the hashref for a given certificate identifier stored within
       the datapool using "__persistCertificateInformation".

Implementors Guide
       The NICE API implements every operation in two individual steps to
       support asynchronously operating backends. If you are building a
       synchronous backend, you can omit the implementation of the second

       The activity definitions in
       OpenXPKI::Server::Workflow::Activity::NICE::* show the expected usage
       of the API functions.

issue/renew Certificate
       The request information must be taken from the csr and csr_attributes t

       The method must persist the certificate by calling
       __persistCertificateInformation and write the certificate's identifier
       into the context parameter cert_identifier.

       If the request was dispatched but is still pending, the must be
       written into the cert_identifier context value. If cert_identifier is
       not set after execution, the workflow will call this method again.
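
       The two-step issue/fetch contract described above, as an added
       sketch in plain Perl (not OpenXPKI's own code and not a subclass of
       the real NICE class). Example::AsyncBackend, the '<pending-marker>'
       placeholder value, the three-poll delay, the retry cap and the sample
       csr are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Assumption: placeholder for the pending marker; the real value is defined
# by OpenXPKI and is not given on this page.
my $PENDING = '<pending-marker>';

package Example::AsyncBackend {
    # Hypothetical backend that needs several polls before a cert is ready.
    sub new { my ($class) = @_; return bless { queue => {} }, $class }

    # Step 1: dispatch the request and report it as pending.
    sub issueCertificate {
        my ($self, $csr) = @_;
        die "csr must be a hashref with csr_serial\n"
            unless ref $csr eq 'HASH' && defined $csr->{csr_serial};
        $self->{queue}{ $csr->{csr_serial} } = 0;
        return { cert_identifier => $PENDING };
    }

    # Step 2: poll. Returns the identifier when ready, keeps the pending
    # marker while waiting, and unsets cert_identifier on final failure.
    sub fetchCertificate {
        my ($self, $csr) = @_;
        my $serial = $csr->{csr_serial};
        return { cert_identifier => undef }
            unless exists $self->{queue}{$serial};      # unknown request
        return { cert_identifier => $PENDING }
            if ++$self->{queue}{$serial} < 3;           # still processing
        delete $self->{queue}{$serial};
        return { cert_identifier => "constructed-id-$serial" };
    }
}

# Stand-in for the surrounding activity: it copies the returned hashref
# into the workflow context, as the description above requires.
my %context;
my $backend = Example::AsyncBackend->new;
my $csr     = { csr_serial => 4711 };                   # constructed sample

%context = (%context, %{ $backend->issueCertificate($csr) });
my $polls = 0;
while (defined $context{cert_identifier}
       && $context{cert_identifier} eq $PENDING) {
    die "backend never answered, giving up\n" if ++$polls > 10;
    %context = (%context, %{ $backend->fetchCertificate($csr) });
}
print defined $context{cert_identifier}
    ? "issued $context{cert_identifier} after $polls polls\n"
    : "fetch failed, cert_identifier unset\n";
```

       The retry cap in the driver loop is a choice of this example: it
       keeps a backend that never leaves the pending state from being
       polled indefinitely.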

perl v5.24.1                      2017-07-0                      OpenXPKI::Server::Workflow::NICE(3)
