CA Management Overview

This section details the comprehensive Certificate Authority (CA) management features of the system, covering the full lifecycle of Root and Intermediate CAs.

Key Functionalities

CA Listing and Filtering

  • Endpoint: /ca
  • Description: Displays a paginated list of Certificate Authorities.
  • Filters:
    • type: Filter by CA type (root or intermediate).
    • status: Filter by CA status (active or inactive).
    • search: Search by CA name or common_name.
  • Access Control: Non-admin users can only view CAs they have explicit access to.

CA Creation

  • Endpoints:
    • GET /ca/create: Displays the CA creation form.
    • POST /ca: Submits data to create a new CA.
  • CA Types: Supports creation of both Root and Intermediate CAs.
  • Intermediate CA Requirements:
    • Must specify a parent_ca_id.
    • If the parent CA's private key is password-protected, parent_ca_password is required for decryption during intermediate CA creation.
  • Cryptographic Options:
    • Key Algorithms: rsa-3072, rsa-4096, ecc-p256, ecc-p384.
    • Hash Algorithms: sha256, sha384.
    • Private Key Encryption: aes128, aes256.
  • Validity Period: Configurable in days, with predefined presets.
  • Initial Password: An optional initial_password can be set for the new CA, which implies a "very secure" trust level for its private key.
  • Audit Logging: Records CA creation and initial password setup events.

CA Details and Statistics

  • Endpoint: /ca/{ca}
  • Description: Displays detailed information about a specific CA, including its parent and child CAs, and associated certificates.
  • Statistics: Provides counts for total, active, revoked, and expired certificates issued by the CA.

CA Updates

  • Endpoints:
    • GET /ca/{ca}/edit: Displays the CA editing form.
    • PUT/PATCH /ca/{ca}: Submits data to update an existing CA.
  • Updatable Fields:
    • name
    • crl_distribution_points (URL)
    • ocsp_url (URL)
    • estimated_certificate_count
    • certificate_warning_threshold
  • Feature Toggles:
    • is_active: Activate or deactivate the CA.
    • requires_manual_approval: Enable/disable manual approval for certificates issued by this CA.
    • acme_public_enabled: Enable/disable public ACME issuance for this CA.
    • auto_renewal_enabled: Enable/disable automatic certificate renewal.
    • auto_renewal_days_before: Number of days before expiration to attempt auto-renewal.
    • auto_renewal_max_attempts: Maximum attempts for auto-renewal.
  • Audit Logging: Records CA update events.

CA Asset Downloads

  • Download Certificate: GET /ca/{ca}/download-certificate - Downloads the CA's public certificate (.crt file).
  • Download Certificate Chain: GET /ca/{ca}/download-certificate-chain - Downloads the full certificate chain (.crt file).
  • Download CRL: GET /ca/{ca}/download-crl - Generates and downloads the Certificate Revocation List (.pem file) for the CA, listing all revoked certificates. The CRL includes a Next Update field set to 30 days from generation.

CA Revocation

  • Endpoint: POST /ca/{ca}/revoke
  • Description: Marks a CA as inactive (is_active = false).
  • Precondition for Deletion: An active CA cannot be deleted; it must be revoked first.
  • Audit Logging: Records CA revocation events.

CA Deletion

  • Endpoint: DELETE /ca/{ca}
  • Description: Permanently deletes a CA from the system.
  • Strict Deletion Policy:
    • The CA must be inactive (is_active = false).
    • The CA must not have any active certificates, nor any revoked certificates that have not been soft-deleted. All associated certificates must be soft-deleted first.
    • The CA must not have any child CAs.
  • Audit Logging: Records CA deletion events.
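
The strict deletion policy above, written out as a precondition check. This is an added example, not the product's own code: the in-memory model, class names and function names are hypothetical (only is_active comes from this page), and it assumes "all associated certificates must be soft-deleted first" is meant literally.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical in-memory model: only is_active is a name taken from the page.
@dataclass
class Certificate:
    serial: str
    status: str                  # "active", "revoked" or "expired"
    soft_deleted: bool = False

@dataclass
class CA:
    name: str
    is_active: bool = True
    certificates: List[Certificate] = field(default_factory=list)
    children: List["CA"] = field(default_factory=list)

def deletion_blockers(ca: CA) -> List[str]:
    """Return every reason the strict deletion policy refuses to delete ca."""
    blockers = []
    if ca.is_active:
        blockers.append("CA is active: revoke it first")
    # Assumption: "all associated certificates must be soft-deleted first" is
    # read literally, so any certificate that is not soft-deleted blocks.
    for cert in ca.certificates:
        if not cert.soft_deleted:
            blockers.append(f"certificate {cert.serial} ({cert.status}) is not soft-deleted")
    if ca.children:
        blockers.append(f"{len(ca.children)} child CA(s) still attached")
    return blockers

def delete_ca(ca: CA, parent: CA) -> None:
    """Detach ca from its parent, or raise listing all unmet preconditions."""
    blockers = deletion_blockers(ca)
    if blockers:
        raise PermissionError("; ".join(blockers))
    parent.children.remove(ca)

def build_sample() -> CA:
    """Constructed hierarchy: root -> issuing CA with one active, one revoked cert."""
    root = CA("constructed-root")
    root.children.append(CA("constructed-issuing", certificates=[
        Certificate("01", "active"), Certificate("02", "revoked")]))
    return root
```

Reporting every unmet precondition at once, rather than failing on the first, lets an operator see the full cleanup needed before a CA can be removed.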

Inferred Specifications

  • CA Hierarchy: Supports Root and Intermediate CAs, forming a chain of trust.
  • Cryptographic Standards: Adheres to common cryptographic standards for key generation, hashing, and certificate signing.
  • Security Levels: The presence of an initial_password for a CA implies a mechanism for managing different trust security levels for private keys, likely detailed in CA_TRUST_FLAGS_SPECIFICATION.md.
  • CRL Management: CRLs are generated on demand, with the Next Update field set to 30 days after generation.
  • Data Integrity: Strict deletion policies ensure that CAs with active or associated certificates (even revoked ones not soft-deleted) or child CAs cannot be accidentally removed, preserving the integrity of the PKI.
  • Auditing: Comprehensive audit logging provides a clear trail of all significant CA management actions.
