Certificate Issuance via CSR

This section describes how certificates are issued from Certificate Signing Requests (CSRs): users generate their own private keys, keep them, and submit only the CSR for signing by a Certificate Authority.

Key Functionalities

CSR Upload Form

  • Endpoint: /csr/upload
  • Description: Provides a web interface for users to upload their generated CSRs.
  • CA Selection: The form lists active Intermediate CAs available for signing. Direct signing with Root CAs is not permitted through this interface.

Process CSR

  • Endpoint: POST /csr/process
  • Description: This is the primary API endpoint for processing uploaded CSRs and issuing certificates.
  • Workflow:
    1. Request Validation: Validates the incoming request parameters (e.g., csr_data, common_name, validity_days).
    2. CA Selection:
      • If a ca_id is provided in the request, the system attempts to use that specific CA, verifying the user's access permissions to it.
      • If no ca_id is provided, the CASelectionService automatically selects the most suitable CA based on criteria such as tenant_id, purpose_category, the requesting user's email, and client IP address.
    3. Approval Requirements Check:
      • If the selected CA requires manual approval (requiresManualApproval()), the system checks for an approval_password in the request.
      • If the password is missing or invalid, a PendingCertificateRequest is created. The request is then submitted for manual approval by an administrator, and relevant notifications are sent.
    4. CSR Validation and Information Extraction: The uploaded CSR's format is validated, and key information (e.g., common name, organization, country, key size, key type) is extracted. The common_name in the CSR must match the common_name provided in the request.
    5. Certificate Generation: If all validations pass and no manual approval is required (or after approval), the CryptoService is invoked to issue the certificate based on the CSR.
    6. Logging: All significant steps, including certificate creation, are logged.
    7. Response: Returns a JSON response indicating success or failure, along with relevant messages and details of the issued certificate (if successful).

Get CA Template Configuration

  • Endpoint: GET /csr/ca-template/{caId}
  • Description: Provides configuration details for a specific Certificate Authority, which can be used by client applications or users to generate CSRs that are compatible with the CA's policies.
  • Returned Information: Includes:
    • id, name, common_name, organization, country of the CA.
    • requires_manual_approval: Indicates if this CA requires manual approval for certificate requests.
    • max_validity_days: The maximum allowed validity period for certificates issued by this CA (default 3650 days / 10 years).
    • allowed_key_sizes: A list of supported key sizes (e.g., 2048, 4096).
    • allowed_extensions: A list of supported certificate extensions (e.g., server_auth, client_auth, email_protection, code_signing).
  • Access Control: Access to this endpoint is restricted to users with permissions to the specified CA.
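
A client-side pre-flight check for the CSR validation step of POST /csr/process and the CA template fields above, as an added example that is not the project's own code. It generates the key and CSR locally with openssl, then tests the CSR against the policy values before upload. The helper names make_csr and check_csr are hypothetical, the policy values are the page's example values set inline rather than fetched from the endpoint, and the self-signature check is an assumption about what format validation covers.

```shell
#!/bin/sh
# Added example (not the project's code). Policy values mirror the fields
# the page lists for GET /csr/ca-template/{caId}; set inline, not fetched.
ALLOWED_KEY_SIZES="2048 4096"
MAX_VALIDITY_DAYS=3650

# make_csr DIR CN BITS (hypothetical helper): key and CSR are created
# locally; only DIR/req.csr is meant to be uploaded, never DIR/key.pem.
make_csr() {
    ( umask 077
      openssl req -new -newkey "rsa:$3" -nodes -sha256 -subj "/CN=$2" \
          -keyout "$1/key.pem" -out "$1/req.csr" ) 2>/dev/null
}

# check_csr CSR EXPECTED_CN VALIDITY_DAYS (hypothetical helper):
# prints "ok", or the first violation found, and returns 0 or 1.
check_csr() {
    csr=$1 want_cn=$2 days=$3
    # Parseable and self-signed by the key it carries.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "malformed or badly signed CSR"; return 1; }
    # Subject CN must equal the common_name sent with the request.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$want_cn" ] || { echo "common_name mismatch"; return 1; }
    # Key size must be one the CA template allows.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case " $ALLOWED_KEY_SIZES " in
        *" $bits "*) ;;
        *) echo "key size $bits not allowed"; return 1 ;;
    esac
    # Requested lifetime must fit the CA's maximum.
    { [ "$days" -ge 1 ] && [ "$days" -le "$MAX_VALIDITY_DAYS" ]; } 2>/dev/null ||
        { echo "validity_days out of range"; return 1; }
    echo "ok"
}

# Demo with a constructed host name.
dir=$(mktemp -d)
make_csr "$dir" host.example.test 2048 && check_csr "$dir/req.csr" host.example.test 365
rm -rf "$dir"
```

A common name containing an escaped comma is truncated by the split on commas, so the check fails closed with a mismatch.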

Inferred Specifications

  • CSR-Centric Issuance: The system prioritizes and fully supports certificate issuance based on externally generated CSRs, empowering users to manage their private keys securely.
  • Flexible CA Assignment: Certificates can be issued by a user-specified CA (with access control) or automatically assigned to a suitable CA based on request metadata.
  • Mandatory Manual Approval Workflow: CAs can be configured to require manual approval for certificate requests, introducing a human review step for sensitive operations. This workflow includes a PendingCertificateRequest model and notification system.
  • Robust CSR Validation: Comprehensive validation ensures that uploaded CSRs are well-formed and that their content (e.g., common name) aligns with the request, so that malformed or malicious requests are rejected.
  • Configurable CA Policies: CAs can define their own policies regarding maximum certificate validity, allowed key sizes, and supported certificate extensions, which are exposed via the /csr/ca-template/{caId} endpoint.
  • Supported Key Sizes for CSRs: Common key sizes supported for CSRs include 2048 and 4096 bits.
  • Supported Certificate Extensions: Common extensions supported for CSRs include server_auth, client_auth, email_protection, code_signing.
  • Maximum Certificate Validity for CSRs: Certificates issued via CSRs can have a maximum validity of 3650 days (10 years).
  • Comprehensive Audit Trail: All stages of CSR processing, including validation, CA selection, pending requests, and certificate issuance, are logged for security and compliance purposes.
  • Access Control: User permissions are strictly enforced at various stages, from CA selection to accessing CA template information.
  • Notification System: An integrated notification system informs users and administrators about the status of pending certificate requests.
