Certificate Management Overview

This section describes how individual certificates are managed within the system: issuance, viewing, downloading, revocation, and deletion.

Key Functionalities

Certificate Listing and Filtering

  • Endpoint: /certificates
  • Description: Displays a paginated list of all managed certificates.
  • Filters:
    • type: Filter by certificate type (server, client, email, code_signing).
    • status: Filter by certificate status (active, revoked, expired). Defaults to active if not specified.
    • ca_id: Filter by the issuing Certificate Authority.
    • search: Search by certificate common_name or serial_number.
  • Access Control: Non-admin users can only view certificates issued by CAs they have access to.

Certificate Issuance

  • Endpoints:
    • GET /certificates/create: Displays the certificate issuance form.
    • POST /certificates: Submits data to issue a new certificate.
  • Certificate Types: Supports various types, including server, client, email, code_signing, openvpn_server, openvpn_client, and windows_802_1x.
  • Issuing CA: Requires selection of an active CertificateAuthority.
  • CA Password: If the selected CA's private key is password-protected, the ca_password is required for decryption during issuance.
  • Subject Details: Configurable fields for the certificate subject, including common_name (required), organization, organizational_unit, country, state, and locality.
  • Subject Alternative Names (SANs): Supports adding multiple domain names or IP addresses as SANs.
  • Cryptographic Options:
    • Key Algorithms: RSA (2048, 3072, 4096 bits) and ECC (p256, p384, p521 curves).
    • Validity Period: Configurable in days, with a maximum of 3650 days (10 years), or via predefined presets.
  • Key Usage & Extended Key Usage: Automatically set based on the chosen certificate type to ensure appropriate functionality (e.g., serverAuth for server certificates, clientAuth for client certificates).
  • Audit Logging: Records certificate issuance events.
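The issuance constraints listed above (allowed types, key algorithms and sizes, the 3650-day cap, the required common_name, the ca_password requirement for a protected CA key, and the type-derived key usage) are the kind of checks a server should run on the POST /certificates payload before touching the CA key. The following is an added example in Python, not the project's own code: validate_issuance_request, issuance_errors, the request dict keys and the ca_key_encrypted flag are assumptions, and the key-usage rows other than serverAuth/clientAuth are assumed rather than taken from the page.

```python
"""Issuance request checks modelled on the constraints listed in this section.

Added example, not the project's code. validate_issuance_request, issuance_errors
and the request dict keys are assumptions; the allowed sets are the page's own.
"""
import ipaddress
import re

CERT_TYPES = {"server", "client", "email", "code_signing",
              "openvpn_server", "openvpn_client", "windows_802_1x"}
RSA_BITS = {2048, 3072, 4096}
ECC_CURVES = {"p256", "p384", "p521"}
MAX_VALIDITY_DAYS = 3650          # 10 years, the page's upper bound
DNS_NAME = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$")

# The page states only that server types get serverAuth and client types get
# clientAuth; the remaining rows are assumed, not taken from the project.
KEY_USAGE = {
    "server":         (["digitalSignature", "keyEncipherment"], ["serverAuth"]),
    "openvpn_server": (["digitalSignature", "keyEncipherment"], ["serverAuth"]),
    "client":         (["digitalSignature"], ["clientAuth"]),
    "openvpn_client": (["digitalSignature"], ["clientAuth"]),
    "windows_802_1x": (["digitalSignature"], ["clientAuth"]),
    "email":          (["digitalSignature", "keyEncipherment"], ["emailProtection"]),
    "code_signing":   (["digitalSignature"], ["codeSigning"]),
}


def classify_sans(sans):
    """Split SAN strings into DNS names and IP addresses; reject anything else."""
    dns, ips = [], []
    for raw in sans:
        value = raw.strip()
        try:
            ips.append(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass
        if not DNS_NAME.match(value.lower()):
            raise ValueError(f"invalid SAN: {raw!r}")
        dns.append(value.lower())
    return dns, ips


def issuance_errors(req):
    """Collect every policy violation in a POST /certificates payload."""
    errors = []
    if req.get("type") not in CERT_TYPES:
        errors.append("unsupported certificate type")
    if not (req.get("common_name") or "").strip():
        errors.append("common_name is required")
    if req.get("ca_key_encrypted") and not req.get("ca_password"):
        errors.append("ca_password is required for a password-protected CA key")
    alg = req.get("key_algorithm")
    if alg == "rsa" and req.get("key_size") not in RSA_BITS:
        errors.append("RSA key size must be one of 2048, 3072, 4096")
    elif alg == "ecc" and req.get("curve") not in ECC_CURVES:
        errors.append("ECC curve must be one of p256, p384, p521")
    elif alg not in ("rsa", "ecc"):
        errors.append("key_algorithm must be rsa or ecc")
    days = req.get("validity_days")
    if not isinstance(days, int) or not 1 <= days <= MAX_VALIDITY_DAYS:
        errors.append(f"validity_days must be between 1 and {MAX_VALIDITY_DAYS}")
    try:
        classify_sans(req.get("sans", []))
    except ValueError as exc:
        errors.append(str(exc))
    return errors


def validate_issuance_request(req):
    """Return the normalised issuance spec, or raise ValueError listing all problems."""
    errors = issuance_errors(req)
    if errors:
        raise ValueError("; ".join(errors))
    dns, ips = classify_sans(req.get("sans", []))
    key_usage, ext_key_usage = KEY_USAGE[req["type"]]
    subject_fields = ("common_name", "organization", "organizational_unit",
                      "country", "state", "locality")
    return {
        "type": req["type"],
        "subject": {k: req[k] for k in subject_fields if req.get(k)},
        "san_dns": dns,
        "san_ip": ips,
        "key": {"algorithm": req["key_algorithm"],
                "size": req.get("key_size"), "curve": req.get("curve")},
        "validity_days": req["validity_days"],
        "key_usage": key_usage,
        "extended_key_usage": ext_key_usage,
    }


# Constructed sample request for demonstration (not real data).
SAMPLE_REQUEST = {
    "type": "server", "ca_id": 1, "ca_key_encrypted": True, "ca_password": "example",
    "common_name": "www.example.test", "organization": "Example Org", "country": "FR",
    "sans": ["www.example.test", "example.test", "10.0.0.5"],
    "key_algorithm": "ecc", "curve": "p384", "validity_days": 397,
}

if __name__ == "__main__":
    print(validate_issuance_request(SAMPLE_REQUEST))
```

Collecting all violations before rejecting (issuance_errors) rather than failing on the first one is deliberate: the form can show every problem at once, and the CA password is never checked against the key until the request is known to be well-formed.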

Certificate Details and Validation

  • Endpoint: /certificates/{certificate}
  • Description: Displays detailed information about a specific certificate, its issuing CA, and current revocation status.
  • Real-time Validation: Performs a real-time validation of the certificate against its issuing CA using the CryptoService.

Certificate Downloads

  • Endpoint: /certificates/{certificate}/download/{format}
  • Description: Allows downloading the certificate and its associated components in various formats.
  • Available Formats:
    • pem: Downloads the public certificate in PEM format (.crt).
    • chain: Downloads the full certificate chain in PEM format (.crt).
    • pkcs12: Downloads a PKCS#12 bundle (.p12), which can optionally be password-protected.
    • key: Downloads the decrypted private key in PEM format (.key).
  • Audit Logging: Records certificate download events.

Certificate Revocation

  • Endpoint: POST /certificates/{certificate}/revoke
  • Description: Marks an active certificate as revoked.
  • Requirements:
    • reason_code: A required integer representing the revocation reason (e.g., 0 for unspecified, 1 for key compromise, 3 for certificate hold). Supported codes are 0, 1, 2, 3, 4, 5, 6, 8, 9, 10.
    • reason_note: An optional string for additional details about the revocation.
  • Process: Updates the certificate's status, records revoked_at timestamp, and adds an entry to the issuing CA's revocation list for CRL generation.
  • Audit Logging: Records certificate revocation events.

Certificate Deletion (Soft Delete)

  • Endpoint: DELETE /certificates/{certificate}
  • Description: Performs a soft deletion of a certificate, meaning its record is marked as deleted but retained in the database.
  • Deletion Policy: Only revoked or expired certificates can be soft-deleted. Active certificates cannot be deleted to prevent accidental removal of operational certificates and to maintain CRL integrity.
  • Purpose of Soft Delete: Retaining revoked certificate data is crucial for accurate Certificate Revocation List (CRL) generation.
  • Audit Logging: Records soft deletion events with detailed metadata.
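The revocation and soft-delete rules above form a small state machine: only an active certificate can be revoked, only a revoked or expired one can be soft-deleted, a soft-deleted record disappears from the listing but must still feed the issuing CA's CRL. The following is an added example in Python, not the project's own code, that implements those rules together with the listing filter's default status; Certificate, revoke, soft_delete, list_certificates and crl_entries are assumed names, the sample records are constructed, and the reason-code set is the page's own, with names taken from the RFC 5280 CRLReason enumeration.

```python
"""Certificate lifecycle rules from the revocation and soft-delete sections.

Added example, not the project's code. Certificate, revoke, soft_delete,
list_certificates and crl_entries are assumed names; the reason codes are the
page's supported set, named per RFC 5280 CRLReason (value 7 is unassigned).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}


@dataclass
class Certificate:
    serial_number: str
    common_name: str
    ca_id: int
    not_after: datetime
    status: str = "active"                 # stored status: active | revoked
    revoked_at: Optional[datetime] = None
    reason_code: Optional[int] = None
    reason_note: Optional[str] = None
    deleted_at: Optional[datetime] = None  # soft delete marker; row is kept


def effective_status(cert, now):
    """Expiry is derived from not_after; revocation is recorded explicitly."""
    if cert.status == "revoked":
        return "revoked"
    return "expired" if cert.not_after <= now else "active"


def revoke(cert, reason_code, reason_note=None, now=None):
    """POST /certificates/{certificate}/revoke: active -> revoked."""
    now = now or datetime.now(timezone.utc)
    if reason_code not in CRL_REASONS:
        raise ValueError(f"unsupported reason_code {reason_code}")
    if cert.deleted_at is not None or effective_status(cert, now) != "active":
        raise ValueError("only active certificates can be revoked")
    cert.status, cert.revoked_at = "revoked", now
    cert.reason_code, cert.reason_note = reason_code, reason_note
    return cert


def soft_delete(cert, now=None):
    """DELETE /certificates/{certificate}: refused while the cert is active."""
    now = now or datetime.now(timezone.utc)
    if cert.deleted_at is not None:
        raise ValueError("certificate is already deleted")
    if effective_status(cert, now) not in ("revoked", "expired"):
        raise ValueError("active certificates cannot be deleted")
    cert.deleted_at = now
    return cert


def list_certificates(certs, now, status="active", ca_id=None, search=None):
    """GET /certificates: hides soft-deleted rows, status defaults to active."""
    needle = (search or "").lower()
    return [
        c for c in certs
        if c.deleted_at is None
        and effective_status(c, now) == status
        and (ca_id is None or c.ca_id == ca_id)
        and (not needle or needle in c.common_name.lower()
             or needle in c.serial_number.lower())
    ]


def crl_entries(certs, ca_id):
    """CRL input for one CA: revoked certs are included even after soft delete."""
    return [(c.serial_number, c.revoked_at, c.reason_code)
            for c in certs if c.ca_id == ca_id and c.status == "revoked"]


# Constructed sample data (not real certificates).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def make_sample():
    return [
        Certificate("01A3", "vpn.example.test", 1, NOW + timedelta(days=300)),
        Certificate("01A4", "alice@example.test", 1, NOW + timedelta(days=100)),
        Certificate("01A5", "old.example.test", 1, NOW - timedelta(days=1)),
    ]


def run_demo():
    """Walk the lifecycle once and return the observable outcomes."""
    certs = make_sample()
    results = {"code7_refused": False, "delete_active_refused": False}
    try:
        revoke(certs[0], 7, now=NOW)        # 7 is not a valid CRLReason
    except ValueError:
        results["code7_refused"] = True
    revoke(certs[0], 1, "laptop reported stolen", now=NOW)
    results["active_listing"] = [c.serial_number for c in list_certificates(certs, NOW)]
    results["revoked_listing"] = [c.serial_number
                                  for c in list_certificates(certs, NOW, status="revoked")]
    try:
        soft_delete(certs[1], NOW)          # still active: must be refused
    except ValueError:
        results["delete_active_refused"] = True
    soft_delete(certs[0], NOW)              # revoked: allowed
    soft_delete(certs[2], NOW)              # expired: allowed
    results["revoked_after_delete"] = [c.serial_number
                                       for c in list_certificates(certs, NOW, status="revoked")]
    results["crl"] = [serial for serial, _, _ in crl_entries(certs, 1)]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The split between effective_status and the stored status field is what keeps the deletion policy honest: a certificate that has merely run past not_after is deletable without anyone having revoked it, while crl_entries reads the stored status so a soft delete never makes a revoked serial vanish from the CRL.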

Inferred Specifications

  • Supported Certificate Types: server, client, email, code_signing, openvpn_server, openvpn_client, windows_802_1x.
  • Key Algorithm Support: RSA (2048, 3072, 4096 bits) and ECC (P256, P384, P521 curves) for certificate key generation.
  • Maximum Certificate Validity: Certificates can be issued with a maximum validity period of 3650 days (10 years).
  • SANs Support: Certificates can include Subject Alternative Names for multiple hostnames or IP addresses.
  • Dynamic Key Usage: key_usage and extended_key_usage extensions are automatically configured based on the certificate type, so each certificate is usable for its intended purpose.
  • Standard Revocation Reasons: Utilizes a predefined set of standard revocation reason codes.
  • CRL Integrity: The soft deletion mechanism for certificates ensures that revoked certificate information is preserved for accurate CRL generation and distribution.
  • Strict Deletion Rules: Active certificates cannot be deleted, enforcing a security measure to prevent disruption of services.
  • Role-Based Access Control: Access to certificate management functionalities and visibility of certificates are controlled by user roles and their assigned CA permissions.
  • Comprehensive Audit Trail: All significant certificate lifecycle events are logged, providing a detailed audit trail for security, compliance, and operational monitoring.
