CA Password Management & Approval Workflow - Specification
Date: 2025-09-28 Status: IN DESIGN Priority: IMPORTANT
OBJECTIVE
Implement a complete password management system for critical CAs (Root CA + critical Intermediates), with an approval workflow for CSRs.
FEATURES
1. CA PASSWORD MANAGEMENT
Business Rules
- Root CAs: password MANDATORY
- Critical intermediates: password at the admin's discretion
- Standard CAs: no password (optional)
- Auto-detection: use the existing `type` field (root/intermediate)
Database Schema (SIMPLIFIED)
-- Use the existing 'type' field instead of a new 'critical_level'
-- No redundant ENUM
-- Only add:
ALTER TABLE certificate_authorities ADD COLUMN password_required BOOLEAN DEFAULT FALSE;
-- Logic:
-- type='root'         → password_required automatically TRUE
-- type='intermediate' → password_required at the admin's discretion
2. CA CREATE/EDIT INTERFACE
// Page: /ca/create + /ca/{id}/edit
Form Fields:
┌─ CA Configuration ──────────────────────────┐
│ Type: [Root CA ▼]                           │
│                                             │
│ Private Key Security:                       │
│ ☑ Password Required for Signing             │
│   (Automatically enabled for Root CAs)      │
│                                             │
│ IF password_required:                       │
│   ├─ Set Password: [______________]         │
│   ├─ Confirm:      [______________]         │
│   └─ Strength:     ██████████ (Strong)      │
└─────────────────────────────────────────────┘
3. CERTIFICATE SIGNING - PASSWORD PROMPT
// Page: /certificates/create
// When CA.password_required = true:
┌─ Certificate Signing ───────────────────────┐
│ CA: Root CA (Password Protected)            │
│                                             │
│ This CA requires a password for signing     │
│                                             │
│ CA Private Key Password:                    │
│ [_________________________] [Unlock]        │
│                                             │
│ [ ] Remember for this session (15 min)      │
│                                             │
│ [Generate Certificate] [Cancel]             │
└─────────────────────────────────────────────┘
4. CSR APPROVAL WORKFLOW
CSR Submission Interface
// Page: /csr/upload
┌─ CSR Upload & Approval Request ─────────────┐
│ Certificate Signing Request:                │
│ [Upload .csr file] or [Paste CSR content]   │
│                                             │
│ Target CA: [Root CA ▼]                      │
│ Purpose:   [Web Server ▼]                   │
│ Validity:  [365 days ▼]                     │
│                                             │
│ Approval Status:                            │
│   ○ Automatic (Standard CA)                 │
│   ○ Manual Approval Required (Root/Critical)│
│                                             │
│ IF manual approval:                         │
│   Justification (required):                 │
│   [___________________________________]     │
│                                             │
│ [Submit for Approval] [Generate Now]        │
└─────────────────────────────────────────────┘
Admin Approval Dashboard
// Page: /admin/pending-approvals
┌─ Pending Certificate Approvals ─────────────┐
│                                             │
│ 3 CSRs awaiting approval                    │
│                                             │
│   ┌─ CSR #001 ─────────────────┐            │
│   │ Subject: *.example.com     │            │
│   │ CA: Root CA (Critical)     │            │
│   │ Requested by: user@co.com  │            │
│   │ Date: 2025-09-28 14:30     │            │
│   │ Justification: "Production │            │
│   │ web server certificate"    │            │
│   │                            │            │
│   │ [View CSR] [✅ Approve]     │            │
│   │ [❌ Reject] [Comment]       │            │
│   └────────────────────────────┘            │
└─────────────────────────────────────────────┘
API ENDPOINTS
CA Password Management
POST /api/v1/ca/{id}/password/validate   // Validate password
POST /api/v1/ca/{id}/password/unlock     // Unlock for the session
GET  /api/v1/ca/{id}/password/status     // Lock status
PUT  /api/v1/ca/{id}/password/require    // Enable/disable the password requirement
CSR Approval Workflow
POST /api/v1/csr/submit                  // Submit CSR for approval
GET  /api/v1/csr/pending                 // List pending CSRs (admin)
POST /api/v1/csr/{id}/approve            // Approve CSR (admin)
POST /api/v1/csr/{id}/reject             // Reject CSR (admin)
GET  /api/v1/csr/{id}/status             // CSR status for the user
Certificate Signing with Password
POST /api/v1/certificates/sign-with-password
Body: {
  "csr": "-----BEGIN CERTIFICATE REQUEST-----...",
  "ca_id": 3,
  "ca_password": "secure_password",
  "remember_session": true,
  "bypass_approval": false   // Only if admin and the approval workflow applies
}
DATABASE SCHEMA
CA Table Changes (Simplified)
-- Only add password_required (no critical_level)
ALTER TABLE certificate_authorities ADD COLUMN password_required BOOLEAN DEFAULT FALSE;
-- Application logic:
-- IF type = 'root' THEN password_required = TRUE automatically
-- IF type = 'intermediate' THEN password_required at the admin's discretion
CSR Approvals Table (New)
CREATE TABLE pending_certificate_requests (
id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
ca_id BIGINT UNSIGNED NOT NULL,
user_id BIGINT UNSIGNED NOT NULL,
csr_content TEXT NOT NULL,
common_name VARCHAR(255) NOT NULL,
subject_alt_names JSON NULL,
purpose_category VARCHAR(100),
validity_days INTEGER DEFAULT 365,
justification TEXT,
status ENUM('pending', 'approved', 'rejected', 'signed') DEFAULT 'pending',
approved_by BIGINT UNSIGNED NULL,
approved_at TIMESTAMP NULL,
rejection_reason TEXT NULL,
signed_certificate_id BIGINT UNSIGNED NULL, -- Link to final certificate
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
FOREIGN KEY (ca_id) REFERENCES certificate_authorities(id),
FOREIGN KEY (user_id) REFERENCES users(id),
FOREIGN KEY (approved_by) REFERENCES users(id),
FOREIGN KEY (signed_certificate_id) REFERENCES certificates(id),
INDEX idx_status (status),
INDEX idx_ca_user (ca_id, user_id),
INDEX idx_pending (status, created_at)
);
COMPLETE WORKFLOW
graph TD
A[User uploads CSR] --> B{CA type check}
B -->|Root/Critical| C[Require approval workflow]
B -->|Standard| D{Password protected?}
C --> E[Submit to approval queue]
E --> F[Email notification to admins]
F --> G[Admin reviews CSR]
G --> H{Approved?}
H -->|Yes| D
H -->|No| I[Reject with reason + email user]
D -->|Yes| J[Prompt for CA password]
D -->|No| K[Sign certificate immediately]
J --> L{Password valid?}
L -->|Yes| K
L -->|No| M[Error + retry]
K --> N[Certificate issued]
N --> O[Email confirmation + audit log]
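As an added example (not the project's own code), the routing and status transitions of the workflow above in Python, kept in memory instead of the pending_certificate_requests table. The Ca and Request classes, the is_admin flag and the AUDIT list are assumptions; an intermediate is treated as critical when it is password-protected, because the spec names no other marker.

```python
from dataclasses import dataclass
from typing import Optional

AUDIT = []   # constructed in-memory audit log of (event, details) tuples

@dataclass
class Ca:
    id: int
    type: str                      # existing field: 'root' or 'intermediate'
    password_required: bool = False
    def __post_init__(self):
        if self.type == "root":    # rule: root CAs always require a password
            self.password_required = True

def needs_manual_approval(ca):
    # Root CAs always queue; an intermediate is "critical" when password-protected (assumption)
    return ca.type == "root" or ca.password_required

@dataclass
class Request:                     # one row of pending_certificate_requests
    id: int
    ca: Ca
    user_id: int
    justification: str = ""
    status: str = "pending"        # pending / approved / rejected / signed
    approved_by: Optional[int] = None
    rejection_reason: Optional[str] = None

def submit(req, is_admin=False, bypass_approval=False):
    if not needs_manual_approval(req.ca):
        req.status = "approved"    # standard CA: automatic
    elif is_admin and bypass_approval:
        req.status = "approved"    # admins may skip the queue, but it is logged
        AUDIT.append(("approval_workflow_bypassed", {"request": req.id, "user": req.user_id}))
    elif not req.justification.strip():
        raise ValueError("justification is required for manual approval")
    AUDIT.append(("csr_submitted", {"request": req.id, "status": req.status}))
    return req.status

def decide(req, admin_id, is_admin, approve, reason=None):
    if not is_admin:
        raise PermissionError("admin permission required")
    if req.status != "pending":
        raise ValueError(f"request {req.id} is already {req.status}")
    if approve:
        req.status, req.approved_by = "approved", admin_id
        AUDIT.append(("csr_approved", {"request": req.id, "admin": admin_id}))
    else:
        req.status, req.rejection_reason = "rejected", reason
        AUDIT.append(("csr_rejected", {"request": req.id, "reason": reason}))
```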
SECURITY & AUDIT
Password Security
- BCrypt hashing for storage
- Rate limiting: 3 attempts / 15 minutes
- Session unlock: 15 minutes max
- IP tracking of attempts
- Complete audit log
Approval Security
- Admin permission required
- Audit trail CSR → Certificate
- Email notifications
- Mandatory justification
- Full timestamping
Audit Events
// Events to log:
- ca_password_set / ca_password_removed
- ca_password_unlock_success / ca_password_unlock_failed
- csr_submitted / csr_approved / csr_rejected
- certificate_signed_with_password
- approval_workflow_bypassed (admin)
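An added example, not code from the project: the password gate behind /api/v1/ca/{id}/password/unlock with the rules above (3 attempts per 15 minutes tracked per IP, 15-minute unlock session, the audit event names listed). PBKDF2 from the standard library stands in for bcrypt so it runs without extra packages; the class name and the injected `now` parameter are assumptions.

```python
import hashlib, hmac, os, secrets
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 3                      # spec: 3 attempts / 15 minutes
WINDOW = timedelta(minutes=15)
SESSION_TTL = timedelta(minutes=15)   # spec: session unlock 15 minutes max

class CaPasswordGate:
    """Password verifier, per-IP attempt tracking and unlock sessions for one CA."""

    def __init__(self, ca_id, password):
        self.ca_id = ca_id
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)
        self.failed = {}     # ip -> timestamps of failed attempts (IP tracking)
        self.sessions = {}   # session token -> expiry time
        self.audit = []      # (event, ip, detail) tuples, event names from the spec

    @staticmethod
    def _hash(password, salt):
        # Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def unlock(self, password, ip, now=None):
        """Return a session token on success, None when refused."""
        now = now or datetime.now(timezone.utc)
        recent = [t for t in self.failed.get(ip, []) if now - t < WINDOW]
        self.failed[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.audit.append(("ca_password_unlock_failed", ip, "rate_limited"))
            return None          # refused before the password is even checked
        if not hmac.compare_digest(self._hash(password, self.salt), self.digest):
            recent.append(now)
            self.audit.append(("ca_password_unlock_failed", ip, "bad_password"))
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = now + SESSION_TTL
        self.audit.append(("ca_password_unlock_success", ip, "session_opened"))
        return token

    def is_unlocked(self, token, now=None):
        """True while the session is within its 15-minute lifetime."""
        now = now or datetime.now(timezone.utc)
        expiry = self.sessions.get(token)
        if expiry is None:
            return False
        if now >= expiry:
            del self.sessions[token]  # expired sessions are dropped, not extended
            return False
        return True
```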
IMPLEMENTATION PHASES
Phase 1: CA Password Management (1 week)
- Database migration (password_required field)
- Password validation API endpoints
- UI password prompts
- Session unlock mechanism
Phase 2: CSR Approval Workflow (1 week)
- pending_certificate_requests table
- CSR submission interface
- Admin approval dashboard
- Email notifications
Phase 3: Integration & Polish (3 days)
- Complete workflow integration
- Unit & security tests
- User documentation
- Audit logging
SUCCESS CRITERIA
- [ ] Root CAs protected by a mandatory password
- [ ] Intuitive interface for creating/managing passwords
- [ ] Working CSR approval workflow
- [ ] Admin dashboard for approvals
- [ ] Complete API for integration
- [ ] Complete audit trail
- [ ] Automatic email notifications
- [ ] Security tests validated
Note: This specification reuses the existing fields (type) to avoid redundancy and builds on the existing PKI architecture.