This module provides a set of hooks that allow different hook implementations to be plugged as required to build up a working certificate authority.
Each hook implementation is a piece of a puzzle, the pieces of which can be swapped out to meet the exact needs of a given certificate authority. Only the hook implementations needed to meet a specific objective need be deployed, and the configuration can be hardened down to only those implementations required.
Redwax Server modules come in two different types. To create a working certificate authority, you need at least one frontend module, and at least one backend module.
Modules that implement specific web based protocols like SCEP or OCSP
are termed frontend modules and hook themselves into the
Apache httpd request hook.
At key points in the protocol, like signing a certificate sign request,
or returning the time, the frontend modules call hooks to plug
in the desired implementations to perform each step.
These hook implementations are provided in backend modules.
Modules that implement low level functions like signing a certificate sign
request or returning the time are termed backend modules and
hook themselves into frontend modules. Some
backend modules may choose to hook in other
backend modules depending on the application.
To build a certificate authority, combine frontend modules
with suitably configured backend modules to meet the objectives
needed.
Frontend and backend modules are linked to one another using hooks. The following hooks are provided by this module.
Signs the certificate sign request.
This hook receives a certificate sign request, and has the option to the process the certificate sign request immediately and return a signed certificate, or set aside the certificate sign request for later processing, and return confirmation that the certificate sign request was accepted.
This hook is typically mandatory, in that if a hook implementation is not supplied, the request will fail.
This hook will stop when the first configured implementation has handled the request.
Returns a given certificate, either by transactionID or serial number.
Protocols that need to request and return a given certificate will call this hook.
This hook will stop when the first configured implementation has handled the request.
Returns the certificate authority certificate used to sign the request.
This is the last certificate in the certificate chain, and is usually the root certificate.
This hook will stop when the first configured implementation has handled the request.
Returns the next certificate authority certificate that will be used to sign
future requests.
For protocols that support certificate rollover, the next certificate authority certificate is provided by this hook on request.
This hook will stop when the first configured implementation has handled the request.
Returns the chain of certificates used to sign the request.
The certificate chain consists of all certificates apart from the last certificate specified in the file.
This hook will stop when the first configured implementation has handled the request.
Returns the serial number to be used while signing a certificate
sign request.
Hook implementations that issue a certificate immediately will typically use this hook to provide the serial number to the signing process. Alternatively, hook implementations that save the certificate sign request for later processing, or that pass the certificate sign request to external systems will rely on those external systems to handle the serial number.
This hook will stop when the first configured implementation has handled the request.
Returns a generated public/private key pair.
Protocols that require that the public/private key pair be generated by the certificate authority will call this hook.
This hook will stop when the first configured implementation has handled the request.
Returns the time to be used for a given signature.
This hook is called when a protocol needs to know the time to sign a certificate sign request, or when responding to a timestamp request.
Hook implementations might source the time from the system, or might source the time from dedicated hardware for this purpose.
This hook will stop when the first configured implementation has handled the request.
Verify the parameters
included with the certificate sign request, such as the
challenge password.
This hook is optional, in that if a hook implementation is not supplied, the request will succeed.
This hook will stop when the first configured implementation has handled the request.
Store the newly generated certificate to locally or in a database
or directory.
This hook is optional, in that if a hook implementation is not supplied, the request will succeed.
This hook will stop when the first configured implementation has handled the request.
Returns the certificate revocation list.
The certificate revocation list might be stored on disk or in a directory, or the certificate revocation list might be generated on the fly.
This hook will stop when the first configured implementation has handled the request.
Return the status of a specific certificate from
the certificate revocation list.
This hook is used for protocols where the status of a single certificate can be queried.
This hook will stop when all the configured implementations have handled the request.