Based on the configuration of paths and files, this module allows certificate sign requests to be saved to disk for later processing, and certificates to be returned from disk to clients that ask for them.

In addition, an OpenSSL compatible serial file and index database can be used to generate serial numbers for certificates and stored for later access in an index database.

This module allows a typical disk based OpenSSL certificate authority to become accessible over the web.

This optional hook allows you to verify the parameters included with the certificate sign request, such as the previous certificate. If left unconfigured, all certificate requests will be accepted.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module saves the certificate sign request to disk ready for later processing. Protocols like SCEP provide a mechanism to register the request for a certificate, and then return the results when ready.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module saves the newly generated certificate to a directory.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, certificates that were generated earlier are returned from the specified directory.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the next serial number after the one stored in the current serial file. The serial number can optionally be stored in an OpenSSL compatible database index file.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules and backend modules.

Save incoming certificate sign requests to an incoming directory, then serve the resulting certificates back when ready. In this example, certificates are signed out of band.

# backend configuration:
<IfModule mod_ca_disk.c>
  CADiskCertificateSignRequestPath /etc/pki/CA/certs/
  CADiskCertificateByTransactionPath /etc/pki/CA/certs/
</IfModule>

# frontend configuration:
<IfModule mod_scep.c>
  <Location /scep>
    SetHandler scep
    ScepSubjectRequest commonName
  </Location>
</IfModule>

In this example we generate serial numbers from the OpenSSL serial file, and we keep track of certificates issued by writing them to the OpenSSL index.

# backend configuration:
<IfModule mod_ca_disk.c>
  CADiskSerialFile /etc/pki/CA/serial
  CADiskIndexFile /etc/pki/CA/index.txt
  CADiskCertificateBySerialPath /etc/pki/CA/certs/
</IfModule>
<IfModule mod_ca_simple.c>
  CASimpleTime on
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    CsrSubjectRequest CN
  </Location>
</IfModule>

Saves the certificate revocation list to a directory on disk for later processing.

The CADiskCertificateSignRequestPath directive enables this hook implementation.

Each certificate sign request is written to a file named after the transaction ID, with the extension csr.

Checks whether a renewal request signed by a previous certificate can be found among our existing certificates, and that the existing certificate is still valid and not revoked.

The CADiskIndexFile directive is searched to confirm certificate validity, and if valid the CADiskCertificateBySerialPath is searched for an exact match. Both of these directives must be present for this hook to take effect.

If the CADiskIndexUnique directive is enabled all renewal attempts are rejected, as renewal requires that the previous certificate and current certificate are valid at the same time.

Saves the newly generated certificate to a directory.

If the CADiskCertificateBySerialPath directive is used, the certificate is stored in the given directory with the name corresponding to the certificate serial number, and the default extension pem. This matches the behaviour of the new_certs_dir option in an OpenSSL openssl.cnf file.

If the CADiskIndex directive is used, the index is updated with the subject and serial number of the certificate being stored, as well as the filename of the certificate. This matches the behaviour of the database option in an OpenSSL openssl.cnf file.

Alternatively, if the CADiskCertificateByTransactionPath directive is used, the certificate is stored in the given directory with the name corresponding to the transaction ID and the default extension cert.

Returns the certificate from a directory on disk written during earlier processing.

If the CADiskCertificateBySerialPath directive is enabled, and the serial number of the certificate has been kept aside during earlier processing, the certificate will be read from a file matching the serial number expressed as a hex value, and the default extension pem.

Alternatively, if the CADiskCertificateByTransactionPath directive is used, the certificate is read from the given directory with the name corresponding to the transaction ID and the default extension cert.

This hook will trigger the Get Certificate Chain Hook to add the certificate chain to the certificate.

Returns the next serial number from the contents of a file on disk.

If the CADiskSerialFile directive is enabled, the number in the file is read in, incremented, saved and returned as the serial number for this certificate.

The serial number file corresponds to and is designed to work with the serial parameter in the openssl.cnf file in OpenSSL.

If the CADiskIndexFile directive is enabled, the resulting serial number and subject is written to the given index file. The database index file corresponds to and is designed to work with the database parameter in the openssl.cnf file in OpenSSL.

If the CADiskIndexUnique directive is enabled, the request will fail if the combination of serial number and subject has been seen before. This option corresponds to the unique_subject option in the OpenSSL openssl.cnf file.

Set to the path where certificate sign requests should be stored.

Incoming certificate sign requests will be written to the path specified by this directive, for later processing. Each certificate sign request is written to a file named after the transaction ID, with the extension csr.

Set to the path for certificates keyed by transaction, followed by optional suffix.

Signed certificates will be written to and stored at the path specified by this directive, for record, or later retrieval. Each certificate sign request is written to a file named after the transaction ID, with the default extension cert. This extension can be overridden.

Set to the path for certificates keyed by serial number, followed by optional suffix.

Signed certificates will be written to and stored at the path specified by this directive, for record, or later retrieval. Each certificate sign request is written to a file named after the certificate serial number, with the default extension pem. This extension can be overridden.

Set to the name of a file containing the last used serial number.

If this directive is used, this module will increment and return the serial number in the given file to the ca_makeserial hook.

The serial number file corresponds to and is designed to work with the serial parameter in the openssl.cnf file in OpenSSL.

Set to the name of a file containing the index database.

This directive requires the CADiskSerialFile directive to be set for this directive to take effect.

If this directive is used, this module will add the serial number and subject to the database file in the ca_makeserial hook.

The database index file corresponds to and is designed to work with the database parameter in the openssl.cnf file in OpenSSL.

If enabled, the certificate subject must be unique.

This directive requires the CADiskSerialFile and CADiskIndexFile directives to be set for this directive to take effect.

If this directive is used, the serial number and subject being added to the database file in the ca_makeserial hook will fail if the serial number has been used before.