Core Module

This module provides the hooks that tie frontend and backend modules together.

What does it do?

This module provides a set of hooks that allow different hook implementations to be plugged as required to build up a working certificate authority.

Each hook implementation is a piece of a puzzle, the pieces of which can be swapped out to meet the exact needs of a given certificate authority. Only the hook implementations needed to meet a specific objective need be deployed, and the configuration can be hardened down to only those implementations required.

Frontend and Backend Modules

Redwax Server modules come in two different types. To create a working certificate authority, you need at least one frontend module, and at least one backend module.

Frontend Modules

Modules that implement specific web based protocols like SCEP or OCSP are termed frontend modules and hook themselves into the Apache httpd request hook.

At key points in the protocol, like signing a certificate sign request, or returning the time, the frontend modules call hooks to plug in the desired implementations to perform each step.

These hook implementations are provided in backend modules.

Backend Modules

Modules that implement low level functions like signing a certificate sign request or returning the time are termed backend modules and hook themselves into frontend modules. Some backend modules may choose to hook in other backend modules depending on the application.

To build a certificate authority, combine frontend modules with suitably configured backend modules to meet the objectives needed.

Hook Reference

Frontend and backend modules are linked to one another using hooks. The following hooks are provided by this module.

Sign Request

Signs the certificate sign request.

This hook receives a certificate sign request, and has the option either to process the certificate sign request immediately and return a signed certificate, or to set aside the certificate sign request for later processing and return confirmation that the certificate sign request was accepted.

This hook is typically mandatory, in that if a hook implementation is not supplied, the request will fail.

This hook will stop when the first configured implementation has handled the request.

Get Certificate

Returns a given certificate, either by transactionID or serial number.

Protocols that need to request and return a given certificate will call this hook.

This hook will stop when the first configured implementation has handled the request.

Get Certificate Authority

Returns the certificate authority certificate used to sign the request.

This is the last certificate in the certificate chain, and is usually the root certificate.

This hook will stop when the first configured implementation has handled the request.

Get Next Certificate Authority

Returns the next certificate authority certificate that will be used to sign future requests.

For protocols that support certificate rollover, the next certificate authority certificate is provided by this hook on request.

This hook will stop when the first configured implementation has handled the request.

Get Chain

Returns the chain of certificates used to sign the request.

The certificate chain consists of all certificates apart from the last certificate specified in the file.

This hook will stop when the first configured implementation has handled the request.

Make Serial

Returns the serial number to be used while signing a certificate sign request.

Hook implementations that issue a certificate immediately will typically use this hook to provide the serial number to the signing process. Alternatively, hook implementations that save the certificate sign request for later processing, or that pass the certificate sign request to external systems will rely on those external systems to handle the serial number.

This hook will stop when the first configured implementation has handled the request.

Make Key

Returns a generated public/private key pair.

Protocols that require that the public/private key pair be generated by the certificate authority will call this hook.

This hook will stop when the first configured implementation has handled the request.

Get Time

Returns the time to be used for a given signature.

This hook is called when a protocol needs to know the time to sign a certificate sign request, or when responding to a timestamp request.

Hook implementations might source the time from the system, or might source the time from dedicated hardware for this purpose.

This hook will stop when the first configured implementation has handled the request.

Request Authorization

Verify the parameters included with the certificate sign request, such as the challenge password.

This hook is optional, in that if a hook implementation is not supplied, the request will succeed.

This hook will stop when the first configured implementation has handled the request.

Certificate Storage

Stores the newly generated certificate locally, in a database or in a directory.

This hook is optional, in that if a hook implementation is not supplied, the request will succeed.

This hook will stop when the first configured implementation has handled the request.

Get Certificate Revocation List

Returns the certificate revocation list.

The certificate revocation list might be stored on disk or in a directory, or the certificate revocation list might be generated on the fly.

This hook will stop when the first configured implementation has handled the request.

Get Certificate Status

Return the status of a specific certificate from the certificate revocation list.

This hook is used for protocols where the status of a single certificate can be queried.

This hook will stop when all the configured implementations have handled the request.
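The hook reference above describes three behaviours that are easy to conflate: a hook may be mandatory (Sign Request fails if no implementation is configured) or optional (Request Authorization and Certificate Storage succeed if none is configured), and most hooks stop at the first implementation that handles the request, while Get Certificate Status runs every configured implementation. The following plain-C dispatcher is an added illustration of those semantics and is not Redwax Server code; real backend modules register through Apache's APR hook macros, and the names `ca_hook_t`, `ca_hook_run`, the `CA_*` return codes and the sample implementations are assumptions constructed for this example.

```c
/* Added example: a minimal hook dispatcher modelling the run-first / run-all
 * and mandatory / optional semantics described in the hook reference.
 * All names here are assumptions for illustration, not the Redwax API. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes, modelled on the OK / DECLINED convention Apache modules use. */
enum { CA_OK = 0, CA_DECLINED = -1, CA_ERROR = 500 };

typedef int (*ca_hook_fn)(const char *request, char *out, size_t outlen);

#define CA_MAX_IMPLS 8

typedef struct {
    const char *name;
    int         mandatory;          /* request fails if nothing handles it */
    int         run_all;            /* run every implementation, not just the first */
    ca_hook_fn  impls[CA_MAX_IMPLS];
    int         count;
} ca_hook_t;

/* A backend module registers its implementation at load time. */
int ca_hook_register(ca_hook_t *h, ca_hook_fn fn)
{
    if (h->count >= CA_MAX_IMPLS)
        return CA_ERROR;
    h->impls[h->count++] = fn;
    return CA_OK;
}

/* Dispatch: CA_OK when handled (or when optional and unhandled),
 * CA_ERROR when mandatory and unhandled or when an implementation fails. */
int ca_hook_run(const ca_hook_t *h, const char *request, char *out, size_t outlen)
{
    int handled = 0;
    for (int i = 0; i < h->count; i++) {
        int rv = h->impls[i](request, out, outlen);
        if (rv == CA_ERROR)
            return CA_ERROR;
        if (rv == CA_OK) {
            handled = 1;
            if (!h->run_all)
                break;              /* first implementation to handle it wins */
        }
    }
    if (handled)
        return CA_OK;
    return h->mandatory ? CA_ERROR : CA_OK;
}

/* --- constructed sample implementations (stand-ins, not real backends) --- */
static int calls_seen = 0;          /* counts invocations so the demos can show who ran */

static int sign_immediately(const char *req, char *out, size_t n)
{
    calls_seen++;
    snprintf(out, n, "CERT(%s)", req);      /* stand-in for a signed certificate */
    return CA_OK;
}

static int sign_defer(const char *req, char *out, size_t n)
{
    calls_seen++;
    snprintf(out, n, "PENDING(%s)", req);   /* stand-in for "accepted, sign later" */
    return CA_OK;
}

static int status_revoked(const char *req, char *out, size_t n)
{
    calls_seen++;
    snprintf(out, n, "REVOKED(%s)", req);
    return CA_OK;
}

static int status_not_mine(const char *req, char *out, size_t n)
{
    (void)req; (void)out; (void)n;
    calls_seen++;
    return CA_DECLINED;                     /* this store does not know the serial */
}

/* Sign Request is mandatory and run-first: two implementations are registered,
 * but only the first is consulted. Returns how many implementations ran. */
int demo_sign_request(char *out, size_t n)
{
    ca_hook_t sign = { "sign_request", 1, 0, {0}, 0 };
    ca_hook_register(&sign, sign_immediately);
    ca_hook_register(&sign, sign_defer);
    calls_seen = 0;
    if (ca_hook_run(&sign, "CN=device42", out, n) != CA_OK)
        return -1;
    return calls_seen;
}

/* A mandatory hook with no implementation configured fails the request. */
int demo_unconfigured_mandatory(void)
{
    ca_hook_t sign = { "sign_request", 1, 0, {0}, 0 };
    char out[64] = "";
    return ca_hook_run(&sign, "CN=device42", out, sizeof out);
}

/* Request Authorization is optional: with no implementation the request succeeds. */
int demo_unconfigured_optional(void)
{
    ca_hook_t authz = { "request_authorization", 0, 0, {0}, 0 };
    char out[64] = "";
    return ca_hook_run(&authz, "CN=device42", out, sizeof out);
}

/* Get Certificate Status runs all implementations: the second store is still
 * consulted after the first one answered. Returns how many implementations ran. */
int demo_status_run_all(void)
{
    ca_hook_t status = { "get_certificate_status", 0, 1, {0}, 0 };
    char out[64] = "";
    ca_hook_register(&status, status_revoked);
    ca_hook_register(&status, status_not_mine);
    calls_seen = 0;
    ca_hook_run(&status, "serial=0x1a", out, sizeof out);
    return calls_seen;
}

int main(void)
{
    char out[64] = "";
    printf("sign_request ran %d implementation(s): %s\n", demo_sign_request(out, sizeof out), out);
    printf("mandatory, unconfigured -> %d\n", demo_unconfigured_mandatory());
    printf("optional, unconfigured  -> %d\n", demo_unconfigured_optional());
    printf("status ran %d implementation(s)\n", demo_status_run_all());
    return 0;
}
```

The practical consequence for a deployment is the one the page hints at under "What does it do?": because run-first hooks stop at the first implementation that answers, the order in which backend modules are loaded determines which one signs, and an optional hook such as Request Authorization silently passes every request until an implementation is configured for it.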