Hi Jan,

We also have a separate web front end specifically for uploading CSRs and 
downloading the resulting Certificate, with no other certificate management 
functionality whatsoever. It communicates to the backend PKI via SCEP and was 
designed specifically to be used on a bastion host.

Best regards,

Scott

> On Feb 25, 2017, at 17:36, Oliver Welter <[email protected]> wrote:
> 
> Hi Jan,
> 
> On 25.02.2017 at 00:46, Jan Schermer wrote:
>> Hi,
>> I am working on a setup of company CA and I have some questions before I try 
>> setting up openxpki (Disclaimer: I just read through the docs).
> That's a good starting point ;)
> 
>> Thus I'd like to be able to have the CA online and running behind a 
>> firewall, not visible to the public, reaching out to an external RA for 
>> requests
>> 
>>      - CSRs, SCEP requests and any other public interface (OCSP) should be 
>> on an external machine
>>              I don't care much about SCEP, but I want to give the users some 
>> sort of an interface.
>>              I very much like how EJBCA does it - after signing is approved 
>> on the CA, the certificate gets pushed to the RA, notifications are sent and 
>> the user can retrieve the cert without further CA operator involvement.
>> 
>>      - That machine will never connect to the CA itself, but the CA will 
>> rather connect to it and gather requests. This is as close to an air-gapped 
>> setup as I feel is practical.
>> 
>> Is this possible? If not, is it easy enough to implement?
>> I can imagine a simple cron job INSERTing the requests into database and 
>> exporting finished certs, but it still needs some sort of a public 
>> interface... (Like a second OpenXPKI instance with deleted private keys?)
> 
> Ready to use - no, possible - yes, easy to implement - depends...
> 
> I see three options how to do that:
> 
> Shared Database: If you can accept a shared database, you can modify the 
> default csr workflows so the RA side stops when it comes to signing and a 
> scheduler on the CA side takes over.
> 
> NICE Interface: The "NICE" interface was made to encapsulate the CA key 
> operations to be sort of atomic. You can build your own instance of this 
> interface that writes the CSR to disk and polls for the certificate (See 
> OpenXPKI::Server::NICE::Local).
> 
> Custom Workflow: Write your own workflow that dumps the required data to the 
> filesystem, depending on your exact needs it might be necessary that the 
> existing classes need to be extended.
> 
> There is unfortunately not much documentation around, but examining the 
> existing workflows and reading the perldoc of the classes should give you an 
> idea.
> 
> best regards
> 
> Oliver
> 
> -- 
> Protect your environment -  close windows and adopt a penguin!
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! 
> http://sdm.link/slashdot
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

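The pull-only handoff Jan describes, and which Oliver's NICE and custom-workflow options sketch (the RA dumps CSRs to a spool, the CA side polls that spool, signs, and publishes the certificate back for the RA to serve), shown as an added example that is not part of this thread and not OpenXPKI code. It uses plain openssl and a local directory tree; the directory names, the `process_outbox` scheduler step and the file naming are all assumptions, and the "RA outbox" is populated with constructed test input (one valid CSR and one corrupt file) so the script runs offline.

```shell
#!/bin/sh
# Hypothetical CA-side poller for the "CA pulls from the RA" pattern.
# Constructed example: the RA exports CSRs into $RA_OUTBOX; the CA host
# fetches that directory (the CA initiates the transfer, the RA never
# connects inward), signs what it finds, and publishes certificates into
# $RA_INBOX for the RA to hand to users.
set -eu

WORK="$(mktemp -d)"
RA_OUTBOX="$WORK/ra/outbox"     # CSRs waiting for the CA (written by the RA)
RA_INBOX="$WORK/ra/inbox"       # signed certs for the RA to serve to users
CA_DIR="$WORK/ca"
mkdir -p "$RA_OUTBOX" "$RA_INBOX" "$CA_DIR/processed" "$CA_DIR/rejected"

# Test-only CA key and self-signed root; a production CA keeps the key in an HSM.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root/O=Example" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Constructed RA-side input: one valid CSR and one corrupt file that must be rejected.
make_requests() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=host1.example.internal/O=Example" \
        -keyout "$WORK/host1.key" -out "$RA_OUTBOX/host1.csr" 2>/dev/null
    printf 'this is not a CSR\n' > "$RA_OUTBOX/bogus.csr"
}

# The scheduler step: pull pending CSRs, check them, sign, publish, archive.
process_outbox() {
    for csr in "$RA_OUTBOX"/*.csr; do
        [ -e "$csr" ] || continue
        name="$(basename "$csr" .csr)"
        # Reject anything that is not a well-formed CSR with a valid self-signature;
        # the RA host is the exposed side, so nothing it hands over is trusted blindly.
        if ! openssl req -in "$csr" -verify -noout >/dev/null 2>&1; then
            mv "$csr" "$CA_DIR/rejected/$name.csr"
            continue
        fi
        # Sign with the CA key; openssl tracks the serial in ca.srl next to ca.crt.
        openssl x509 -req -in "$csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
            -CAcreateserial -days 7 -out "$RA_INBOX/$name.crt" 2>/dev/null
        # Archive the request so the same CSR is never picked up twice.
        mv "$csr" "$CA_DIR/processed/$name.csr"
    done
}

# Check the RA would run before serving a cert: does it chain to our root?
cert_ok() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$RA_INBOX/$1.crt" >/dev/null 2>&1
}

make_ca
make_requests
process_outbox
ls "$RA_INBOX" "$CA_DIR/rejected"
```

In a real deployment `process_outbox` would run from cron on the CA host after it pulls the outbox over a CA-initiated channel (rsync or scp from the CA to the RA), and the approval step the thread mentions would sit between the CSR check and the `openssl x509 -req` call; the point of the layout is that the RA only ever writes files into its own outbox and reads files from its own inbox.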