GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
OpenXPKI::Server::NICE(3) User Contributed Perl Documentation OpenXPKI::Server::NICE(3)

OpenXPKI::Server::NICE

NICE ist the Nice Interface for Certificate Enrollment. This class is just a stub to be inherited by your specialised backend class.

The mandatory input parameters are directly passed to the methods while the mandatory return values should be returned as a hash ref by the method call and are written to the context by the surrounding activity functions. The implementations are free to access the context to transport internal parameters.

If the expected operation could not be completed, the method MUST return undef, it is recommended to set a verbose error in the last_error class attribute (this might also show up on the UI).

The methods should NOT use workflow controls as pause or retry, this should be left to the activity classes. Methods should throw exceptions only on final errors (such that will not succeed when called again with the same input data).

Submit a certificate request for a new certificate. The certificate request entry from the database is passed in as hashref.

Note that it highly depends on the implementation what properties are taken from the pkcs10 container and what can be overridden by other means. PKCS10 is the default format which should be supported by any backend. You might implement any own format. See documentation of the used backend for details.

In case the backend has processed the request but needs extra time to process it, the response should be a hash with cert_identifier set to undef. The backend should support pickup of the certificate by fetch certificate in this case and keep information in the context to process this call.

Parameters

ca_alias - name of the ca-token to use

Return values

cert_identifier - the identifier of the issued certificate

csr attributes

Besides the properties of the csr, following attributes should be processed where applicable.

Submit a certificate renewal request. Same as issueCertificate but receives the certificate identifier of the originating certificate as second parameter.

This is only valid if issueCertificate or renewCertificate returned with a pending request and tries to fetch the requested certificate. If successful, the cert_identifier context parameter is populated with the identifier, otherwise the pending marker remains in the context. If the fetch finally failed, it should unset the cert_identifier.

Output

cert_identifier - the identifier of the issued certificate

Request the ca to add this certificate to its revocation list. Expects the cert_identifer (mandatory) and optional additional information about the revocation. Some backends can handle an extra parameter hash at the end of the list.

Parameters

cert_identifier - the certificate identifier of the cert to revoke

Return Values

Boolean, true if the request was processed. Should throw an exception if revocation is not possible.

Might only valid after calling revokeCertificate.

Check if the certificate revocation request was processed and set the status field in the certificate table to REVOKED/HOLD. The special state HOLD must be used only if the certificate is marked as "certificateHold" on the issued CRL or OCSP.

Parameters

Return Values

true if the certificate is revoked, false if not.

Remove a formerly revoked certifiate from the revocation list. Expects the certificate identifier. Only allowed after "certificateHold", sets the status field of the certificate status table back to ISSUED immediately.

Input

Trigger issue of the crl and write it into the "crl" parameter. The parameter ca_alias contains the alias name of the ca token.

In case the backend has processed the request but needs extra time to process it, the response should be a hash with csr_serial set to undef. The backend should support pickup of the certificate by fetchCrl in this case and keep information in the context to process this call.

Parameters

Return values

Only valid after calling issueCRL, tries to fetch the new CRL. See issue/fetchCertificate how to use the pending marker.

Generate and return a private key according to the parameters passed. Supported modes and parameter sets depend on the backend, some backends might even not implement this method.

Input

Output

Return value is a hash, the encrypted key must be returned in the key pkey.

Additional arguments might be returned by the backend.

Fetch a key created by with generateKey from the backend. Usage of the password and key_transport settings might differ between implementations.

Input

Expect the name of the context field as parameter and returns the appropriate context value. Does not deserialize the content.

Expect the name of the context field, and its new value. Does not serialize the content.

Persist a certificate into the certificate table and store implementation specific information in the datapool. The first parameter is a hash with the fields explained below. The second parameter is serialized "as is" and stored in the datapool and can be retrieved later using "__fetchPersistedCertificateInformation".

Mandatory Keys

The PEM encoded certificate.

Optional Keys

Identifier of the issuer certificate, if not set the method tries to autodetect it by searching the certificate table for a certificate matching the authority key identifier. If the certificate has no authority key identifier set, the lookup is done on the the issuer dn.

If no match is found, the chain parameter is evaluated.

If no issuer identifier can be found, it is set to unknown.

For implementations working with external issuers, this provides an alternative to complete the issuer chain. Passes the parameter as input to the "__import_chain" method.

Return the hashref for a given certificate identifiere stored within the datapool using "__persistCertificateInformation".

Expects a list of PEM encoded certificates to import. The first item must be the entity certificate. Import must be activated by setting the import_chain parameter, imported entities can be registered as a new alias setting the register_issuer parameter.

The NICE API implements every operation in two individual steps to support asynchronus operating backends. If you are building a synchronus backend, you can ommit the implementation of the second steps.

The activity definitions in OpenXPKI::Server::Workflow::Activity::NICE::* show the expected usage of the API functions.

The following class attributes can to be set from the implementing class to modify internal behaviour.

Default is none which deactivates any import of chain certificates, valid values are all which also imports missing root certificates and chain which requires the root exist in the database.
Default is empty, needs to be set to the name of an alias group.

If a new entity is imported into the database by "import_chain", it is added to the alias group given as register_issuer.

Note: auto registration of a "new" issuer is not run if the certificate already exists in the database.

The request information must be taken from the csr and csr_attributes tables.

The method must persist the certificate by calling __persistCertificateInformation and write the certificates identifier into the context parameter cert_identifier.

2025-07-15 perl v5.40.2
Search for    or go to Top of page |  Section 3 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.