Wednesday, November 19, 2008

Simple Certificate Archival solution


From syscheck 1.2 and on there is a script-based archival solution.

New and revoked certificates are stored on local disk in a file-tree and optional remote SSH server.

syscheck svn:

Setup of publisher

Go to: EJBCA Adminweb → ”Edit Publishers” → Add new name: ”Archival publisher”

Select/ enter the following:

Publisher Type: ”Custom Publisher”

Class Path: ””

Properties of Custom Publisher:

crl.application /path/to/syscheck/related-enabled/

crl.failOnStandardError true

crl.failOnErrorCode true

cert.application /path/to/syscheck/related-enabled/

cert.failOnStandardError true

cert.failOnErrorCode true

revoke.application /path/to/syscheck/related-enabled/

revoke.failOnStandardError true

revoke.failOnErrorCode true

Use the publisher on CA:s

Go to: EJBCA Adminweb → ”Edit Certificate Authorites”

Select the CA you want CRL archival on, then click on edit CA

At ”CRL Publishers”:

Select ”Archival publisher”

Do this for all CA:s you want CRL Archival for.

Use the publisher on Certificate profile:s

Go to: EJBCA Adminweb → ”Edit Certifcate Profiles”

At: ”Publishers”

Select ”Archival publisher”

Do this for all Certificate profiles:s you want Certifcate Archival for.