How to set revocation URLs in intermediate CA with PKIAAS?

I have a .csr for my intermediate CA to sign with my Nitrokey HSM2.

In PKI-as-a-Service, after .csr submission and approval, I go to Views / Service Requests. Then:

  • I click on the ID matching the signature request
  • I click on Issue Certificate
  • I click on Accept Certificate

Then I click on the certificate name, and in the “non-critical extensions” I see this line:

Certificate Revocation List Distribution Points | Uniform Resource Identifier http://localhost:8080/se/crl/1

I suspect I’ll have to access PKIAAS through something like :80 and create a new root CA so the sub CA will end up with the following CRLDP URI: http://<fqdn>/se/crl/1.

Otherwise, how could I define arbitrary URL for CRL?
Is there a way to specify a URL for OCSP too?

I guess the use case “Certify external CA” is currently not well supported.

We have a feature on the ToDo list to add better profile support for certificate issuing. We should add options to handle those corner cases.

In the meantime you could use a custom service request. The portal has a plug-in mechanism that allows intercepting existing workflow processing. We use that in our own portal to auto-approve certificate requests for the DevNetCA.

I suspect I’ll have to access PKIAAS through something like :80 and create a new root CA so the sub CA will end up with the following CRLDP URI: http://<fqdn>/se/crl/1.
I tried that and it didn’t work, the new URL is: http://localhost:8080/se/crl/2

My understanding is that certificates are systematically issued with an unreachable URI for certificate validation, so there is basically no revocation possible when using standard service requests. If I am correct, how is this a corner case?

In the meantime you could use a custom service request.

Do you have pointers on how to do that, by any chance?

The CRL-DP is always in the issued certificate, not the CA certificate. In your case, the Sub-CA certificate contains the CRL-DP of the Root-CA.

The URL is automatically determined from the ServerURL in the configuration. Here it is http://localhost:8080/se.

You need to issue the first CRL in the portal with CA / Issue CRL. After that the CRL is available in the CRL-DP shown in the certificate.

For writing your own plug-ins, we don’t have a manual yet. You could use one of the existing plug-ins in the CDN to see how that is supposed to work.
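To make the behaviour described in the reply above concrete, here is an added example (not code from PKIaaS or Nitrokey) that builds the same structure with plain OpenSSL: a throwaway Root CA, a Sub-CA certificate signed with a CRL-DP pointing at the Root's CRL, the Root's first CRL, and a revocation check before and after revoking the Sub-CA. The ServerURL value http://pki.example.internal/se and the CA id 1 are assumptions standing in for the portal's configuration; the URI is assembled as <ServerURL>/crl/<id> to match the form shown in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from PKIaaS or Nitrokey. It shows with
# plain OpenSSL that the CRL-DP lives in the certificate a CA *issues* (here the
# Sub-CA cert), not in the CA's own cert, and that a CRL check only succeeds once
# the issuer has published its first CRL. SERVER_URL and CA_ID are assumptions.
SERVER_URL="${SERVER_URL:-http://pki.example.internal/se}"
CA_ID="${CA_ID:-1}"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

# Derive the CRL-DP URI the way the thread describes it: <ServerURL>/crl/<ca id>.
crldp_uri() { printf '%s/crl/%s\n' "$1" "$2"; }

# OpenSSL config: Root CA extensions (no CRL-DP), Sub-CA extensions (with the
# Root's CRL-DP) and the "openssl ca" database used to produce the Root's CRL.
write_openssl_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ req ]
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$2
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
new_certs_dir = $1
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/root.pem
private_key = $1/root.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Throwaway Root CA, a Sub-CA CSR signed by it, and the Root's first (empty) CRL.
build_demo_pki() {
  dir="$1"; cnf="$1/openssl.cnf"
  mkdir -p "$dir" && write_openssl_cnf "$dir" "$2" || return 1
  q openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key" || return 1
  q openssl req -new -config "$cnf" -key "$dir/root.key" -subj "/CN=Demo Root CA" -out "$dir/root.csr" || return 1
  q openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
      -extfile "$cnf" -extensions v3_root -out "$dir/root.pem" || return 1
  # The Sub-CA CSR plays the role of the .csr submitted to the portal.
  q openssl ecparam -name prime256v1 -genkey -noout -out "$dir/sub.key" || return 1
  q openssl req -new -config "$cnf" -key "$dir/sub.key" -subj "/CN=Demo Sub CA" -out "$dir/sub.csr" || return 1
  q openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
      -days 30 -extfile "$cnf" -extensions v3_sub -out "$dir/sub.pem" || return 1
  # The "CA / Issue CRL" step. Until this runs, the CRL-DP points at nothing.
  : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  q openssl ca -config "$cnf" -gencrl -out "$dir/root.crl"
}

# Print the URI(s) in the certificate's CRL Distribution Points (empty if none).
cert_crldp_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Print good / revoked / error: chain build with CRL checking of the leaf cert.
revocation_status() {
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then
    echo good
  elif printf '%s\n' "$out" | grep -qi 'certificate revoked'; then
    echo revoked
  else
    echo error
  fi
}

# Revoke a certificate in the Root's database and publish a fresh CRL.
revoke_and_reissue_crl() {
  q openssl ca -config "$1/openssl.cnf" -revoke "$2" || return 1
  q openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/root.crl"
}

demo_main() {
  dir="$(mktemp -d)"
  build_demo_pki "$dir" "$(crldp_uri "$SERVER_URL" "$CA_ID")" || { echo "OpenSSL step failed" >&2; return 1; }
  echo "CRL-DP in Root CA cert  : '$(cert_crldp_uri "$dir/root.pem")' (none: a CA cert does not carry its own)"
  echo "CRL-DP in Sub-CA cert   : $(cert_crldp_uri "$dir/sub.pem")"
  echo "Sub-CA before revocation: $(revocation_status "$dir/sub.pem" "$dir/root.pem" "$dir/root.crl")"
  revoke_and_reissue_crl "$dir" "$dir/sub.pem"
  echo "Sub-CA after revocation : $(revocation_status "$dir/sub.pem" "$dir/root.pem" "$dir/root.crl")"
  rm -rf "$dir"
}
demo_main
```

Run it with sh. It prints the CRL-DP found in each certificate and the verify result before and after revocation, which encodes the practical checks worth doing against a PKIaaS-issued Sub-CA: the Root certificate carries no CRL-DP at all, the Sub-CA certificate carries the Root's, and openssl verify -crl_check fails until a CRL actually exists at that URI (fetched out of band here, since the example runs offline).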

Indeed, after setting the ServerURL and rebuilding the image we get a usable URI. Even if the URI cannot be set arbitrarily, that is enough to unblock us.

We updated docker-compose.yml to mount the configuration file as a read-only volume, so we don’t have to run the deploy script on configuration changes.

Thank you!