[security-dev] PicketLink and Certificate Management API

Pedro Igor Silva psilva at redhat.com
Wed Jun 18 14:32:30 EDT 2014

Sorry, the there was a error on the example. This is the correct code:

X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key


----- Original Message -----
From: "Pedro Igor Silva" <psilva at redhat.com>
To: "security-dev >> \"security-dev" <security-dev at lists.jboss.org>
Sent: Wednesday, June 18, 2014 3:28:40 PM
Subject: [security-dev] PicketLink and Certificate Management API


    We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications.

    The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it.

    In the future, we also want to provide:

        - RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK).
        - Better support for html5 and mobile applications that require some kind of support for certificates, assymetric keys, signature and encryption. Specially when using JWT and JOSE.
        - Support Java KeyStores to load and store keys.

    So far we did something like:

       CertificateConfig config = new DefaultCertificateConfig();

       // set config with signature algo, cert sign algo, default validity, bit length, etc

       // create a CA based on a existing partition
       CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);

       User user = // get user

       CertificateRequest certRequest = new DefaultCertificateRequest(user, config)

       X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key

    We're still working on it. But would like to check your feedback or opinions about requirements and use cases.

Pedro Igor
security-dev mailing list
security-dev at lists.jboss.org

More information about the security-dev mailing list