[security-dev] PicketLink and Certificate Management API
Pedro Igor Silva
psilva at redhat.com
Wed Jun 18 14:32:30 EDT 2014
Sorry, there was an error in the example. This is the correct code:
X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key
----- Original Message -----
From: "Pedro Igor Silva" <psilva at redhat.com>
To: "security-dev >> \"security-dev" <security-dev at lists.jboss.org>
Sent: Wednesday, June 18, 2014 3:28:40 PM
Subject: [security-dev] PicketLink and Certificate Management API
We're looking to provide an API to easily enable Key and Certificate Management for PicketLink-based applications.
The idea is to turn a partition into a Certification Authority, responsible for issuing, validating, revoking and renewing certificates for the identity types (e.g. users, devices, etc.) associated with it.
In the future, we also want to provide:
- RESTful Endpoints to perform not only certificate operations, but also manage keys. Especially public keys. Probably using JSON Web Keys (JWK).
- Better support for HTML5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption. Especially when using JWT and JOSE.
- Support Java KeyStores to load and store keys.
So far we did something like:
CertificateConfig config = new DefaultCertificateConfig();
// set config with signature algo, cert sign algo, default validity, bit length, etc
// create a CA based on a existing partition
CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);
User user = // get user
CertificateRequest certRequest = new DefaultCertificateRequest(user, config);
X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key
We're still working on it, but would like to get your feedback or opinions about requirements and use cases.
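As an added illustration (not PicketLink code, and not part of the original message), the following shows what a `DefaultCertificateAuthority.issue()` call as proposed above has to do underneath, using Bouncy Castle's X.509 builder (bcpkix assumed on the classpath); the class, key pairs and names are constructed for the example, and the `main` also performs the two checks a later `validate` step depends on.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CaIssueExample {
    // Stand-ins for the "config" values in the proposal: signature algorithm, key size, default validity.
    static final String SIG_ALG = "SHA256withRSA";
    static final int KEY_BITS = 2048;
    static final int DEFAULT_VALIDITY_DAYS = 365;

    /** Issue an end-entity certificate for subjectKey, signed with the CA's private key. */
    static X509Certificate issue(X500Name caName, PrivateKey caKey, X500Name subject,
                                 PublicKey subjectKey, int validityDays) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validityDays * 86_400_000L);
        // Serial numbers must be unique per CA; a random 128-bit value avoids collisions.
        BigInteger serial = new BigInteger(128, new SecureRandom());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caName, serial, notBefore, notAfter, subject, subjectKey);
        // cA=false (critical): a user certificate must never be usable to sign further certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).build(caKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(KEY_BITS);
        KeyPair caKeys = gen.generateKeyPair();   // the partition's CA key pair (constructed)
        KeyPair userKeys = gen.generateKeyPair(); // the user's key pair, as carried in a request
        X500Name caName = new X500Name("CN=Example Partition CA");
        X509Certificate userCert = issue(caName, caKeys.getPrivate(), new X500Name("CN=jdoe"),
                                         userKeys.getPublic(), DEFAULT_VALIDITY_DAYS);
        // The two checks "validate" must always perform: CA signature and validity window.
        userCert.verify(caKeys.getPublic()); // SignatureException if not signed by this CA's key
        userCert.checkValidity();            // CertificateExpiredException / NotYetValidException
        System.out.println("Issued " + userCert.getSubjectX500Principal() + " by "
                + userCert.getIssuerX500Principal() + ", serial " + userCert.getSerialNumber());
    }
}
```

Revocation, the third operation in the proposal, is not shown; it would add a CRL or OCSP check keyed on the serial number printed at the end.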