[security-dev] PicketLink and Certificate Management API

Anil Saldhana Anil.Saldhana at redhat.com
Thu Jul 3 12:41:26 EDT 2014


Pedro,
   if the partition can perform the tasks of a CA, that is fine.

But we need a separate independent code base to do the Certificate 
Management.

We may have a circular dependency here because the Cert Mgmt stuff may 
want to use PL IDM to interact with the data stores - file, ldap,DB. :)

Regards,
Anil

On 06/18/2014 01:35 PM, Pedro Igor Silva wrote:
> Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide an UI based on that.
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "security-dev >> \"security-dev" <security-dev at lists.jboss.org>
> Sent: Wednesday, June 18, 2014 3:32:30 PM
> Subject: Re: [security-dev] PicketLink and Certificate Management API
>
> Sorry, the there was a error on the example. This is the correct code:
>
> X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key
>
>    
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "security-dev >> \"security-dev" <security-dev at lists.jboss.org>
> Sent: Wednesday, June 18, 2014 3:28:40 PM
> Subject: [security-dev] PicketLink and Certificate Management API
>
> Hi,
>
>      We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications.
>
>      The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it.
>
>      In the future, we also want to provide:
>
>          - RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK).
>          - Better support for html5 and mobile applications that require some kind of support for certificates, assymetric keys, signature and encryption. Specially when using JWT and JOSE.
>          - Support Java KeyStores to load and store keys.
>
>      So far we did something like:
>
>         CertificateConfig config = new DefaultCertificateConfig();
>
>         // set config with signature algo, cert sign algo, default validity, bit length, etc
>
>         // create a CA based on a existing partition
>         CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);
>
>         User user = // get user
>
>         CertificateRequest certRequest = new DefaultCertificateRequest(user, config)
>
>         X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key
>
>      We're still working on it. But would like to check your feedback or opinions about requirements and use cases.
>
> Regards.
> Pedro Igor


More information about the security-dev mailing list