vrk-kpa / xroad-joint-development

Unmaintained repository. Development moved to: https://github.com/nordic-institute/X-Road-development

Adding an Approved Certification Service #225

Closed hainguyen291 closed 6 years ago

hainguyen291 commented 6 years ago

Hi everyone,

I am trying to create a certification service from the central server. However, I don't know how to find a file like this: "Locate the certification service CA certificate file and click Next." When do we have this file before this step?

Regards,

Hai.

petkivim commented 6 years ago

Hi @hainguyen291,

Certification service / certification authority is an external service that is not part of the X-Road software. Please see the system architecture document for more detailed information about the role of the certification authority.

For testing purposes you can set up your own CA using some open source component, e.g. EJBCA or the openssl-based test CA that's available on the X-Road GitHub repository. For a production environment it's recommended to use a trusted certification authority.

Creating a certification service to the central server means that you must upload the root certificate of the CA that you're using to the central server and define the URL of the OCSP service provided by the CA.

Another external service that you need for running an X-Road instance is a time-stamping service / time-stamping authority.

hainguyen291 commented 6 years ago

Hi @petkivim

I am trying to deploy the openssl-based test CA. However, when I run the init.sh script, under ca, I got this error:

[Image: screenshot from 2018-05-08 10 15 44]

I keep all default value for these parameters (didn't edit anything):

dn parameters

```
DN_COUNTRY="{{ xroad_ca_dn_country }}"
DN_CA_O="{{ xroad_ca_o }}"
DN_CA_OU="{{ xroad_ca_ou }}"
DN_CA_CN="{{ xroad_ca_cn }}"
DN_OCSP_O="{{ xroad_ca_ocsp_o }}"
DN_OCSP_OU="{{ xroad_ca_ocsp_ou }}"
DN_OCSP_CN="{{ xroad_ca_ocsp_cn }}"
DN_TSA_O="{{ xroad_ca_tsa_o }}"
DN_TSA_OU="{{ xroad_ca_tsa_ou }}"
DN_TSA_CN="{{ xroad_ca_tsa_cn }}"
```

hainguyen291 commented 6 years ago

@petkivim I found out the error is due to the country code being longer than 2 characters. So, I edited DN_COUNTRY="vn" and ran the script successfully.

However, I got a problem when trying to use EjbcaCertificateProfileInfoProvider, and the same problem with FiVRKCertificateProfileInfoProvider, as the provider.

[Image: screenshot from 2018-05-08 10 48 51]

How can I solve this problem?

Regards Hai
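Editor's added example, not part of the thread or of the X-Road test CA scripts: a preflight check for the DN_* settings discussed above, run before init.sh. It flags values still holding unrendered `{{ ... }}` template placeholders and a DN_COUNTRY that is not a two-letter code (the X.509 countryName attribute is limited to two characters). It assumes the settings sit in a file of KEY="value" lines; the function name, file names and the "Test CA" value are made up for the illustration.

```shell
#!/bin/sh
# Preflight check (added example) for the DN_* settings shown in the thread.
# Returns 0 when the settings look usable, 1 otherwise; problems go to stderr.
check_dn_settings() {
    file=$1; status=0; seen_country=0
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case $key in DN_*) ;; *) continue ;; esac
        value=${value#\"}; value=${value%\"}      # drop surrounding quotes
        case $value in
            *'{{'*|*'}}'*)
                # Template placeholder was never replaced with a real value
                echo "$key: unrendered placeholder '$value'" >&2
                status=1; continue ;;
            '')
                echo "$key: empty value" >&2
                status=1; continue ;;
        esac
        if [ "$key" = DN_COUNTRY ]; then
            seen_country=1
            case $value in
                [A-Za-z][A-Za-z]) ;;               # two-letter code, e.g. "vn"
                *)  echo "DN_COUNTRY: '$value' is not a 2-letter country code" >&2
                    status=1 ;;
            esac
        fi
    done < "$file"
    if [ "$seen_country" -eq 0 ]; then
        echo "DN_COUNTRY: not set to a usable value" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample input: unedited template values, then an edited file.
tmp=$(mktemp -d)
cat > "$tmp/template.env" <<'EOF'
DN_COUNTRY="{{ xroad_ca_dn_country }}"
DN_CA_O="{{ xroad_ca_o }}"
EOF
cat > "$tmp/fixed.env" <<'EOF'
DN_COUNTRY="vn"
DN_CA_O="Test CA"
EOF
check_dn_settings "$tmp/template.env" || echo "template.env rejected"
check_dn_settings "$tmp/fixed.env" && echo "fixed.env accepted"
rm -rf "$tmp"
```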

hainguyen291 commented 6 years ago

It is my bad, I should add the full path of this provider instead of its name. ee.ria.xroad.common.certificateprofile.impl.EjbcaCertificateProfileInfoProvider solved my problem.