Through the Cert Safe Publisher, you can configure EJBCA to publish certificate issuance and lifecycle events (revoke and unrevoke) over HTTPS to a Cert Safe server using the Cert Safe REST API.

The publisher allows you to make certificates and lifecycle events accessible in systems external to the CA. To receive the events, the external system needs to implement the Cert Safe REST API, see Cert Safe REST API.

For more information on different publishers and their purposes, see Publishers Overview and for information on setting p publishers, see Publishers Management.

The HTTPS request body is a JSON object with the following fields:

  • status
  • revocationReason (optional)
  • pem

The following provides an example of the JSON object:

{                                                                       
	"status": "revoked",                                              
	"revocationReason": "keyCompromise",                             
	"pem": "-----BEGIN CERTIFICATE-----\n                             
	MIIDWTCCAkGgAwIBAgIIAZmQ+6dVVfgwDQYJKoZIhvcNAQEFBQAwOzEVMBMGA1UE\n
	AwwMTWFuYWdlbWVudENBMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUxCzAJBgNVBAYT\n
    	AlNFMB4XDTE0MDMwNDEwNTEyM1oXDTE2MDMwMzEwNTEyM1owETEPMA0GA1UEAwwG\n
	    c3NsZm9vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2nqbOm3ocTTm\n
    	jU49UgP7ugnhg427zHaPdJjWuMt1ZopVzF/46EEsHIfxyGL59J3otgMEXXBJgJwC\n
    	QuZgtqfByAgKIWvrgcxBhvkCe6NRjNAJv0DPaxsEJRqpQEFxV3Eo24eOpN+mxWIm\n
    	6h3N3vTgaaDBQTQMvcb3MndJDWte4+HoBwMtuJdfRapIjcCIkyfiNJKkS4NMvYGw\n
    	G+lrReq4Za0Qhyqejjf4BB+QdE7xetZAtck9HAUlM28/zUuilPNeyftK7lR1Qcyp\n
    	MxIYo6YI2mDbSDre7pr21srZB5lBdOP3dAb5B5MFZ7d4qqljygEb0HuUXedqu4pj\n
    	8e4VNtv7EwIDAQABo4GKMIGHMB0GA1UdDgQWBBR3QlV5l7AvnfNN7D6sILhjMNHs\n
    	LTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMIAelgt0T0LdOBNNFKBKb5rcu4V\n
    	MA4GA1UdDwEB/wQEAwIF4DAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG\n
    	CCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQADfEI0DgJVBHe63YCC8AhLo+VX\n
    	Fudi97WmCJGfHMx42HaaQvHtIvvpCw8TUZ08k49gUv+qtRlznaKFQb02DjbWgyeY\n
    	TKuCwueiXhMIb7i4Af1+cMFrajBGOYrjYkbGGOwfyN8KcOrQxQk30vBf47DGRtX8\n
    	80fV12f1NWng1KD3ye7VcTnFQTkbwvZAT2aDQorqND8c7Pn8dEpPNnpP67EsLIvH\n
    	biLb4qeaMa0pr21cE2LMV7ZhdyNbziiITB2oNsrdLIcKeTGKqmGSLDec6N0DPnmb\n
    	NlJNaBcs77G2JSJfh908HEtaVqH+u5cKElV3pRSBbS9Z6DcAlwaC64G6tKs0\n    
    	-----END CERTIFICATE-----"                                        
} 
XML

Configure Cert Safe Publisher

The Cert Safe Publisher is set up on the EJBCA Manage Publisher page.

To add and configure the publisher:

  1. Click Publishers under CA Functions to open the Manage Publishers page.
  2. In the Add Publisher field, enter a publisher name, and click Add to create a new publisher.
  3. From the List of Publishers on the Manage Publishers page, select the newly created publisher and click Edit Publisher.
  4. On the Edit Publisher page, specify the following:
    • Publisher Type: CertSafePublisher (Class Path: (not modifiable) org.ejbca.core.model.ca.publisher.CertSafePublisher).
    • CertSafe Server URL: In the format: https://HOST:PORT/RELATIVE_PATH, for example, https://certsafe.host.domain/PrimeKey/certificates.
    • Authentication Key Binding for Connection: Name of the Authentication Key Binding used to authenticate (TLS) against the Cert Safe server.
    • HTTPS connection timeout: connection timeout:  Defaults to 10s.
  5. Click Save and Test Connection to store the information and validate the configuration.
  6. Once the publisher is created, it needs to be selected in the Certificate Profile Publishers list to be active. For more information, see Publishers Management.

For more information on creating an Authentication Key Binding token to specify the parameters used to establish the connection with the HTTPS server, see Internal Key Bindings Overview.

Troubleshooting

Server Errors

If an error occurs on the server, EJBCA expects an error message sent inside a JSON object with the keyword error, and the error message is displayed in the log file.

The following provides an example of the error JSON object:

{                                                                       
	"error": "An error message from the server.",                                              
} 
BASH

Publisher Failures

To avoid certificates going missing in the CertSafe server if publishing fails due to a network fail, for example, it is recommended to configure a Publish Queue Process Service. For more information, see Publishers Overview and Publisher Queue Process Service.