Publishing with an External Application

A lightweight alternative to developing a new custom publisher for exporting CRLs, certificates, and revocations is to use the General Purpose Custom Publisher (GPCP). GPCP allows exporting DER-encoded CRLs, certificates and/or revocations with a script (using scp or similar). The GPCP creates a temporary file and executes the script with the full pathname to the temporary file as an argument.

To view and edit the General Purpose Custom Publisher (GPCP), access to external scripts must be enabled using the option Enable External Script Access under System Configuration > External Scripts.

To let the publisher ignore an error in the execution of a script, edit the publisher properties. By default, the publisher treats both output to standard error and a non-zero exit code returned by the script as a failed publishing.

To start using the GPCP, do the following:

  1. Select Admin GUI > Manage Publishers and add a publisher GPCP.
  2. Click Edit Publisher and specify the following:
    1. Publisher Type: General Purpose Custom Publisher
    2. Properties:
      • Full pathname of X publishing script: For example /fullpathname/exportscript.sh for Unix/Linux or C:/fullpathname/exportscript.bat on MS Windows.
      • Fail X publishing on script error code: Will treat the publishing as unsuccessful if the script returns with a non-zero error code.
      • Fail X publishing on output to stderr: Will treat the publishing as unsuccessful if the script writes anything to standard error.
      • Calculate Delta CRL locally: Described below.
  3. Click Save and Test Connection to save the entered information and validate that the specified applications exist.
  4. Select Admin GUI > Certificate Authorities and select GPCP as your new CRL publisher.
  5. Click Save.
  6. To test CRL publishing, select Admin GUI > Basic Functions and click Create CRL.
  7. To test certificate publishing, select Admin GUI > Certificate Authorities and select a CA, click Edit and then Republish CA Certificates.

Note that more advanced scripts or applications allow using additional arguments:

  • cert.application fulltempfilepathname x509type certificateDN issuerDN certHexSerialNumber
  • revoke.application fulltempfilepathname x509reason certificateDN issuerDN certHexSerialNumber

Depending on the application, the GPCP can calculate whether a CRL is a delta CRL. Set the crl.calclulateDeltaCrlLocally parameter to true to enable the GPCP calculation. Disable the parameter if you wish to check this in an external script (or not at all). The result of this check, if run, is printed last in the argument list of the script.

The following displays an example Linux script for certificate publishing:

#!/usr/bin/env bash
# Append the argument list (temporary file, x509type, certificate DN, issuer DN, hex serial number) to a log.
# "$@" keeps each argument intact even when a DN contains spaces.
echo "$@" >> /home/user/publisherlog.txt
# Copy the DER-encoded certificate out of the temporary file that EJBCA created.
cp "$1" /home/user/cert.crt
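The following is a more defensive script for the same certificate and revocation publishing calls, added here as an example that is not part of the EJBCA documentation. It validates the temporary file and the serial number before using them, and reports every problem on stderr with a non-zero exit code so that the "Fail X publishing" options mark the publishing as failed. The staging directory GPCP_DEST, the file naming and the symlink-based dispatch are assumptions of this example.

```shell
#!/bin/sh
# Added example: one GPCP script usable as both the certificate and the revocation
# publishing script. EJBCA calls it with the documented argument lists:
#   cert:   <tempfile> <x509type>   <certificateDN> <issuerDN> <certHexSerialNumber>
#   revoke: <tempfile> <x509reason> <certificateDN> <issuerDN> <certHexSerialNumber>
# Assumption: GPCP_DEST (local staging directory) and the file names are ours, not EJBCA's.
set -eu
GPCP_DEST="${GPCP_DEST:-/var/lib/gpcp-export}"

# Report on stderr and exit non-zero: both are detected by the GPCP as a failed publishing.
die() { echo "gpcp: $*" >&2; exit 1; }

# The temp file must be a non-empty DER structure; a DER SEQUENCE starts with tag 0x30.
check_der_file() {
    [ -s "$1" ] || die "missing or empty temp file: $1"
    [ "$(od -An -N1 -tx1 "$1" | tr -d ' \n')" = "30" ] || die "not DER: $1"
}

# The serial number becomes part of a file name: allow hex digits only, normalised to upper case.
safe_serial() {
    case "$1" in ""|*[!0-9A-Fa-f]*) die "bad serial number: $1" ;; esac
    printf '%s' "$1" | tr 'a-f' 'A-F'
}

publish_cert() {    # tempfile x509type certificateDN issuerDN certHexSerialNumber
    check_der_file "$1"
    serial="$(safe_serial "$5")" || exit 1
    mkdir -p "$GPCP_DEST"
    cp -- "$1" "$GPCP_DEST/$serial.crt"
    printf 'CERT %s type=%s subject=%s issuer=%s\n' "$serial" "$2" "$3" "$4" >> "$GPCP_DEST/publish.log"
}

publish_revoke() {  # tempfile x509reason certificateDN issuerDN certHexSerialNumber
    check_der_file "$1"
    serial="$(safe_serial "$5")" || exit 1
    mkdir -p "$GPCP_DEST"
    rm -f -- "$GPCP_DEST/$serial.crt"
    printf 'REVOKE %s reason=%s subject=%s issuer=%s\n' "$serial" "$2" "$3" "$4" >> "$GPCP_DEST/publish.log"
}

# Dispatch on the name the script was installed under: configure a symlink such as
# /fullpathname/revoke.sh as the revocation script and cert.sh as the certificate script.
if [ "$#" -eq 5 ]; then
    case "${0##*/}" in
        *revoke*) publish_revoke "$@" ;;
        *)        publish_cert "$@" ;;
    esac
elif [ "$#" -gt 0 ]; then die "expected 5 arguments, got $#"; fi
```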