Publish artifacts to a server using SCP
EJBCA Enterprise contains a publisher called "SCP publisher" which can publish CRLs and certificates to another server using SCP.
It would be nice to have something similar in EJBCA Community. The publisher in EJBCA Enterprise also has certain limitations, e.g. it publishes the certificates as serialised Java objects, which makes it difficult to read them with a non-Java application. It could also be useful to be able to invoke a script after the publisher has completed.
There is a library here on GitHub called sshj which provides an SCP client for Java.
The publisher could be written as a plugin by adding a class to the org.ejbca.scp.publisher package. For example:
package org.ejbca.scp.publisher;

import org.ejbca.core.model.ca.publisher.*;

public class ScpPublisherv2 extends CustomPublisherContainer implements ICustomPublisher, CustomPublisherUiSupport {
    // Implementation of the ICustomPublisher and CustomPublisherUiSupport methods goes here
}
Here are some features which would be nice to have:
- Support publishing of CRLs, certificates and pre-produced OCSP responses
- Attempt to create the specified directory if it does not exist
- Support the following variables in path:
  - ISO_TIMESTAMP, e.g. 2022-01-01T13:37
  - ISSUER_DN, e.g. CN=Foo CA,O=Foo AB,C=SE
  - ISSUER_CN, e.g. Foo CA
  - SERIAL_NUMBER (only for certificates), e.g. 0E34CB12
  - CRL_NUMBER (only for CRLs), e.g. 3
- Atomic publishing by transferring to a temporary directory and then moving the file to the correct location
- Optionally invoke the specified script after publishing
- Authenticate with a private key which is either uploaded as a file or pasted in a textbox
- The button "Save and test connection" should print the current public key fingerprint of the server
- The button "Save" should cache the current public key fingerprint
With these features supported, the following information needs to be specified by the CA administrator:
- SSH username
- IP or hostname
- Port number
- The name of the directories where the artifacts will be published
- A private key
- The password of the private key
- The name of the script to invoke after publishing
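The publish flow proposed above (path variables, directory creation, upload to a temporary location followed by an atomic move, a pinned server key fingerprint, a pasted private key and an optional post-publish script), written out against the sshj API as an added example. This is not code from the issue, from EJBCA or from sshj; host, port, user, fingerprint, key material, directories and the `expandPath`/`sanitize`/`shellQuote`/`remoteCommand`/`publish` helpers are all assumptions made for the example. Two points the feature list leaves implicit are handled here: every path variable is reduced to a single safe path component before substitution, so a DN or CN containing `/`, `..`, quotes or `$` cannot escape the configured directory or inject into the remote `mv` command, and every remote argument is single-quoted.

```java
// Added example, not part of the issue or of EJBCA/sshj: sketches the proposed
// SCP publish path. Connection details, key and fingerprint are placeholders.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import net.schmizz.sshj.SSHClient;
import net.schmizz.sshj.connection.channel.direct.Session;
import net.schmizz.sshj.userauth.keyprovider.KeyProvider;
import net.schmizz.sshj.userauth.password.PasswordUtils;
import net.schmizz.sshj.xfer.InMemorySourceFile;

public final class ScpPublishExample {

    /** Expand ${VAR} placeholders; each value is reduced to one safe path component first. */
    static String expandPath(String template, Map<String, String> vars) {
        String out = template;
        for (Map.Entry<String, String> e : vars.entrySet()) {
            out = out.replace("${" + e.getKey() + "}", sanitize(e.getValue()));
        }
        return out;
    }

    /** Allow only [A-Za-z0-9._:=,-]; never yield "", "." or ".." (no traversal, no metacharacters). */
    static String sanitize(String value) {
        String clean = value.replaceAll("[^A-Za-z0-9._:=,-]", "_");
        if (clean.isEmpty() || clean.chars().allMatch(c -> c == '.')) {
            clean = "_";
        }
        return clean;
    }

    /** POSIX single-quoting for a remote shell argument. */
    static String shellQuote(String s) {
        return "'" + s.replace("'", "'\\''") + "'";
    }

    /** mkdir -p, then rename: readers see the old file or the new one, never a partial write. */
    static String remoteCommand(String tmpPath, String targetPath, String postScript) {
        String targetDir = targetPath.substring(0, targetPath.lastIndexOf('/'));
        String cmd = "mkdir -p " + shellQuote(targetDir)
                   + " && mv -f " + shellQuote(tmpPath) + " " + shellQuote(targetPath);
        if (postScript != null) {
            cmd += " && " + shellQuote(postScript) + " " + shellQuote(targetPath);
        }
        return cmd;
    }

    static void publish(String host, int port, String user, String pinnedFingerprint,
                        String privateKeyPem, char[] keyPassword, String tmpDir,
                        String targetPath, byte[] artifact, String postScript) throws IOException {
        SSHClient ssh = new SSHClient();
        // Only the fingerprint cached at "Save" time is accepted; anything else aborts the connection.
        ssh.addHostKeyVerifier(pinnedFingerprint);
        ssh.connect(host, port);
        try {
            // Private key pasted into the admin UI, decrypted with the configured password.
            KeyProvider key = ssh.loadKeys(privateKeyPem, null, PasswordUtils.createOneOff(keyPassword));
            ssh.authPublickey(user, key);

            String tmpPath = tmpDir + "/" + System.nanoTime() + ".part";
            ssh.newSCPFileTransfer().upload(new InMemorySourceFile() {
                @Override public String getName() { return "artifact"; }
                @Override public long getLength() { return artifact.length; }
                @Override public InputStream getInputStream() { return new ByteArrayInputStream(artifact); }
            }, tmpPath);

            try (Session session = ssh.startSession()) {
                Session.Command c = session.exec(remoteCommand(tmpPath, targetPath, postScript));
                c.join(30, TimeUnit.SECONDS);
                if (c.getExitStatus() == null || c.getExitStatus() != 0) {
                    throw new IOException("remote publish step failed, exit status " + c.getExitStatus());
                }
            }
        } finally {
            ssh.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; ISSUER_CN is deliberately hostile to show the sanitiser at work.
        Map<String, String> vars = Map.of(
            "ISO_TIMESTAMP", "2022-01-01T13:37",
            "ISSUER_DN", "CN=Foo CA,O=Foo AB,C=SE",
            "ISSUER_CN", "../../etc",
            "CRL_NUMBER", "3");
        String target = expandPath("/srv/pki/${ISSUER_CN}/${ISSUER_DN}-${CRL_NUMBER}.crl", vars);
        System.out.println(target);
        System.out.println(remoteCommand("/srv/pki/.tmp/1.part", target, "/usr/local/bin/reload-crl.sh"));
        // publish(...) would be called here with real connection details and the CRL bytes.
    }
}
```

The temporary directory and the target directory must be on the same filesystem, otherwise `mv` degrades to a copy and the publish is no longer atomic. The cached fingerprint is trust-on-first-use: the value printed by "Save and test connection" should be compared against the server's key (e.g. `ssh-keygen -lf` on the host key) before "Save" pins it.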
It's not on the roadmap. If there is a PR we could surely look at it.
I'm working on a custom publisher which hopefully can improve on the SCP publisher now bundled with ejbca-ce. When (and if) it gets release-ready, I'll provide it as a plugin here on GitHub.
Closing this ticket!