Publishers

Overview

Publishers are a mechanism for publishing DN Fields in certificates to directory services such as LDAP. Currently supported are LDAPv3, LDAPv3 Search Publisher and Active Directory. There is also support for creating custom publishers. The information is published when the certificates are issued.

In order to publish DN fields to a directory service you will need to:

  1. Add and edit a Publisher
  2. Create a Certificate Profile that uses the Publisher
  3. Create an End entity Profile that uses the Certificate Profile
  4. Create End Entities using the End Entity Profile
  5. Create Certificate(s) for that End Entity

More detailed information on using LDAP can be found in the User Manual, located in the /docs directory of EJBCA.

Add/Edit Publisher

From the EJBCA Adminweb select Edit Publishers, enter a name suitable for your publisher and click the Add button. The publisher will be added to the 'Current Publishers' list.
Select your new Publisher from the list and click 'Edit Publisher'. This will bring you to the Edit Publisher Screen.
From here you will need to specify a number of parameters in order to configure how and what information is to be published.

First you need to tell EJBCA how to connect to the server:

  • Publisher Type: Instructs EJBCA to use either the LDAP V3 Publisher, the LDAP V3 Search Publisher or a Custom Publisher
  • Hostname: IP address or DNS name of the host running the Directory Service
  • Port: The port the Directory Server listens on.
  • Use SSL: Check this box to use SSL when connecting to the Publisher
  • Base DN: Appended to the location fields to form an LDAP DN. Written in the form: dc=example, dc=com
  • Login DN: DN describing a user with administrator rights on the Publisher. Written in the form: cn=admin, dc=example, dc=com
  • Login Password: The admin user's password
  • Confirm Password: You need to confirm the password

The next four parameters are used to configure when information is published to LDAP.
The Base DN and the location field(s) from a certificate are combined to make an LDAP DN. If an entry with the same LDAP DN already exists in LDAP, that user is said to already exist.

  • Create Nonexisting Users: Determines whether to create a new entry when a user does not already exist.
  • Modify Existing Users: Determines whether to update users when they already exist in LDAP. Unchecking this value means that attributes will neither be overwritten nor added.
  • Overwrite Existing Attributes: Determines whether to update the values of existing attributes when a user already exists.
  • Add Nonexisting Attributes: Determines whether to add attributes to users when a user exists but attributes found in the certificate are not yet published in LDAP.
  • Create intermediate nodes:
  • Add multiple certificates per user: Defines if we should use multiple certificate entries for each user or only one. Default only one certificate is added to a user entry in LDAP and if the user gets a new certificate the old one is deleted and replaced with the new one. If this checkbox is checked certificates are instead appended in LDAP so each user can have multiple certificate entries in LDAP.
  • Remove certificates when revoked:
  • Remove ldap user when certificate revoked:
  • User Object Class: The objectclass for the LDAP entries for users, where user certificates are published. The hierarchy is written as a ';'-separated list that builds a structure like: objectclass: top, objectclass: person, objectclass: organizationalPerson, objectclass: inetOrgPerson. This objectclass must allow the attribute 'userCertificate;binary'. Default 'top;person;organizationalPerson;inetOrgPerson'
  • CA Object Class: The objectclass for the LDAP entries for CAs, where CA certificates and CRLs are published. The hierarchy is written as a ';'-separated list, as for the User Object Class. This objectclass must allow the attributes 'cACertificate;binary', 'certificateRevocationList;binary' and 'authorityRevocationList;binary'. Default 'top;applicationProcess;certificationAuthority'
  • User Certificate Attribute: The attribute name, in the userObjectClass, for the user's certificate. Default 'userCertificate;binary'.
  • CA Certificate Attribute: The attribute name, in the cAObjectClass, for the CA's certificate. Default 'cACertificate;binary'.
  • CRL Attribute: The attribute name, in the cAObjectClass, for CRLs (user CRLs) published by the CA. Default 'certificateRevocationList;binary'.
  • Delta CRL Attribute:
  • ARL Attribute: The attribute name, in the cAObjectClass, for ARLs (CA CRLs) published by the CA.
  • LDAP location fields from cert DN: When configuring the LDAP publisher, the BaseDN is used as the base for the DN published in LDAP, and it is appended to the LDAP location fields selected to be used. Example: if the user DN in EJBCA is "cn=tomas gustavsson, uid=tomasg, O=PrimeKey Solutions AB, C=SE", the BaseDN is "dc=PrimeKey,dc=SE" and the selected LDAP location field is "CN", then the LDAP DN used for publishing will be "cn=tomas gustavsson, dc=PrimeKey, dc=SE", and "uid=tomasg" will be added as an attribute in LDAP. The certificate stored under "cn=tomas gustavsson, dc=PrimeKey, dc=SE" will have the subjectDN "cn=tomas gustavsson, uid=tomasg, O=PrimeKey Solutions AB, C=SE".
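The DN-building rule just described and the create/modify flags earlier in this list, as an added example that is not EJBCA's own code: a small Python simulation that builds the LDAP DN from a subject DN, the Base DN and the selected location fields, then applies the flags against an in-memory directory. The `publish` function, the `PublisherFlags` names, the in-memory dictionary standing in for LDAP and the certificate bytes are constructed for this illustration; the DN values are the ones from the example above. Treating every non-location RDN (O and C as well as uid) as an entry attribute, and writing the resulting DN without spaces after the commas, are assumptions made here.

```python
# Added example, not code from EJBCA: simulate how an LDAP publisher turns a
# certificate subject DN into an LDAP entry and how the create/modify flags
# decide what is written. The in-memory "directory", the flag names and the
# certificate bytes are constructed for this illustration.
from dataclasses import dataclass

# Constructed sample values; the Base DN is the one from the page's example.
BASE_DN = "dc=PrimeKey,dc=SE"
DEFAULT_USER_OBJECT_CLASS = "top;person;organizationalPerson;inetOrgPerson"
DEFAULT_CERT_ATTR = "userCertificate;binary"


def parse_dn(dn):
    """Split 'cn=a, uid=b, c=SE' into ordered (attr, value) pairs with the
    attribute type lower-cased. Escaped commas inside values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def build_ldap_dn(subject_dn, base_dn, location_fields):
    """Return (ldap_dn, attributes): RDNs whose type is a selected location
    field stay in the DN (subject order) with the Base DN appended; every
    other RDN becomes a plain attribute of the entry (assumption: the page
    only mentions uid, O and C are treated the same way here)."""
    wanted = {f.lower() for f in location_fields}
    location, attributes = [], {}
    for attr, value in parse_dn(subject_dn):
        if attr in wanted:
            location.append(f"{attr}={value}")
        else:
            attributes.setdefault(attr, []).append(value)
    return ",".join(location + [base_dn]), attributes


def object_classes(spec):
    """Expand a ';'-separated objectclass hierarchy into objectClass values."""
    return [oc for oc in spec.split(";") if oc]


@dataclass
class PublisherFlags:
    """The Edit Publisher checkboxes that govern writes (constructed names)."""
    create_nonexisting_users: bool = True
    modify_existing_users: bool = True
    overwrite_existing_attributes: bool = True
    add_nonexisting_attributes: bool = True
    add_multiple_certificates: bool = False


def publish(directory, flags, subject_dn, cert_bytes, base_dn=BASE_DN,
            location_fields=("CN",),
            user_object_class=DEFAULT_USER_OBJECT_CLASS,
            cert_attr=DEFAULT_CERT_ATTR):
    """Publish one certificate into `directory` ({ldap_dn: {attr: [values]}})
    and report 'created', 'modified', 'unchanged', 'skipped_missing' (no entry
    and creation disabled) or 'skipped_exists' (entry exists, modify disabled)."""
    ldap_dn, attributes = build_ldap_dn(subject_dn, base_dn, location_fields)
    attributes[cert_attr] = [cert_bytes]
    entry = directory.get(ldap_dn)

    if entry is None:
        if not flags.create_nonexisting_users:
            return "skipped_missing"
        new_entry = {"objectclass": object_classes(user_object_class)}
        new_entry.update(attributes)
        directory[ldap_dn] = new_entry
        return "created"

    if not flags.modify_existing_users:
        return "skipped_exists"

    changed = False
    for attr, values in attributes.items():
        if attr not in entry:
            if flags.add_nonexisting_attributes:
                entry[attr] = list(values)
                changed = True
        elif attr == cert_attr and flags.add_multiple_certificates:
            # Append the new certificate instead of replacing the old one.
            for value in values:
                if value not in entry[attr]:
                    entry[attr].append(value)
                    changed = True
        elif flags.overwrite_existing_attributes and entry[attr] != values:
            entry[attr] = list(values)
            changed = True
    return "modified" if changed else "unchanged"
```

With the default flags a second certificate for the same subject replaces the first one under 'userCertificate;binary'; setting `add_multiple_certificates` appends it instead, and clearing `modify_existing_users` leaves an existing entry untouched regardless of the other two attribute flags.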

Create Certificate Profile

see certificateprofile

Create End Entity Profile

see endentityprofiles

Create End Entity

Create Certificate

page_revision: 13, last_edited: 1206454904
Unless stated otherwise Content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License