Adding a CA to the PRQP Daemon
From OpenCA Labs WiKi
The PRQP daemon is capable of providing responses for multiple Certification Authorities, as described in the IETF PRQP draft. To add a new CA to the server, simply add a new configuration file (.xml) in the CA configuration directory:
PREFIX/etc/prqpd/ca.d/
Now you should restart the server. If the configuration is correct, the server will start responding for the new CA.
CA Configuration Example
The CA configuration file is a simple XML file. A sample configuration file is reported below (the line numbers are referenced in the sections that follow):
1: <?xml version="1.0" ?>
2: <pki:caConfig xmlns:pki="http://www.openca.org/openca/pki/1/0/0">
   <!-- Name of the CA (used by the logging messages on the server) -->
3: <pki:name>SomeOrganization</pki:name>
   <!-- This element carries the PEM version of the CA certificate -->
4: <pki:caCertValue>
5: -----BEGIN CERTIFICATE-----
6: MIIED....
7: -----END CERTIFICATE-----
8: </pki:caCertValue>
   <!-- Here we start the list of services for which we have a config -->
9: <pki:services>
   <!-- Each serviceEntry carries details about the provided service -->
10: <pki:serviceEntry>
   <!-- Name of the service (taken from the IETF draft) -->
11: <pki:name>certPolicy</pki:name>
   <!-- Resource URL -->
12: <pki:url>http://myurl/.../policy-1.1.1.pdf</pki:url>
   <!-- We can specify a version number (integer) - optional -->
13: <pki:version>1</pki:version>
   <!-- An OID can be used to identify the target data - optional -->
14: <pki:oid>1.3.6.1.4.1.18227.100.1.1.1</pki:oid>
15: </pki:serviceEntry>
   <!-- End of the serviceEntry; to configure more entries, just add another serviceEntry item -->
16: </pki:services>
   <!-- End of the Services List -->
17: </pki:caConfig>
NOTE: Every element in the configuration file is prefixed with pki: to identify
the XML namespace. Always use the prefix, in order to avoid namespace collisions
between configurations for different servers.
The General Options
Now let's go through the different parts of the configuration file.
- Lines 1-2 - describe the XML file format and the root XML item (caConfig).
- Line 3 - carries the name of the CA (usually the organization field from the CA certificate). This name is used by the server for logging only.
- Lines 4-8 - carry the caCertValue item that contains the CA certificate in PEM format. This option keeps the configuration and the CA certificate together in the same file. Alternatively, the caCertUrl option can be used to specify the URL from which to download the CA certificate. The supported URLs are the ones supported by the URL_retrieval interface of LibPKI (e.g., http://, https://, ldap://, file://, fd://, mysql://, pg://, id://, etc.). For example:
<pki:caCertUrl>ldap://myldap/...</pki:caCertUrl>
- Lines 9-16 - form the services section. The PRQP server looks inside this element for the serviceElement items (written as serviceEntry in the sample above), which are discussed in the next section.
- Line 17 - closes the root element (i.e., caConfig). No elements are allowed after the closing of the root element of the configuration file.
The serviceElement Item
The serviceElement item (serviceEntry in the sample configuration above) is used to describe a single service related to the CA. The required elements are name and url, whilst the optional elements are version and oid.
- <pki:name>..</pki:name> - this element carries the name of the service. It should match one of the names provided in the IETF PRQP document (https://datatracker.ietf.org/drafts/draft-ietf-pkix-prqp/). The name is automatically converted by the server into its corresponding OID.
- <pki:url>..</pki:url> - this element contains the URL that is returned to the client when the location of this service is requested. There can be multiple URLs for each single service.
- <pki:version>..</pki:version> - this element carries an integer that indicates the version of the service (where it is meaningful). For example, this field can be used to specify the version of the protocol supported by an OCSP server or the version of the pointed CRL (eg., 1 or 2). The field is optional.
- <pki:oid>..</pki:oid> - this element identifies the OID related to the data that can be retrieved from the provided service/URL (wherever it is meaningful). For example, this field can be used to distinguish between certificate policies. The field is optional.
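Since a mistake in ca.d/ only shows up after the restart described at the top of the page, a pre-flight check of a caConfig file against the rules in the two sections above (root element, pki: namespace on every element, caCertValue or caCertUrl, required name and url per serviceEntry, integer version, dotted-decimal oid) is useful. The following checker is an added example written for this page, not code from prqpd or LibPKI; the namespace URI and element names come from the sample configuration, and the embedded GOOD_CONFIG is a constructed sample with a placeholder certificate body.

```python
import xml.etree.ElementTree as ET

PKI_NS = "http://www.openca.org/openca/pki/1/0/0"  # namespace from the sample config
PEM_HEAD, PEM_TAIL = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def q(tag):  # qualify a tag name the way ElementTree spells namespaced tags
    return "{%s}%s" % (PKI_NS, tag)

def check_ca_config(xml_text):
    """Return a list of problems; an empty list means the file follows the layout above."""
    root = ET.fromstring(xml_text)
    if root.tag != q("caConfig"):
        return ["root element must be pki:caConfig"]
    problems = []
    if not (root.findtext(q("name")) or "").strip():
        problems.append("missing pki:name")
    cert_val, cert_url = root.findtext(q("caCertValue")), root.findtext(q("caCertUrl"))
    if cert_val is None and cert_url is None:
        problems.append("need pki:caCertValue or pki:caCertUrl")
    elif cert_val is not None and not (cert_val.strip().startswith(PEM_HEAD)
                                       and cert_val.strip().endswith(PEM_TAIL)):
        problems.append("pki:caCertValue is not a PEM certificate block")
    services = root.find(q("services"))
    entries = [] if services is None else services.findall(q("serviceEntry"))
    if not entries:
        problems.append("no pki:serviceEntry under pki:services")
    for i, e in enumerate(entries, 1):  # name and url required (url may repeat); version, oid optional
        if not (e.findtext(q("name")) or "").strip():
            problems.append("serviceEntry %d: missing pki:name" % i)
        if not e.findall(q("url")):
            problems.append("serviceEntry %d: missing pki:url" % i)
        ver = e.findtext(q("version"))
        if ver is not None and not ver.strip().isdigit():
            problems.append("serviceEntry %d: pki:version must be an integer" % i)
        oid = e.findtext(q("oid"))
        if oid is not None and not all(p.isdigit() for p in oid.strip().split(".")):
            problems.append("serviceEntry %d: pki:oid is not dotted-decimal" % i)
    for el in root.iter():  # every element must carry the pki: namespace (see the NOTE above)
        if not el.tag.startswith("{%s}" % PKI_NS):
            problems.append("element <%s> lacks the pki: namespace" % el.tag)
    return problems

# Constructed sample mirroring the page's layout (placeholder certificate body).
GOOD_CONFIG = """<?xml version="1.0" ?>
<pki:caConfig xmlns:pki="http://www.openca.org/openca/pki/1/0/0">
<pki:name>SomeOrganization</pki:name>
<pki:caCertValue>-----BEGIN CERTIFICATE-----\nMIIED...placeholder...\n-----END CERTIFICATE-----</pki:caCertValue>
<pki:services><pki:serviceEntry><pki:name>certPolicy</pki:name>
<pki:url>http://myurl/policy-1.1.1.pdf</pki:url><pki:version>1</pki:version>
<pki:oid>1.3.6.1.4.1.18227.100.1.1.1</pki:oid></pki:serviceEntry></pki:services></pki:caConfig>"""
```

Run check_ca_config() over the text of each file in PREFIX/etc/prqpd/ca.d/ before restarting the daemon; an empty list means no structural problem was found.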

