Custom Publishers

The following provides information on Developing a Custom Publisher and alternatively Publishing with an External Application.

Custom Publisher Implementations

For information on custom publisher implementations, see the following:

Developing a Custom Publisher

If your setup makes it complex to configure multiple certificate profiles and multiple publishers, you might consider writing a bespoke custom publisher.

For more information on writing your own solution, refer to the directory modules/ejbca-common/src/org/ejbca/core/model/ca/publishers. You can use and extend the empty custom publisher DummyCustomPublisher.java.

Custom publishers are deployed in the same way as custom services, i.e. in a Jar with a special meta-data file. For example:

# Example file. Should be named META-INF/services/org.ejbca.core.model.ca.publisher.ICustomPublisher
com.example.ejbca.MyCustomPublisher
com.example.ejbca.AnotherCustomPublisher 

Additionally you can have your publisher implement org.ejbca.core.model.ca.publisher.CustomPublisherUiSupport to make the configuration more user-friendly in the Admin GUI.

Publishing with an External Application

A lightweight alternative to developing a new custom publisher for exporting CRLs, certificates and revocations is to use the General Purpose Custom Publisher (GPCP). GPCP allows exporting DER-encoded CRLs, certificates and/or revocations with a script (using scp or similar). The GPCP creates a temporary file and executes the script with the full pathname to the temporary file as an argument.

To be able to view and edit the General Purpose Custom Publisher (GPCP), access to external scripts must be enabled by activating Enable External Script Access under System Configuration>External Scripts. For more information, see External Scripts.

To let the publisher ignore an error in the execution of a script, edit the publisher properties. By default, the publisher detects both output to standard error and a non-zero errorlevel set by the script.

To start using the GPCP, do the following:

  1. Select Admin GUI > Manage Publishers and add a publisher GPCP.

  2. Click Edit Publisher and specify the following:

    1. Publisher Type: General Purpose Custom Publisher

    2. Properties:

      1. Full pathname of X publishing script: For example /fullpathname/exportscript.sh for Unix/Linux or C:/fullpathname/exportscript.bat on MS Windows.

      2. Fail X publishing on script error code: Will treat the publishing as unsuccessful if the script returns with a non-zero error code.

      3. Fail X publishing on output to stderr: Will treat the publishing as unsuccessful if the script writes anything to standard error.

      4. Calculate Delta CRL locally: Described below.

  3. Click Save and Test Connection to save the entered information and validate that the specified applications exist.

  4. Select Admin GUI > Certificate Authorities and select GPCP as your new CRL publisher.

  5. Click Save.

  6. To test CRL publishing, select Admin GUI > Basic Functions and click Create CRL.

  7. To test certificate publishing, select Admin GUI > Certificate Authorities and select a CA, click Edit and then Republish CA Certificates.

Note that more advanced scripts or applications allow using additional arguments:

  • cert.application fulltempfilepathname x509type certificateDN issuerDN certHexSerialNumber

  • revoke.application fulltempfilepathname x509reason certificateDN issuerDN certHexSerialNumber

Depending on the application, the GPCP can calculate whether a CRL is a delta CRL. Set the crl.calclulateDeltaCrlLocally parameter to true to enable the GPCP calculation. Disable the parameter if you wish to check this in an external script (or not at all). The result of this check, if run, is printed last in the argument list of the script.

The following displays an example Linux script for certificate publishing:

#!/usr/bin/env bash
echo $* >> /home/user/publisherlog.txt
cp $1 /home/user/cert.crt