EJBCA - Open Source PKI Certificate Authority
Search ejbca.org on Google:
EJBCA 6.6.1 Enterprise (r24787)

EJBCA support, development and maintenance by

VA Services

The validation authority (VA) module of EJBCA provides services used to validate a certificate. These services can run on an installed EJBCA or on a standalone VA installation. Each service can be enabled/disabled independently at compile time. The services are disabled by default.

CA certificate store

The CA certificate store is used to get a certificate chain to the root CA in order to verify that the certificate is signed by a valid CA (it is valid if the root is trusted). RFC 4387 specifies how the certificates are retrieved. The configuration file conf/certstore.properties is used to configure the service.

If you view the page http://vahost:8080/certificates/search.cgi (when the service is enabled) you will get links to all URLs that can be used. 'certificates' is the default URL path for the web module, but this can be changed in the configuration (on EJBCA CA config change url end to ejbca/publicweb/certificates/search.cgi).

CRL store

The CRL store is used to get a Certificate Revocation List (a signed list of revoked certificates) for a CA. RFC 4387 specifies how the CRLs are retrieved. The configuration file conf/crlstore.properties is used to configure the service.

If you view the page http://vahost:8080/crls/search.cgi you will get links to all URLs that could be used. 'crls' is the default path for the web module, but this can be changed in the configuration (on EJBCA CA config change url end to ejbca/publicweb/crls/search.cgi).

OCSP responder

The OCSP responder is used to ask if a certificate is revoked or not. The OCSP protocol is specified in RFC 2560 and the successor RFC 6960. See OCSP Architecture

The url for OCSP services is http://vahost:8080/ejbca/publicweb/status/ocsp

Alias

You may also define aliases to certificates or CRLs. This is done in the configuration file conf/va.properties.

This is an example on how to get your root certificate if you have defined an alias for it:

http://myhost.com:8080/certificates/search.cgi?alias=root

RFC 4387

The protocol to retrieve CRLs and certificates is described in RFC 4387.

Only CA certificates can be fetched. Since the attributes 'certHash', 'uri', 'iAndSHash' and 'name' does not make that much sense to CA certificates and CRLs they are not implemented.

To be able to specify that a delta CRL should be fetched an extra parameter 'delta' is added to the URL. This is not described in the RFC. Example:

http://myhost:8080/crls/search.cgi?sKIDHash=X4NX3VF9u/tzkkGZU6M6OEffhFc&delta=

When searching for certificates you can use iHash, sHash and sKIDHash. iHash is the ASN1 encoded DN of the issuer in a certificate. If you search with it you get all certificates that has the same issuer, except for the root certificate. You do not find a root certificate if you search with the iHash of the root. It has been assumed that sHash should be used when searching for a root.

If you want to implement your own application accessing the VA you could look at the ejbca junit test class org.ejbca.ui.web.protocol.CertStoreServletTest