EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:

EJBCA support, development and maintenance by

VA Services

The validation authority (VA) part of EJBCA provides services used to validate a certificate. These services could run on an installed EJBCA or on a stand alone installation. See Standalone VA installation for instructions on how to install it stand alone. Each service is implemented by a servlet that can be enabled/disabled independently at compile time. The services are disabled by default.

CA certificate store

Is used to get a certificate chain to the root CA in order to verify that the certificate is signed by a valid CA (it is valid if the root is trusted). RFC 4387 specifies how the certificates are retrieved. The configuration file ${EJBCA_HOME}/conf/certstore.properties is used to configure the service.

If you view the page http://vahost:8080/certificates/search.cgi (when the service is enabled) you will get links to all URLs that can be used. 'certificates' is the default path for the servlet but can be changed in the configuration.

CRL store

Is used to get a Certificate Revocation List (a signed list of revoked certificates) for a CA. RFC 4387 specifies how the CRLs are retrieved. The configuration file ${EJBCA_HOME}/conf/crlstore.properties is used to configure the service.

If you view the page http://vahost:8080/crls/search.cgi you will get links to all URLs that could be used. 'crls' is the default path for the servlet but can be changed in the configuration.

OCSP responder

The OCSP responder is used to ask if a certificate is revoked or not. The OCSP protocol is specified in RFC 2560. See OCSP Architecture

The url for OCSP services is http://vahost:8080/ejbca/publicweb/status/ocsp

RFC 4387

The protocol to retrieve CRLs and certificates is described in RFC 4387.

Only CA certificates can be fetched. Since the attributes 'certHash', 'uri', 'iAndSHash' and 'name' does not make that much sense to CA certificates and CRLs they are not implemented.

To be able to specify that a delta CRL should be fetched an extra parameter 'delta' is added to the URL. This is not described in the RFC. Example:

http://myhost:8080/crls/search.cgi?sKIDHash=X4NX3VF9u/tzkkGZU6M6OEffhFc&delta=

When searching for certificates you can use iHash, sHash and sKIDHash. iHash is the ASN1 encoded DN of the issuer in a certificate. If you search with it you get all certificates that has the same issuer, except for the root certificate. You do not find a root certificate if you search with the iHash of the root. It has been assumed that sHash should be used when searching for a root.

If you want to implement your own application accessing the VA you could look at the ejbca junit test class org.ejbca.ui.web.protocol.TestCertStoreServlet