This article is valid for Certificate Manager 8.5 and later.

This article describes how to use certificate context and modules to verify the content of certificate requests in Protocol Gateway.

Protocol Gateway uses a subset of the certificate format files and modifiers in Certificate Factory (CF). For more information, see the section Certificate Formats in the Certificate Manager Technical Description.

Certificate context

Before sending certificate requests from Protocol Gateway to Certificate Factory (CF), the context is not only one certificate context, but a general context that contains certificate contexts. The context contains a list of certificate requests and also a common context, which in turn are the same as certificate contexts on CF. The values from the common context are copied to all certificate requests if they should be missing any information present in the common context.

The following certificate request contexts can be used for verifications in Protocol Gateway:

certrequests is a list of requests.

For example, to get commonname.value of a certificate request, specify the nested certificate context with the following syntax, where <index> specifies the certificate request number:

Example: certrequest syntax

certrequests:<index>:commonname.value

For example, to get the commonname.value of the common context, use the following syntax:

Example: commoncontext syntax

commoncontext:commonname.value

Available modules

Each handler in a <protocol>.properties file may define attributes in the same way as in a format. Below are examples of how to set up modifiers, by using the formatFields function of a handler in a .properties file.

Currently, the following general modules are available in the Protocol Gateway formats and they are run in the following order:

CertificateReader is a module unique to Protocol Gateway. Its function is to extract the client certificate used to authenticate to Protocol Gateway. It supports certificates from client TLS through Tomcat, or the signing certificate in a CMP request.

It extracts information from the certificate into the context, and this information can then be used with FieldComposer, FieldOperator and RequestVerifier to manipulate and verify the information.

Syntax

CertificateReader.Source = <source>
CertificateReader.Attribute.<index> = <attribute>

Value: CMP | TLS

If CMP is entered, the signing certificate of the CMP request is used.

If TLS is entered, the client certificate used to authenticate to Protocol Gateway is used.

<index>

A unique identifier for an attribute to extract, starting with 0.

If issuer. is prepended to the attribute, it means that it will try to get the attribute from the signing certificate's issuer's Subject.

The name to extract from the certificate, specified with FieldOperator syntax.

If san. is prepended to the attribute, it means that it will try to get the attribute from the SubjectAlternativeName of the certificate.

The attributes will be placed in .value of the same index after extraction from the certificate, e.g. CertificateReader.attribute.<index>.value.

Example

This example shows how to use CertificateReader in a <protocol>.properties file:

Example: CertificateReader in <protocol>.properties file

The FieldOperator modifier is a general utility module for simple manipulation of fields in the
Certificate context.

This example shows how to use FieldOperator in a <protocol>.properties file:

Example: FieldOperator in <protocol>.properties file

The FieldComposer modifier is used to produce new or to replace existing Distinguished Name attributes from attributes present in the certificate request.

This example shows how to use FieldComposer in a <protocol>.properties file:

Nexus Documentation

Certificate request verifications in Protocol Gateway