The `simple` module provides a minimal implementation of the `KeyAndCertificateHandler` API.
This implementation includes a local embedded CA (Certification Authority) for issuance of signer certificates.
The local embedded CA has the following limitations:
- Issued certificates are not stored. Once a certificate has been delivered to the signing process, the CA discards it.
- Revocation of certificates is not supported. An empty CRL is still signed and stored on disk (see `crlFileLocation`) so that the CRL distribution point in issued certificates resolves.

Because a compromised signer certificate cannot be revoked, the certificate validity (`certValidity`) is the only bound on the exposure; keep it as short as the signing flow allows.
The simple key and certificate handler incorporates the base configuration parameters from the `base` module.

The `SimpleKeyAndCertificateHandlerConfiguration` class describes the additional configuration parameters for the simple key and certificate handler:
| Field | Description |
|---|---|
| `baseUrl` | The application base URL for the signservice where this CA is deployed. The base URL consists of the protocol, host and context path, and must not end with a slash. |
| `caCredential` | The CA credential (private key and certificate(s)) used by the CA when issuing certificates. |
| `caSigningAlgorithm` | The CA signing algorithm. Defaults to `XMLSignature#ALGO_ID_SIGNATURE_RSA_SHA256` or `XMLSignature#ALGO_ID_SIGNATURE_ECDSA_SHA256` depending on the key type (RSA or EC) of the CA credential. |
| `certValidity` | The validity period for issued certificates. The default is 1 year. |
| `crlValidity` | The validity period for issued CRLs. The default is 2 days. The empty CRL must be re-issued before it expires, otherwise relying parties that check the CRL will fail to validate the chain. |
| `crlDpPath` | The path, relative to `baseUrl`, where the CRL is exposed. |
| `crlDpUrl` | A URL where the CRL is published. Use this option when the CRL is made available under a publicly reachable URL (for example one that differs from the internal `baseUrl`), so that relying parties can fetch it when validating the signature certificate. |
| `crlFileLocation` | Even though revocation is not supported, an empty CRL must be served. This property tells where to store that CRL locally. |
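The following configuration fragment is an added example that ties the parameters above together; it is not taken from the project. The property prefix `keyAndCertificateHandler.simple`, the sub-keys of `caCredential` (modelled on a keystore-backed credential: `resource`, `password`, `alias`, `keyPassword`), the ISO-8601 duration format and the host names are assumptions, and the short `certValidity` is a suggestion rather than a project default; the field names are the ones documented in the table.

```yaml
# Added example, not the project's own configuration. The prefix, the
# caCredential sub-keys and the duration format are assumptions (see lead-in).
keyAndCertificateHandler:
  simple:
    # Protocol + host + context path, with no trailing slash.
    baseUrl: https://sign.example.com/signservice
    caCredential:
      # Assumed keystore-backed credential holding the CA key and chain.
      # Keep the keystore and its passwords out of version control.
      resource: file:/opt/signservice/ca/ca.p12
      password: ${CA_KEYSTORE_PASSWORD}
      alias: ca
      keyPassword: ${CA_KEY_PASSWORD}
    # Omit to let the handler choose RSA-SHA256 or ECDSA-SHA256 from the CA key type.
    # caSigningAlgorithm: http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
    # Revocation is not supported, so a leaked signer key stays usable until the
    # certificate expires; a short validity (suggestion) limits that window.
    certValidity: PT1H
    # The empty CRL must be re-issued within this period or validation breaks.
    crlValidity: P2D
    # CRL distribution point becomes <baseUrl><crlDpPath>:
    # https://sign.example.com/signservice/crl/ca.crl
    crlDpPath: /crl/ca.crl
    # Set this instead if relying parties fetch the CRL from a public mirror.
    # crlDpUrl: https://pki.example.com/crl/signservice-ca.crl
    # Where the (always empty) CRL is stored locally.
    crlFileLocation: /var/lib/signservice/ca.crl
```

After deploying, fetch `https://sign.example.com/signservice/crl/ca.crl` (or the `crlDpUrl` if set) from a relying party's network position and confirm it is a valid, unexpired CRL; an unreachable or stale CRL turns "revocation not supported" into "certificate not validatable".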
Copyright © 2022-2023, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.