SCP Publisher

ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.

Description

For extremely secure environments where even the Peer Publisher (which only requires an outgoing connection through a firewall) cannot function, we provide the SCP Publisher which instead publishes certificates and CRLs to a remote location over SSH, which means that they can be published from a CA server which truly has all incoming traffic cut. These certificates and CRLs can later be retrieved by a VA instance and be used for OCSP responses. While more secure, unlike the Peer Publisher publishing will not be instantaneous, and naturally the CA cannot automatically query the VA in case of a broken connection.


images/download/attachments/26772236/Screenshot_2018-11-06_at_14.44.07.png

Once copied, the certificates files will be named after their fingerprint.

Configuration

Configuring the SCP Publisher is as simple as using the scp command. The following parameters need to be set:

Parameter

Description

CA to Sign Published Certificate

If the published certificate/CRL should be individually signed by CA before being copied to the destination.

Publish Without Identifying Information

If identifying information (such as the contents of the Subject DN, SAN, etc) should be redacted.

Username for SSH Connection

The username used to establish the SSH connection.

Destination URL for Certificates/CRLs

URL for the end destination of the certificate/CRL files, including directory.

Path to Private Key File

Path to a local private key used to establish the connection. A corresponding public key should exist in the same directory with the same name and the .pub suffix.

Password to Private Key File

Password to the private key. The field may be left blank if the private key is not password protected. The password is encrypted in the database using the passphrase defined by password.encryption.key in cesecore.properties in order to prohibit it from being read in cleartext from a database dump.

Path to Known Hosts File

Path to the file of known hosts.

Make sure to change the password.encryption.key in cesecore.properties from the default value.