certificate_authority: More documentation.

c6517823 · Vincent Pelletier · 2dd3c8d9 · c6517823
Commit c6517823 authored Mar 23, 2017 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 8 deletions

slapos/certificate_authority/doc/P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt ...e.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt +43 -8

No files found.
--- a/slapos/certificate_authority/doc/P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt
+++ b/slapos/certificate_authority/doc/P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt
 @startuml
-title "Submitting a certificate signature request"
+title Automated Certificate Authority Service


 actor User
 actor Trusted
+actor Client
 autonumber

-User -> Authority : POST /request
+== Signing Request Submission ==
+
+User -> Authority : POST the CRL
 alt Sining request passes all checks
  Authority --> User : Signing request identifier
 else
  Authority --> User : Error
 end
-Trusted -> Authority : GET /requests XXX: check plural with Romain
+Note over User : See "Certificate Retrieval"
+
+== Certificate Production ==
+
+Note over Trusted : See "Signing Request Submission"
+Trusted -> Authority : GET (optional: with result range expression)
 Authority --> Trusted : List of pending signing requests with their identifiers
-Trusted -> Authority : GET /request with request identifier
+Trusted -> Authority : GET with request identifier
 Authority --> Trusted : Signing request content
 alt Trusted agrees to prvoduce a signed certificate from the signing request
-  Trusted -> Authority : POST /sign with the signing request identifier
+  Trusted -> Authority : POST with the signing request identifier
  alt Sining request was still pending
    Authority --> Trusted : Success
  else
    Authority --> Trusted : Not found
  end
 else
-  Trusted -> Authority : DELETE /request with the signing request identifier
+  Trusted -> Authority : DELETE with the signing request identifier
  Authority --> Trusted : Ok
 end
+
+== Certificate Retrieval ==
+
 loop Until certificate obtained or request rejected
-  User -> Authority : GET /certificate with signing request identifier
+  User -> Authority : GET with signing request identifier
  alt Signing request was signed
    Authority --> User : Certificate content
  else
    Authority --> User : Not found
    opt User wants to check request is still pending
-      User -> Authority : GET /request with signing request identifier
+      User -> Authority : GET with signing request identifier
      alt Sining request is still pending
        Authority --> User : Signing request content
      else
@@ -43,4 +54,28 @@ loop Until certificate obtained or request rejected
    end
  end
 end
+
+== Certificate Renewal ==
+
+User -> Authority : POST with the still-valid CRT and a CRL
+alt Renewal parameters consistent
+  Authority --> User : signing request identifier
+else
+  Authority --> User : Error
+end
+Note over User : See "Certificate Retrieval"
+
+== Certificate Revocation ==
+
+User -> Authority : POST with the CRT
+alt Revocation parameters consistent
+  Authority --> User : Ok
+else
+  Authority --> User : Error
+end
+
+== Certificate Validity Check ==
+
+Client -> Authority : GET (optional: with OCSP parameter)
+Authority --> Client : Certificate revocation list
 @enduml