P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt 2.66 KB
@startuml
title Automated Certificate Authority Service

actor service
actor user
actor libssl
autonumber

== Signing Request Submission ==

service -> caucased : PUT /csr with the CSR as body
alt CSR passes format check
  caucased --> service : Request identifier
else CSR format invalid
  caucased --> service : Error
end
Note over service : See "Certificate Retrieval"

== Certificate Production ==

Note over user : See "Signing Request Submission"
user -> caucased : GET /csr
caucased --> user : List of pending signing requests with their identifiers
user -> caucased : GET /csr/<request identifier>
caucased --> user : CSR
alt user agrees to produce a signed certificate from the signing request
  user -> caucased : PUT /crt/<request identifier>
  alt CSR was still pending
    caucased --> user : Success
  else CSR not pending (deleted or already signed)
    caucased --> user : Not found
  end
else user refuses to sign the request
  user -> caucased : DELETE with the signing request identifier
  caucased --> user : Ok
end

== Certificate Retrieval ==

loop Until certificate obtained or request rejected
  service -> caucased : GET /crt/<request identifier>
  alt CRT exists
    caucased --> service : Certificate content
  else CRT does not exist
    caucased --> service : Not found
    opt service checks if the CSR was rejected
      service -> caucased : GET /csr/<request identifier>
      alt CSR still pending
        caucased --> service : Signing request content
      else CSR rejected
        caucased --> service : Not found
      end
    end
  end
end

== Certificate Renewal ==

service -> caucased : PUT /crt/renew with the still-valid CRT and a CRL with the new public key
alt CRT is still valid (validity period, not revoked)
  caucased --> service : New certificate content
else CRT invalid
  caucased --> service : Error
end

== Certificate Revocation ==

service -> caucased : PUT /crt/revoke with the CRT, order signed with its private key
alt CRT is valid and parameters consistent
  caucased --> service : CRT revoked
else CRT is invalid or parameters inconsistent
  caucased --> service : Error
end

== Certificate Revocation without access to private key ==

user -> caucased : PUT /crt/revoke with the CRT
alt CRT is valid
  caucased --> user : CRT revoked
else CRT is invalid
  caucased --> user : Error
end

== Certificate Revocation without access to private key or the certificate ==

user -> caucased : PUT /crt/revoke with the serial to revoke
alt Serial is not revoked yet
  caucased --> user : CRT revoked
else Serial is already revoked
  caucased --> user : Error
end

== Certificate Validity Check ==

libssl -> caucased : GET /crl
caucased --> libssl : CRL content
@enduml