P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt 2.66 KB
@startuml
title Automated Certificate Authority Service

actor service
actor user
actor libssl
autonumber

== Signing Request Submission ==

service -> caucased : PUT /csr with the CSR as body
alt CSR passes format check
  caucased --> service : Request identifier
else CSR format invalid
  caucased --> service : Error
end
Note over service : See "Certificate Retrieval"

== Certificate Production ==

Note over user : See "Signing Request Submission"
user -> caucased : GET /csr
caucased --> user : List of pending signing requests with their identifiers
user -> caucased : GET /csr/<request identifier>
caucased --> user : CSR
alt user agrees to produce a signed certificate from the signing request
  user -> caucased : PUT /crt/<request identifier>
  alt CSR was still pending
    caucased --> user : Success
  else CSR not pending (deleted or already signed)
    caucased --> user : Not found
  end
else user refuses to sign the request
  user -> caucased : DELETE with the signing request identifier
  caucased --> user : Ok
end

== Certificate Retrieval ==

loop Until certificate obtained or request rejected
  service -> caucased : GET /crt/<request identifier>
  alt CRT exists
    caucased --> service : Certificate content
  else CRT does not exist
    caucased --> service : Not found
    opt service checks if the CSR was rejected
      service -> caucased : GET /csr/<request identifier>
      alt CSR still pending
        caucased --> service : Signing request content
      else CSR rejected
        caucased --> service : Not found
      end
    end
  end
end

== Certificate Renewal ==

service -> caucased : PUT /crt/renew with the still-valid CRT and a CRL with the new public key
alt CRT is still valid (validity period, not revoked)
  caucased --> service : New certificate content
else CRT invalid
  caucased --> service : Error
end

== Certificate Revocation ==

service -> caucased : PUT /crt/revoke with the CRT, order signed with its private key
alt CRT is valid and parameters consistent
  caucased --> service : CRT revoked
else CRT is invalid or parameters inconsistent
  caucased --> service : Error
end

== Certificate Revocation without access to private key ==

user -> caucased : PUT /crt/revoke with the CRT
alt CRT is valid
  caucased --> user : CRT revoked
else CRT is invalid
  caucased --> user : Error
end

== Certificate Revocation without access to private key or the certificate ==

user -> caucased : PUT /crt/revoke with the serial to revoke
alt Serial is not revoked yet
  caucased --> user : CRT revoked
else Serials is already revoked
  caucased --> user : Error
end

== Certificate Validity Check ==

libssl -> caucased : GET /crl
caucased --> libssl : CRL content
@enduml