SSL-Changelog

From TLDinfo

We’d like to announce the launch of our new SSL backend on July 7th 2015, which comes with some changes to the management of SSL certificates at RRPproxy. This article gives a brief overview of the upcoming changes to SSL management for RRPproxy resellers.


The new handling

The primary change in our SSL rework is the separation of the general certificate data (such as the certificate id, the domain name or the contacts) from the specific data of a certain instance of a certificate (which we call a sub), such as the CSR and CRT. This separation is designed to have minimal impact on standard use of our API, and you will probably not need to change much of your implementation if you only use it in a linear way, avoiding reissues / renews. After each call of an Add-, Renew- or ReissueCertificate command, the response will return an order identifier (parameter: certificate) and a certificate identifier (parameter: sub). The StatusCertificate command will return the static data of an order and the dynamic data of the latest certificate (sub).

Thus the following scheme is applied:

Certificate (= order identifier, also referred to as certificate id)
- Sub1 (= certificate identifier, also referred to as sub or sub id)
- Sub2
- Sub3
...

Unlike domains, SSL certificates cannot be renewed; instead, a new certificate is issued. Following the principle of domain renewals, RRPproxy nevertheless provides the possibility to renew certificates: issuing a renewal for a certificate adds a new sub to the order.

The main differences are that you keep your certificate id after a renew or reissue, that you have a technically unlimited number of renews / reissues, and that you are able to look into older data of old certificates (parameter: sub) bundled to an order. This is extremely relevant if you e.g. need older CRT data right after a renew/reissue. In addition to the option to look into older data, we also give you the option to use older data for a renew (e.g. you need a renew with the data you used before a failed reissue).


New certificate IDs

With the introduction of our new SSL backend new certificate IDs will be assigned for all certificates in our system. The old IDs will not be used any more. We will provide you with a full list including old IDs and mapped new IDs of your certificates. The list will be available in the FTP area of your account which can be found in the web interface at “Account” -> “FTP”.


New feature: DNS/File Based Authentication

We will introduce two further options to validate certificates: via a DNS record and via a file on the respective HTTP server. This lets you automate the ordering process a step further without validating via email, making 1-click solutions possible. Since this is still in development, the respective parameters and values for API commands are not finalised yet. We will provide you with further information as soon as possible.


Testing area

On May 12th 10:00 UTC we will provide you with a testing area in our staging system, which can be reached via the following URLs:


MREGD

xrrpSSLServerHost = staging-01.rrpproxy.net
xrrpSSLServerPort = 649


HTTPs API

https://staging-01.rrpproxy.net/api/call.cgi?s_login=[USERNAME]&s_pw=[PASSWORD]


SOAP

proxy = https://staging-01.rrpproxy.net:8082/soap
s_login = [USERNAME]
s_pw = [PASSWORD]


XMLRPC

proxy = https://staging-01.rrpproxy.net:8083/xmlrpc
s_login = [USERNAME]
s_pw = [PASSWORD]


Webinterface (will be available shortly after the staging system has been activated)

http://staging-01.rrpproxy.net


Please note that the staging system won’t be available prior to May 12th 10:00 UTC.

Your login will be the same as for your live account using the OTE password. You can define the password for your OTE access in your web interface via “Account” -> “Settings” -> “Passwords” -> “OTE”.

We will synchronise our staging system with OTE logins and passwords on May 12th 10:00 UTC. Afterwards the password for your staging system login cannot be changed any more. Please contact our support if you have issues connecting to our staging system.

The staging system itself only supports the testing for the new SSL backend, unlike the OTE system. EPP will not be provided, since EPP only serves domain management. Our staging system will also send emails, so please carefully choose which email addresses are used for tests!

One week prior to launch on June 30th we’ll make the new SSL backend available in our OTE system as well.

The launch is planned for July 7th.

Commands

AddCertificate

This will create a new certificate order with its first sub-certificate.

[COMMAND]
command=AddCertificate
class=
csr#=
approveremail=<EMAIL>
period=<PERIOD>
ownercontact0=<CONTACT>
admincontact0=<CONTACT>
techcontact0=<CONTACT>
billingcontact0=<CONTACT>
webservertype=
(algorithm=)

[RESPONSE]
certificate=
sub=
certificate_status=
sub_status=

ReissueCertificate

This command will create a new sub-certificate in a certificate order (parameter "certificate") based on data of the most recent existing sub-certificate and the data given with the command (given values overwrite existing data). The expiration date of the new sub-certificate will not change since the new sub-certificate is only meant to be used as a replacement. Stating the CSR is mandatory. If you want to reissue the certificate order based on a different sub-certificate than the most recent, you have the option to use a specific sub-certificate (parameter "sub").

[COMMAND]
command=ReissueCertificate
certificate=
csr#=
(sub=) <-- only necessary if the data of an older sub-certificate shall be used.
(algorithm=)

[RESPONSE]
certificate=
sub=
certificate_status=
sub_status=

RenewCertificate

As with the ReissueCertificate command, RenewCertificate will create a new sub-certificate in a certificate order (parameter "certificate") from the existing data of the most recent sub-certificate. The new sub-certificate will have a new expiration date based on the period given and it is not possible to change the CSR during a renew. If you want to renew the certificate based on a different sub-certificate than the most recent, you have the option to use a specific sub-certificate (parameter "sub").

[COMMAND]
command=RenewCertificate
certificate=
period=
(sub=)
(approveremail=)
(algorithm=)

[RESPONSE]
certificate=
sub=
certificate_status=
sub_status=

StatusCertificate

This command will give you all information about your certificate order (parameter "certificate") together with all information about the latest sub-certificate. If you want to see the status of the certificate based on a different sub-certificate than the most recent, you have the option to use a specific sub-certificate (parameter "sub"). You also have the option to look into metadata encoded in the CSR and CRT with the wide=1 parameter. In addition to the order information, this command will return the metadata of the selected (most recent or given in the command) sub-certificate, a complete list of sub-certificates of the certificate order and the status of each sub-certificate.

[COMMAND]
command=StatusCertificate
certificate=
(sub=)
(wide=0|1)
EOF

[RESPONSE]
property[admincontact][0]= 
property[approveremail][0]=
property[billingcontact][0]=
property[certificate][0]=
property[certificate expiration date][0]=
property[class][0]=
property[created date][0]=
property[crt][0]=
property[crt][1]=
...
property[crt][X]=
property[crt san][0]=
property[crt serial][0]=
property[crt size][0]=
property[csr][0]=
property[csr][1]=
...
property[csr][X]=
property[ownercontact][0]=
property[status][0]=
property[sub][0]=
...
property[sub][X]=
property[sub created date][0]=
property[sub id][0]=
property[sub updated date][0]=
property[sub status][0]=
...
property[sub status][X]=
property[techcontact][0]=
property[updated date][0]=
property[webservertype][0]=


The following values are only returned if wide=1 is given in the command:

property[crt authority key identifier][0]=
property[crt extended key usage][0]=
property[crt issuer][0]=
property[crt issuer commonname][0]=
property[crt issuer country][0]=
property[crt issuer organization][0]=
property[crt issuer organizational unit][0]=
property[crt key usage][0]=
property[crt key usage][1]=
property[crt key usage type][0]=
property[crt public key algorithm][0]=
property[crt signature algorithm][0]=
property[crt subject][0]=
property[crt validity not after][0]=
property[crt validity not before][0]=
property[csr commonname][0]=
property[csr country][0]=
property[csr location][0]=
property[csr organization][0]=
property[csr public key algorithm][0]=
property[csr signature algorithm][0]=
property[csr size][0]=
property[csr state][0]=
property[csr subject][0]=
property[domain][0]=
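As an added example (not part of the original article or of RRPproxy's own code), the following Python parses a StatusCertificate response in the property[name][index]= format shown above, pairs each sub id with its status and CRT by index position, and picks the sub that a RenewCertificate, ReissueCertificate or DeleteCertificate call without an explicit sub= parameter acts on. The sample response is constructed; it assumes the sub list is returned in creation order and that the crt and sub status lists line up with the sub list by index.

```python
import re
from collections import defaultdict

# Constructed sample in the property[name][index]=value format documented above;
# the ids follow the workflow examples on this page (CRT bodies are placeholders).
SAMPLE_RESPONSE = """[RESPONSE]
property[certificate][0]=CZ00001
property[status][0]=ACTIVE
property[sub][0]=CZ00001-001
property[sub][1]=CZ00001-002
property[sub][2]=CZ00001-003
property[sub status][0]=ACTIVE
property[sub status][1]=REVOKED
property[sub status][2]=ACTIVE
property[crt][0]=-----BEGIN CERTIFICATE-----(crt of sub 001)-----END CERTIFICATE-----
property[crt][1]=-----BEGIN CERTIFICATE-----(crt of sub 002)-----END CERTIFICATE-----
property[crt][2]=-----BEGIN CERTIFICATE-----(crt of sub 003)-----END CERTIFICATE-----
EOF
"""

# Property names may contain spaces ("sub status", "crt san"), so match up to the bracket.
PROP_RE = re.compile(r"^property\[(?P<name>[^\]]+)\]\[(?P<idx>\d+)\]=(?P<value>.*)$")

def parse_properties(text):
    """Turn property[name][i]=value lines into {name: [value_0, value_1, ...]}."""
    props = defaultdict(dict)
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:  # non-property lines ([RESPONSE], EOF) are skipped
            props[m.group("name")][int(m.group("idx"))] = m.group("value")
    # Order by index so position i lines up across sub / sub status / crt.
    return {name: [vals[i] for i in sorted(vals)] for name, vals in props.items()}

def subs(props):
    """Pair every sub id with its status and CRT (same index position; assumed)."""
    ids, statuses, crts = props.get("sub", []), props.get("sub status", []), props.get("crt", [])
    return [(sid, statuses[i] if i < len(statuses) else None, crts[i] if i < len(crts) else None)
            for i, sid in enumerate(ids)]

def newest_active_sub(props):
    """The sub a Renew/Reissue/DeleteCertificate call without sub= acts on:
    the newest ACTIVE one (assumes list order is creation order)."""
    active = [sid for sid, status, _ in subs(props) if status == "ACTIVE"]
    return active[-1] if active else None

def crt_for_sub(props, sub_id):
    """Fetch the CRT of an older sub, e.g. the one you need after a failed reissue."""
    for sid, _, crt in subs(props):
        if sid == sub_id:
            return crt
    raise KeyError(f"unknown sub {sub_id}")
```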

QueryCertificateList

Listing all certificate orders is possible with the QueryCertificateList command. It behaves like most Query...List commands in RRPproxy, allowing filtering and paging. By default, cancelled certificates are not returned.

[COMMAND]
command=QueryCertificateList
(wide=0|1)
(limit=<INT>)
(first=<INT>)
EOF


Workflows

Short description of different commands for certificates and subs.

AddCertificate

Ordering a new certificate. Creates a new certificate and a new sub.

[Command]
command=AddCertificate
csrX=...
[...]

Certificate before the command has been issued:

n/a

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE


RenewCertificate

Renewing an existing certificate. Mandatory parameter is "certificate", a certain sub can be stated optionally. Creates a new sub for an existing certificate.

[Command]
command=RenewCertificate
certificate=CZ00001

--> No sub has been explicitly stated, the newest active certificate will be renewed.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE	<-- this sub will be renewed

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE	<-- this is the renewed sub


[Command]
command=RenewCertificate
certificate=CZ00001

--> No sub has been explicitly stated, the newest active certificate will be renewed.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE	<-- this sub will be renewed

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE
Sub:			CZ00001-003		ACTIVE	<-- this is the renewed sub


[Command]
command=RenewCertificate
certificate=CZ00001
sub=CZ00001-001

--> The explicitly stated sub will be renewed.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE	<-- this sub will be renewed
Sub:			CZ00001-002		ACTIVE

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE
Sub:			CZ00001-003		ACTIVE	<-- this is the renewed sub



ReissueCertificate

[Command]
command=ReissueCertificate
certificate=CZ00001
csrX=...

--> No sub has been explicitly stated, the newest active certificate will be reissued.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE	<-- this sub will be reissued

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE	<-- this is the reissued sub


[Command]
command=ReissueCertificate
certificate=CZ00001
csrX=...

--> No sub has been explicitly stated, the newest active certificate will be reissued.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE	<-- this sub will be reissued

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE
Sub:			CZ00001-003		ACTIVE	<-- this is the reissued sub


[Command]
command=ReissueCertificate
certificate=CZ00001
sub=CZ00001-001
csrX=...

--> The explicitly stated sub will be reissued.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE	<-- this sub will be reissued
Sub:			CZ00001-002		ACTIVE

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE
Sub:			CZ00001-003		ACTIVE	<-- this is the reissued sub


DeleteCertificate

The DeleteCertificate command can be used to revoke a certificate.

[Command]
command=DeleteCertificate
certificate=CZ00001

--> No sub has been explicitly stated, the newest active certificate will be revoked.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		ACTIVE	<-- this sub will be revoked

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE
Sub:			CZ00001-002		REVOKED


[Command]
command=DeleteCertificate
certificate=CZ00001
sub=CZ00001-001

--> The explicitly stated sub will be revoked.
Certificate before the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		ACTIVE	<-- this sub will be revoked
Sub:			CZ00001-002		ACTIVE

Certificate after the command has been issued:

Certificate:		CZ00001
Sub:			CZ00001-001		REVOKED
Sub:			CZ00001-002		ACTIVE