etoken-ca-client − MyProxy certificate_issuer_program for etoken-ca-server
Client for etoken-ca-server, which can be used as a "certificate_issuer_program" for a MyProxy server. All configuration is done via sysconfig variables set in /etc/sysconfig/etoken-ca. Together with the server, this provides a way to fully privilege-separate a MyProxy server from the PIN code that unlocks the eToken containing the private key for the CA.
The client expects input on STDIN (from a MyProxy server) consisting of a list of key-value pairs, followed by a PEM-encoded certificate signing request. The client stores this in a temporary file (in /var/cache/etoken-ca/request). It then creates a symbolic link in that same directory. This triggers the etoken-ca-server to read and process the file to produce a certificate. Upon success, the etoken-ca-server creates a symlink to the new file, again in the same directory. The client then writes the output to STDOUT or produces an error on STDERR.
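The hand-off described above, as an added Python sketch that is not the etoken-ca code: it validates the input, publishes it through a symlink, and shows the check a reader of the exchange directory would make before trusting a link. The key=value syntax, the "req." prefix, the link name "request.link" and all function names are assumptions made for illustration.

```python
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_END = "-----END CERTIFICATE REQUEST-----"
# Constructed sample input; the key=value syntax and the key name are assumptions.
SAMPLE = "username=alice\n" + PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n" + PEM_END + "\n"

def split_request(text):
    """Split issuer-program input into (attrs, csr_pem); ValueError if malformed."""
    head, sep, rest = text.partition(PEM_BEGIN)
    body, end, tail = rest.partition(PEM_END)
    if not sep or not end or tail.strip():
        raise ValueError("expected exactly one PEM request, at the end of the input")
    attrs = {}
    for line in head.splitlines():
        if not line.strip():
            continue
        key, eq, value = line.partition("=")
        if not eq or not key.strip():
            raise ValueError("malformed key-value line")
        attrs[key.strip()] = value.strip()
    return attrs, PEM_BEGIN + body + PEM_END + "\n"

def submit(exchange_dir, text, link_name="request.link"):
    """Client side: write a private temp file, then publish it via a symlink."""
    split_request(text)  # reject malformed input before it reaches the signer
    fd, path = tempfile.mkstemp(dir=exchange_dir, prefix="req.")  # created 0600
    with os.fdopen(fd, "w") as f:
        f.write(text)
    link = os.path.join(exchange_dir, link_name)
    os.symlink(os.path.basename(path), link)  # raises if the link already exists
    return link

def resolve_inside(exchange_dir, link):
    """Server side: accept a link only if it resolves to a regular file
    located directly in the exchange directory."""
    real_dir = os.path.realpath(exchange_dir)
    target = os.path.realpath(link)
    if os.path.dirname(target) != real_dir or not os.path.isfile(target):
        raise PermissionError("link target is outside the exchange directory")
    return target
```

Because the signing side runs with access to the eToken, the containment check in resolve_inside matters: a link in the shared directory must not be able to point the server at files elsewhere on the system.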
Configuration file for etoken-ca-client, etoken-ca-server and revoke-cert.
Directory for exchanging request and certificate between client and server.
Please report any errors to the Nikhef Grid Middleware Security Team <firstname.lastname@example.org>.
etoken-ca-server(8), etoken-ca(5), revoke-cert(8), myproxy-server.config(5)
Written by Mischa Sallé
Copyright © 2016- FOM-Nikhef