Certify and Recertify
Certify and Recertify are used to generate or regenerate a Certificate object for a public key.
Public Keys are certified by the certify() method on a KMIPSession. This creates a new Certificate Managed Object on the server.
Existing certificates on the server are recertified by the recertify() method on NAECertificate objects.
Certificate links on the server are automatically created between the newly created certificate and the public key that it certifies. The value of the certificate link is the UID of the public key managed object that the created certificate certifies. The certificate link can be read as a KMIP attribute and compared to the KMIPLinkAttribute.LINKTypes enumeration.
In this way, navigation from a certified public key can be made to the certificate managed object that certifies it. Likewise, a public key link is added from the newly created object to the public key it certifies.
No private key link is created from the certificate to the private key managed object of the public-private key pair on the server. Instead, that navigation uses one of the following two navigation paths. KMIP uses navigation path 2.
Navigation Path 1
Certificate -> Public Key (via public key link)
Public Key -> Private Key (via private key link in the public key)
Navigation Path 2
Private Key -> Public Key (via the public key link in the Public Key Managed Object)
Public Key -> Certificate (via the certificate link in the Public Key Managed object)
Certify
Certify is a method in a KMIP Session. It takes the following arguments:
the existing publicKeyName
the name for the certificate that will be created
the type of certificate signing request
the bytes of the certificate signing request
The method returns the Unique Identifier on the server of the newly created certificate Managed Object.
Code sample
The following code demonstrates the certify method. In this example, a certificate with the Name attribute createThisCertificate is created on the server for the existing public key object with the Name attribute existingPublicKey using a PEM certificate signing request.
uid = session.certify("existingPublicKey", "createThisCertificate", KMIPCertificateRequestTypes.CertificateRequestType.PEM, certificateSigningRequest.getBytes());
Note
If the PEM request contains any carriage control characters, -----Begin, or ----End, those characters are stripped before the request is sent to the server.
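The note above says that armor lines and carriage control characters are removed from a PEM request before it is sent. The following Java sketch is an added example, not code from the library: it applies a comparable normalization locally and checks that what remains decodes to one well-formed DER structure, so a truncated or corrupted request is caught before certify() is called. The class name CsrPreflight and its methods are hypothetical, and the sample PEM is a constructed stand-in rather than a real certificate signing request.

```java
import java.util.Base64;

// Added illustration; not part of the KMIP client library.
public class CsrPreflight {

    // Drop the BEGIN/END armor lines and all whitespace (CR, LF, tabs, spaces),
    // leaving only the base64 body of the request.
    static String pemBody(String pem) {
        StringBuilder body = new StringBuilder();
        for (String line : pem.split("\\R")) {
            String t = line.trim();
            if (t.isEmpty() || t.startsWith("-----")) continue;
            body.append(t.replaceAll("\\s", ""));
        }
        return body.toString();
    }

    // Decode the body and confirm it is one DER SEQUENCE whose declared
    // length matches the number of bytes present (no truncation, no trailer).
    static byte[] decodeAndCheck(String base64Body) {
        byte[] der = Base64.getDecoder().decode(base64Body); // throws on bad base64
        if (der.length < 2 || der[0] != 0x30)
            throw new IllegalArgumentException("not a DER SEQUENCE");
        int first = der[1] & 0xFF, header = 2;
        long len = first;
        if (first >= 0x80) {                 // long form: next n bytes hold the length
            int n = first & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n)
                throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            header += n;
        }
        if (header + len != der.length)
            throw new IllegalArgumentException("DER length mismatch");
        return der;
    }

    public static void main(String[] args) {
        // Constructed stand-in (SEQUENCE { INTEGER 0 }), not a real CSR.
        String pem = "-----BEGIN CERTIFICATE REQUEST-----\r\n"
                   + "MAMC\r\nAQA=\r\n"
                   + "-----END CERTIFICATE REQUEST-----\r\n";
        String body = pemBody(pem);
        byte[] der = decodeAndCheck(body);
        System.out.println(body + " -> " + der.length + " DER bytes");
    }
}
```

The check covers only the outer encoding; it does not verify the request's signature or subject fields.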
Recertify
The recertify request is used to renew an existing certificate for a public key. It takes the following arguments:
the type of certificate signing request
the bytes of the certificate signing request
the offset interval
The offset interval value is passed as a Long integer and indicates the difference between the Initialization Date and the Activation Date of the new certificate. The interval is a length of time expressed in seconds (not Java milliseconds), as defined in the KMIP Specification section 4.8. For an offset of zero, pass 0L.
Code sample
The following code demonstrates the recertify method. In this example, a new certificate is created using the certificateSigningRequest bytes. The Unique Identifier is returned for the new certificate, and the links are adjusted by the server accordingly. As the new certificate takes over the name attribute of the existing certificate, only perform recertify once on an existing certificate.
NAECertificate nuCert = new NAECertificate( certName, KMIPsession );
String nuUID = nuCert.reCertify(KMIPCertificateRequestTypes.CertificateRequestType.PEM, certificateSigningRequestBytes, 10L);