Hm, at the risk of adding to this long thread, let me try to summarise the recommendations.
1. Obviously you should use scripts for host certs; CW (like the web interface) would only be suitable for O(1) certificates.
2. There is in fact an API to the CA. I was talking to Robert this morning about making it available (currently it isn't, because it may not be fully supported as specified). It is RESTful, but some parts of the API need authentication which isn't quite SSL (due to the need to accept expired certificates), which makes the client somewhat non-trivial at the moment. I had an Erasmus student at some point who worked on some code in Perl. I'll try to figure out whether it still works.
2.1. The API for the CW server side also does away with the need to request bulk ids. Basically you chunk up your requests in an XML blob which you POST to a REST interface, and the CA accepts them (should accept them) as a bulk request.
2.2. Although it sounds easier, this makes bulk renewals more complicated, but let's leave that for now.
3. As regards scripts, the current PeCR talks to the old (not CW) interface. If you recall, we said you could remove email address from host certs by requesting a *new* host cert, and retain it by renewing it (as we lack other ways to tell the CA.)
3.1. As a side effect, when your host cert already does not have email address in it, you should get a *new* certificate if using PeCR (or wait for me to fix the bug that interprets it as a personal). This should be the same order of complexity, or easier.
3.2. There is a "feature" in OpenCA which prevents duplicate requests being submitted, or sometimes requests for existing certificates. I don't know the precise circumstances which trigger this rejection; I will have to look at it more closely.
Summary - for now, I recommend using PeCR to get *new* certs. If you only need O(1) certificates, CW should be easier.
Hope this helps (if not, find me in the coffee breaks).
Thanks
--jens
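The message above recommends requesting *new* host certificates when you want the emailAddress component dropped from the subject. The script below is an added example, not code from the email, from PeCR or from the CA project: it generates a key and CSR for a host certificate locally and checks the request before anything is submitted, so that what goes to the CA really has no emailAddress in its subject and does carry the hostname as a DNS SAN. It assumes a POSIX shell and the openssl CLI (1.1.1 or later for `-addext`); the DN components and the hostname are constructed placeholders, and it does not talk to the CA, CW or PeCR at all.

```shell
#!/bin/sh
# Added example (not from the original email): build a host-certificate CSR
# whose subject has no emailAddress, then verify the CSR before submission.
# Assumes POSIX sh and openssl >= 1.1.1. The DN below is a placeholder;
# replace it with the DN your CA expects for host certificates.
set -e

# make_host_csr HOST PREFIX
# Writes PREFIX.key (unencrypted RSA-2048 key) and PREFIX.csr for HOST.
# The subject is built explicitly so no emailAddress can sneak in from
# an openssl.cnf default, and the hostname is placed in a DNS SAN.
make_host_csr() {
    host="$1"; out="$2"
    subj="/C=XX/O=ExampleOrg/OU=ExampleUnit/CN=$host"   # placeholder DN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out.csr" \
        -subj "$subj" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# csr_has_no_email CSR
# Succeeds (exit 0) only if the CSR subject contains no emailAddress.
csr_has_no_email() {
    ! openssl req -in "$1" -noout -subject | grep -q 'emailAddress'
}

# csr_has_dns_san CSR HOST
# Succeeds only if the CSR carries DNS:HOST in its subjectAltName.
csr_has_dns_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_cn CSR
# Prints the CN from the CSR subject (handles both "CN = x" and "/CN=x"
# output styles of different openssl releases).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Typical use: generate, then refuse to go further if the checks fail.
if [ "${1:-}" != "" ]; then
    make_host_csr "$1" "${2:-host}"
    csr_has_no_email "${2:-host}.csr" || { echo "CSR has emailAddress" >&2; exit 1; }
    csr_has_dns_san "${2:-host}.csr" "$1" || { echo "CSR lacks DNS SAN" >&2; exit 1; }
    echo "OK: CSR for $(csr_cn "${2:-host}.csr") written to ${2:-host}.csr"
fi
```

Run it as `sh make_host_csr.sh host.example.org /path/to/prefix`; it writes the key and CSR and exits non-zero if the request would still carry an emailAddress or lack the DNS SAN, which is the point at which a bulk script should stop rather than submit.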