Publishers Overview

EJBCA has modular support for Publishers. A publisher can be any external source to which you want to send issued certificates and CRLs for storage. The most common Publishers, implemented by default in EJBCA, are Lightweight Directory Access Protocol (LDAP) directories and Active Directory (which is a special case of an LDAP directory).

The Publisher architecture is modular, and it is possible to implement custom publishers that can be integrated and set up in the Admin GUI.

Publisher Access Rules

The presumed administrator of publishers is the built-in CA Administrator role, or more specifically a role with access to /ca_functionality/edit_publishers. Besides that, only the following publishers will be available to a given role:

  • Publishers assigned to a CA that the role has access to.

  • Publishers not assigned to any CA.

  • ENTERPRISE EDITION Validation Authority Peer Publishers, given that the role has access to /peer/view.

The following covers the built-in publishers.

Publisher Queue and Failures

To achieve robust publishing there is a publisher queue. When a publisher fails, the data to be published is stored in a separate database table, PublisherQueueData. This queue can then be processed by a service, see Publisher Queue Process Service.

Publishers can also be configured not to publish directly at all, but to store everything in the queue, which is processed later. The benefit of this approach is that issuance is not held up by publishing: when issuing certificates the CA does not have to wait for all publishers to finish, which, if there are many publishers, might otherwise delay the issuing process slightly.

The following lists available Publisher Settings:

  • Current length: Displays the number of new entries in the queue in the intervals <1 min, 1-10 min, 10-60 min and >60 min.

  • No direct publishing, only use queue: When enabled, the publisher does not try to publish directly but instead pushes the update to the queue for later processing by a Publisher Queue Process Service.

  • Keep successfully published items in database: When enabled, items stored in the publisher queue are not removed once real publishing has been done; their status is merely changed from PENDING to SUCCESS.

  • Use queue for CRLs: Determines whether the publisher queue should handle CRLs for this publisher.

  • Use queue for certificates: Determines whether the publisher queue should handle certificates for this publisher.

Failed publishing attempts are not removed from the queue; the entries remain there, and up to 20,000 attempts are made per call to the Publisher Queue Process Service, in batches of 100 queue entries at a time.
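As an added illustration, not EJBCA's own code, the following Python model captures the queue behaviour described on this page: direct publishing with fallback to the queue, the queue-only and keep-successful settings, the per-call and batch limits of the process service, and the age buckets shown under Current length. The class and field names are assumptions, and only PENDING entries are counted in the age buckets.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
PENDING, SUCCESS = "PENDING", "SUCCESS"
MAX_PER_CALL, BATCH_SIZE = 20_000, 100  # limits stated on the page


@dataclass
class QueueEntry:
    """Simplified stand-in for one PublisherQueueData row (field names are assumptions)."""
    data: str
    created: float  # seconds since epoch, set when the entry was queued
    status: str = PENDING
    tries: int = 0


@dataclass
class Publisher:
    deliver: Callable[[str], bool]  # the external target; True when it accepted the item
    queue_only: bool = False  # "No direct publishing, only use queue"
    keep_successful: bool = False  # "Keep successfully published items in database"
    queue: List[QueueEntry] = field(default_factory=list)

    def publish(self, data: str, now: float) -> bool:
        """Publish directly unless queue-only; anything not delivered is queued as PENDING."""
        if not self.queue_only and self.deliver(data):
            return True
        self.queue.append(QueueEntry(data, now))
        return False

    def process_queue(self) -> int:
        """One Publisher Queue Process Service run: at most MAX_PER_CALL pending entries, in batches."""
        pending = [e for e in self.queue if e.status == PENDING][:MAX_PER_CALL]
        delivered = 0
        for start in range(0, len(pending), BATCH_SIZE):
            for entry in pending[start:start + BATCH_SIZE]:
                entry.tries += 1  # a failed attempt stays PENDING and is retried next run
                if self.deliver(entry.data):
                    entry.status = SUCCESS
                    delivered += 1
        if not self.keep_successful:  # otherwise rows stay, merely flipped to SUCCESS
            self.queue = [e for e in self.queue if e.status != SUCCESS]
        return delivered

    def current_length(self, now: float) -> Dict[str, int]:
        """The 'Current length' view: pending entries bucketed by age in minutes."""
        buckets = {"<1 min": 0, "1-10 min": 0, "10-60 min": 0, ">60 min": 0}
        for e in (e for e in self.queue if e.status == PENDING):
            age = (now - e.created) / 60
            key = "<1 min" if age < 1 else "1-10 min" if age < 10 else "10-60 min" if age < 60 else ">60 min"
            buckets[key] += 1
        return buckets
```

A publisher whose target is down keeps growing the >60 min bucket across service runs, which is the signal to watch for when CRL distribution depends on the publisher.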