Operations
This section provides detailed information on the NPKD Operations introduced in the Workflows section.
The operations may differ per object type (CSCA certificate, DS certificate, CRL, Master List, Deviation List); where they do, they are described per object type below.
Note that some operations execute other operations. For example, the Import Master List operation executes Import CSCA Certificate for every CSCA certificate the master list contains. The PKD Scheduler can also execute most of the NPKD operations.
The following operations are described:
Import
Import CSCA Certificate
The Import CSCA Certificate operation performs validity checks, imports a CSCA certificate into the NPKD database and sets its state to default. The tasks executed during import of CSCA certificates are listed in execution order:
- Check if the minimum requirements are met (certificate format, minimum ICAO conformance, and so on). If not, the import is aborted.
- Check if this CSCA certificate already exists. If it does, the import is aborted.
- If it is a link CSCA certificate, check that the issuing CSCA certificate is present. If it is not, the import is aborted.
- Check if the CSCA certificate is not yet valid or has expired. If so, the import is aborted.
- Check if the CSCA certificate is revoked. If so, the import is aborted. Note however that this behavior depends on the General Configuration settings Perform CRL revocation checks on import, Use latest country CRL for revocation checks, and Import certificate if there is no any CRL present. For more information, see General Configuration.
- Import the CSCA certificate into the database and set it to the default state. Depending on the CRL configuration, the revocation check result recorded for the imported certificate is disabled, no CRL, or not revoked.
Import DS Certificate
The Import DS Certificate operation performs validity checks, imports a DS certificate into the NPKD database and sets its state to default. The tasks executed during import of DS certificates are listed in execution order:
- Check if the minimum requirements are met (certificate format, minimum ICAO conformance, and so on). If not, the import is aborted.
- Check if this DS certificate already exists. If it does, the import is aborted.
- Check if the issuing CSCA certificate is missing or ignored. If it is, the import is aborted.
- Check if the DS certificate is not yet valid or has expired. If so, the import is aborted.
- Check if the DS certificate is revoked. If so, the import is aborted. Note however that this behavior depends on the General Configuration settings Perform CRL revocation checks on import, Use latest country CRL for revocation checks and Import certificate if there is no any CRL present. For more information, see General Configuration.
- Import the DS certificate into the database and set it to the default state. Depending on the CRL configuration, the revocation check result recorded for the imported certificate is disabled, no CRL or not revoked.
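As an added illustration (example code written for this page, not NPKD's own implementation), the following Go program models the Import CSCA Certificate and Import DS Certificate check sequence above against real X.509 objects built with the standard library: a throwaway CSCA, DS certificates it issued and a CRL it signed, all constructed in the program rather than fetched from the ICAO PKD. The `Config` fields stand in for the General Configuration settings Perform CRL revocation checks on import and Import certificate if there is no any CRL present (Use latest country CRL for revocation checks is not modeled; the store keeps one CRL per issuer). The signature check under the issuing CSCA is placed where NPKD's minimum-requirements step would catch it. The outcome strings, the store layout and every name in the program are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Config stands in for two General Configuration switches named on the page (field names are this example's own).
type Config struct {
	PerformCRLChecksOnImport bool // "Perform CRL revocation checks on import"
	ImportIfNoCRL            bool // "Import certificate if there is no any CRL present"
}

// Store is a minimal in-memory stand-in for the NPKD database.
type Store struct {
	CSCAs map[string]*x509.Certificate    // by subject DN
	DSs   map[string]*x509.Certificate    // by issuer DN and serial
	CRLs  map[string]*x509.RevocationList // latest CRL per issuer DN
}

// ImportDS evaluates the page's DS import checks in their listed order and returns the outcome: either
// "aborted: <check>" or the revocation check result recorded at import ("disabled", "no CRL" or "not revoked").
func (s *Store) ImportDS(ds *x509.Certificate, now time.Time, cfg Config) (status string) {
	key := ds.Issuer.String() + "#" + ds.SerialNumber.String()
	csca := s.CSCAs[ds.Issuer.String()]
	crl := s.CRLs[ds.Issuer.String()]
	switch { // cases are tried top to bottom, so each check only sees input the earlier ones accepted
	case s.DSs[key] != nil:
		return "aborted: DS certificate already exists"
	case csca == nil:
		return "aborted: issuer CSCA not present"
	case ds.CheckSignatureFrom(csca) != nil:
		return "aborted: DS signature does not verify under the issuer CSCA"
	case now.Before(ds.NotBefore) || now.After(ds.NotAfter):
		return "aborted: DS certificate not yet valid or expired"
	case !cfg.PerformCRLChecksOnImport:
		status = "disabled"
	case crl == nil && !cfg.ImportIfNoCRL:
		return "aborted: no CRL present for issuer"
	case crl == nil:
		status = "no CRL"
	case listed(crl, ds.SerialNumber):
		return "aborted: DS certificate is revoked"
	default:
		status = "not revoked"
	}
	s.DSs[key] = ds
	return status
}

func listed(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// must turns a fixture-building error into a panic so Scenario stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario builds constructed fixtures (a throwaway CSCA, DS certificates it issued and one CRL, not
// real ICAO PKD data) and records the outcome of each import attempt.
func Scenario() map[string]string {
	now := time.Now()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key pair for every fixture
	cscaTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CSCA-UTOPIA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	csca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, cscaTmpl, cscaTmpl, pub, priv))))
	issueDS := func(serial int64, notAfter time.Time) *x509.Certificate {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "DS-UTOPIA"},
			NotBefore: now.Add(-time.Hour), NotAfter: notAfter}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, csca, pub, priv))))
	}
	s := &Store{map[string]*x509.Certificate{csca.Subject.String(): csca}, map[string]*x509.Certificate{}, map[string]*x509.RevocationList{}}
	strict := Config{PerformCRLChecksOnImport: true}
	good, revoked := issueDS(10, now.Add(time.Hour)), issueDS(11, now.Add(time.Hour))
	res := map[string]string{}
	res["no CRL, strict"] = s.ImportDS(good, now, strict)
	res["no CRL, lenient"] = s.ImportDS(good, now, Config{PerformCRLChecksOnImport: true, ImportIfNoCRL: true})
	res["duplicate"] = s.ImportDS(good, now, strict)
	// A CSCA-signed CRL listing serial 11. It counts for revocation checks once it is in the store, published or not.
	s.CRLs[csca.Subject.String()] = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(11), RevocationTime: now}}}, csca, priv))))
	res["revoked, strict"] = s.ImportDS(revoked, now, strict)
	res["expired, strict"] = s.ImportDS(issueDS(12, now.Add(-time.Minute)), now, strict)
	res["valid, strict"] = s.ImportDS(issueDS(13, now.Add(time.Hour)), now, strict)
	res["revoked, checks off"] = s.ImportDS(revoked, now, Config{}) // imported: nothing consulted the CRL
	return res
}
```

The last case is the one worth remembering: with Perform CRL revocation checks on import switched off, a certificate that a stored CRL already lists is imported with the result disabled, and the PKD Scheduler's later re-check of revocation status is what has to catch it.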
Import CRL
The Import CRL operation performs validity checks, imports a CRL into the NPKD database and sets its state to default. The tasks executed during the import of CRLs are listed in execution order:
- Check if the minimum requirements are met (CRL format, minimum ICAO conformance, and so on). If not, the import is aborted.
- If the issuing CSCA certificate is not present, is present but ignored, or there is already an ignored CRL under the same issuer, the import is aborted.
- Check if this CRL already exists or a fresher one is present in the database. If so, the import is aborted unless the General Configuration option Import CRL if not newer is enabled, in which case the import continues. For more information, see General Configuration.
- Import the CRL into the database (overwriting the freshest one for this CSCA) and set it to the default state.
- Revoke all CSCA, DS, master list signer and deviation list signer certificates found in the CRL. Revoked certificates, and master and deviation lists whose signer certificate is revoked, are unpublished and set to the default state. Note that a CRL does not have to be published to be used for revocation checks; an ignored CRL, however, is not used for revocation checks.
Import Master List
The Import Master List operation performs validity checks, imports a master list into the NPKD database and sets its state to default. All CSCA certificates found inside are also imported. The tasks executed during import of master lists are listed in execution order:
- Check if the minimum requirements are met (master list format, certificate format, minimum ICAO conformance, and so on). If not, the import is aborted.
- If the issuing CSCA certificate is not present, the import is aborted. If the option Trust CSCA certificate in master list is enabled, the Import CSCA Certificate operation is instead executed on the issuer CSCA certificate found in the master list.
- If the issuing CSCA certificate is present but ignored, or there is already an ignored master list under the same issuer, the import is aborted.
- Check if this master list already exists or a fresher one is present in the database. If so, the import is aborted unless the General Configuration setting Import master list if not newer is enabled, in which case the import continues. For more information, see General Configuration.
- Import the master list and the master list signer certificate into the database (overwriting the freshest one for this CSCA) and set it to the default state. Depending on the CRL configuration, the revocation check result recorded for the imported signer certificate is disabled, no CRL or not revoked.
- Execute the Import CSCA Certificate operation on all CSCA certificates found in the master list.
Import Deviation List
The Import Deviation List operation performs validity checks, imports a deviation list into the NPKD database and sets its state to default. The tasks executed during import of deviation lists are listed in execution order:
- Check if the minimum requirements are met (deviation list format, certificate format, minimum ICAO conformance, and so on). If not, the import is aborted.
- If the issuing CSCA certificate is not present, the import is aborted. If the option Trust CSCA certificate in deviation list is enabled, the Import CSCA Certificate operation is instead executed on the issuer CSCA certificate found in the deviation list.
- If the issuing CSCA certificate is present but ignored, or there is already an ignored deviation list under the same issuer, the import is aborted.
- Check if this deviation list already exists or a fresher one is present in the database. If so, the import is aborted unless the General Configuration option Import deviation list if not newer is enabled, in which case the import continues. For more information, see General Configuration.
- Import the deviation list and the deviation list signer certificate into the database (overwriting the freshest one for this CSCA) and set it to the default state. Depending on the CRL configuration, the revocation check result recorded for the imported signer certificate is disabled, no CRL, or not revoked.
Publish
Publish CSCA Certificate
The Publish CSCA Certificate operation performs validity checks on a CSCA certificate, sets its state to published and adds it to the Local LDAPs. The tasks executed during publishing of CSCA certificates are listed in execution order:
- Check if it is not yet valid or has expired. If so, the publish is aborted.
- Check if it is revoked. If so, the publish is aborted.
- Check if it is ignored. If so, the publish is aborted.
- Set the state to published and perform the add to Local LDAP operation.
- Publish the issued objects with the Publish DS Certificate, Publish CRL, Publish Master List and Publish Deviation List operations, as enabled by the General Configuration settings Auto publish DS when issuer CSCA is published, Auto publish CRL when issuer CSCA is published and Auto publish master list when issuer CSCA is published.
Publish DS Certificate
The Publish DS Certificate operation performs validity checks on a DS certificate, sets its state to published and adds it to the Local LDAPs. The tasks executed during publishing of DS certificates are listed in execution order:
- Check if it is not yet valid or has expired. If so, the publish is aborted.
- Check if it is revoked. If so, the publish is aborted.
- Check if it is ignored. If so, the publish is aborted.
- Check if its issuing CSCA certificate is published. If not, the publish is aborted.
- Set the state to published and perform the add to Local LDAP operation.
Publish CRL, Master List, or Deviation List
This operation performs validity checks on a CRL, Master List or Deviation List, sets its state to published and adds it to the Local LDAPs. The tasks executed during publishing of these objects are listed in execution order:
- Check if it is ignored. If so, the publish is aborted.
- Check if its issuing CSCA certificate is published. If not, the publish is aborted.
- Set the state to published and perform the add to Local LDAP operation.
Unpublish
Unpublish CSCA Certificate
The tasks executed during unpublishing of a CSCA certificate are listed in execution order:
- Perform the unpublish operation on all issued objects with the Unpublish DS Certificate, Unpublish CRL, Unpublish Master List or Unpublish Deviation List operations.
- Set the state to default.
- Perform the remove from Local LDAP operation.
Unpublish DS Certificate, CRL, Master List, or Deviation List
The tasks executed during unpublishing of a DS certificate, CRL, Master List or Deviation List are listed in execution order:
- Set the state to default.
- Perform the remove from Local LDAP operation.
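As an added illustration of the Import CRL revocation step and the publish and unpublish cascades described above (example code written for this page, not NPKD's own implementation), the following Go model keeps a few constructed objects in memory and applies the page's rules: a DS certificate cannot be published before its CSCA; publishing a CSCA re-runs Publish on what it issued, governed by the three auto-publish settings, so a revoked DS stays unpublished; importing a CRL that lists a master list's signer certificate unpublishes the list; unpublishing a CSCA takes its issued objects with it. The object IDs, the Go field names for the settings, the use of the signer certificate's serial to link a list to a CRL entry, and the absence of a deviation-list auto-publish switch (the page names none) are this example's assumptions; the Local LDAP add and remove steps are left out.

```go
package main

import (
	"fmt"
	"sort"
)

// Object is a minimal record of one NPKD object. For a master list, Serial is the serial of the signer
// certificate the CSCA issued for it; that link (this model's assumption) is how a CRL reaches the list.
type Object struct {
	Kind                        string // "CSCA", "DS", "CRL" or "ML"
	Issuer                      string // ID of the issuing CSCA; empty for a root CSCA
	Serial                      int
	Revoked, Ignored, Published bool
}

// NPKD holds objects by ID plus the three "Auto publish ... when issuer CSCA is published" switches.
type NPKD struct {
	Objects                                     map[string]*Object
	AutoPublishDS, AutoPublishCRL, AutoPublishML bool
}

// Publish runs the page's publish checks for one object. Publishing a CSCA then re-runs Publish on each
// object it issued that an auto-publish switch covers, so a revoked or ignored DS stays unpublished.
func (n *NPKD) Publish(id string) error {
	o := n.Objects[id]
	switch {
	case (o.Kind == "CSCA" || o.Kind == "DS") && o.Revoked:
		return fmt.Errorf("%s: revoked", id)
	case o.Ignored:
		return fmt.Errorf("%s: ignored", id)
	case o.Kind != "CSCA" && !n.Objects[o.Issuer].Published:
		return fmt.Errorf("%s: issuer CSCA not published", id)
	}
	o.Published = true // the real operation also adds the object to the Local LDAPs
	if o.Kind == "CSCA" {
		for cid, c := range n.Objects {
			auto := c.Kind == "DS" && n.AutoPublishDS || c.Kind == "CRL" && n.AutoPublishCRL || c.Kind == "ML" && n.AutoPublishML
			if c.Issuer == id && auto {
				n.Publish(cid) // the child's own checks decide; a failure just leaves it unpublished
			}
		}
	}
	return nil
}

// Unpublish returns an object to the default state; a CSCA first takes everything it issued with it.
func (n *NPKD) Unpublish(id string) {
	for _, c := range n.Objects {
		if c.Issuer == id {
			c.Published = false
		}
	}
	n.Objects[id].Published = false
}

// ImportCRL models the revocation step of Import CRL: every certificate or list signer the CRL's CSCA
// issued with a listed serial is marked revoked and unpublished. The CRL itself need not be published.
func (n *NPKD) ImportCRL(issuer string, serials ...int) {
	for _, o := range n.Objects {
		for _, serial := range serials {
			if o.Issuer == issuer && o.Serial == serial {
				o.Revoked, o.Published = true, false
			}
		}
	}
}

// Published lists the IDs currently in the published state, sorted for stable comparison.
func (n *NPKD) Published() []string {
	ids := []string{}
	for id, o := range n.Objects {
		if o.Published {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// Scenario walks a constructed set of objects (not real PKD data) through the three cascades.
func Scenario() map[string][]string {
	n := &NPKD{AutoPublishDS: true, AutoPublishCRL: true, AutoPublishML: true, Objects: map[string]*Object{
		"csca-UT":  {Kind: "CSCA", Serial: 1},
		"ds-UT-10": {Kind: "DS", Issuer: "csca-UT", Serial: 10},
		"ds-UT-11": {Kind: "DS", Issuer: "csca-UT", Serial: 11, Revoked: true},
		"ml-UT":    {Kind: "ML", Issuer: "csca-UT", Serial: 20}, // its signer certificate has serial 20
		"crl-UT":   {Kind: "CRL", Issuer: "csca-UT"},
	}}
	steps := map[string][]string{"publish DS before its CSCA": {n.Publish("ds-UT-10").Error()}}
	n.Publish("csca-UT")
	steps["after CSCA publish"] = n.Published()
	n.ImportCRL("csca-UT", 20) // revokes the master list signer: the list goes, the CSCA and DS stay
	steps["after CRL listing serial 20"] = n.Published()
	n.Unpublish("csca-UT")
	steps["after CSCA unpublish"] = n.Published()
	return steps
}

func main() {
	for step, ids := range Scenario() {
		fmt.Println(step+":", ids)
	}
}
```

Note that the CRL itself is an ordinary object here: it is published by the CSCA cascade because of the auto-publish switch, but its revocation entries took effect in ImportCRL regardless of that state, matching the page's remark that a CRL need not be published to count for revocation checks.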
Upload
Upload DS Certificate
The tasks executed during uploading of DS certificates are listed in execution order:
- Check if it is not yet valid or has expired. If so, the upload is aborted.
- Check if it is revoked. If so, the upload is aborted.
- Check if it is ignored. If so, the upload is aborted.
- Perform the add to ICAO Upload LDAP operation.
Upload CRL, Master List, or Deviation List
The tasks executed during uploading of a CRL, Master List or Deviation List are listed in execution order:
- Check if it is ignored. If so, the upload is aborted.
- Perform the add to ICAO Upload LDAP operation.
Create Master List
The Create Master List operation signs the master list content (the selected CSCA certificates) and imports or updates the created Master List in NPKD. During this operation, the following tasks are executed:
- Check if the selected CSCA certificates in the master list content pass all the checks. If not, the operation is aborted.
- Send the master list content to SignServer for signing. A Master List Signer worker must be configured on SignServer.
- If SignServer has successfully signed the content, NPKD performs final checks on the created Master List and then performs the Import Master List operation on it.
Add to Master List Content
Add CSCA Certificate to Master List Content
This operation adds the specified CSCA certificate to the Master List Content. During this operation, the following tasks are executed:
- Check if the selected CSCA certificate passes all the checks. If not, the operation is aborted.
- Add the CSCA certificate to the Master List Content.
Remove from Master List Content
Remove CSCA Certificate from Master List Content
This operation will remove the specified CSCA certificate from master list content. During this operation, the following task is executed:
- Remove the CSCA certificate from Master List Content.
Create Deviation List
This operation signs the deviation list content (the chosen deviations) and imports or updates the created Deviation List in NPKD. During this operation, the following tasks are executed:
- Send the deviation list content to SignServer for signing. A Deviation List Signer worker must be configured on SignServer.
- If SignServer has successfully signed the content, NPKD performs final checks on the created Deviation List and then performs the Import Deviation List operation on it.
PKD Scheduler
The PKD Scheduler can be used to automate updating of NPKD, which usually consists of downloading the latest objects from the ICAO PKD and then, depending on the validity checks, publishing or unpublishing them. It can be scheduled to run at a specified time and/or be started by a user. The following tasks, in this order, can be configured to execute with every PKD Scheduler run:
- Download all conformant objects available for download from the ICAO PKD and perform the Import Master List, Import DS Certificate, Import CRL and Import Deviation List operations on them. Note that the Import CRL operation can unpublish certificates.
- Download all non-conformant objects available for download from the ICAO PKD and perform the Import Master List, Import DS Certificate, Import CRL and Import Deviation List operations on them. Note that the Import CRL operation can unpublish certificates.
- Update the local PKD version so that already imported data is not downloaded again from the ICAO server.
- Perform the Publish CSCA Certificate, Publish Master List, Publish DS Certificate, Publish CRL and Publish Deviation List operations on all non-ignored objects.
- Re-check the revocation status of all non-ignored certificates in the database.
- Perform the Unpublish CSCA Certificate and Unpublish DS Certificate operations on objects that have expired or been revoked, or whose signers have expired or been revoked.
- Sync the Local LDAP server content with NPKD. This is only needed if some Local LDAP servers are out of sync with NPKD.
- Perform the Upload Master List operation.
- Perform the Upload DS Certificate operation.
- Perform the Upload Deviation List operation.
- Perform the Upload CRL operation.
- Create a backup of the database and store it on the local machine.
- Create a maintenance report describing the size of the database and its individual tables.