Hi all,

I created a custom profile for tls client certs containing:

[......]
    00_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_TLS_CLIENT_BASIC_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_TLS_CLIENT_BASIC_DESC
        ui:
            subject:
                - username
                - email
                - c
                - st
                - l
                - o
            info:
                - requestor_gname
                - requestor_name
                - requestor_email

        subject:
            dn: CN=[% username %]+emailAddress=[% email %][% IF C %],C=[% C %][% END %][% IF ST %],ST=[% ST %][% END %][% IF L %],L=[% L %][% END %][% IF O %],O=[% O %][% END %][% IF OU %],OU=[% OU %][% END %]

        metadata:
            requestor: "[% requestor_gname %] [% requestor_name %]"
            email: "[% requestor_email %]"
    enroll:
        subject:
            dn: CN=[% CN.0 %][% IF C %],C=[% C %][% END %][% IF ST %],ST=[% ST %][% END %][% IF L %],L=[% L %][% END %][% IF O %],O=[% O %][% END %][% IF OU %],OU=[% OU %][% END %]
            #dn: CN=[% CN.0 %][% IF C %],C=[% C.0 %][% END %][% IF ST %],ST=[% ST.0 %][% END %][% IF L %],L=[% L.0 %][% END %][% IF O %],O=[% O.0 %][% END %][% IF OU %],OU=[% OU.0 %][% END %]
            #dn: CN=[% CN.X %][% IF C %][% FOREACH entry = C %],C=[% entry %][% END %][% END %][% IF ST %][% FOREACH entry = ST %],ST=[% entry %][% END %][% END %][% IF L %][% FOREACH entry = L %],L=[% entry %][% END %][% END %][% IF O %][% FOREACH entry = O %],O=[% entry %][% END %][% END %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %]

        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
[......]


1. Requesting a cert via the web UI:
1.1. Generating the key on the server flow -> working as expected - no issues - client cert successfully issued
1.2. Uploading CSR flow ->

Generating CSR:
$ openssl req -verbose -new -newkey rsa:2048 -keyout test_User.key -subj "/C=US/ST=California/L=Los Angeles/O=Test company/CN=test_User/emailAddress=[email protected]" \
    -out test_User.csr -nodes -sha256

$ openssl req -in test_User.csr -subject -noout
subject=/C=US/ST=California/L=Los Angeles/O=Test company/CN=test_User/[email protected]

When the CSR is uploaded, all fields (username, c, st, l, o) except email are
automatically filled from the CSR subject. Only the email field is empty. I
modified the email.yaml template, adding
preset: "[% EMAILADDRESS.0.replace(':.*','') %]"
but the email field is still empty. I suppose my parser is not correct... Does
someone have a clue how to handle this?

If I enter the e-mail manually -> the workflow is successful and the client cert is
issued.

2. Requesting a cert via SCEP:
Using the CSR generated above, I tried to request a cert via SCEP:

sscep getca -c web_cacerts -u http://ca-dev.local/scep/client
sscep enroll -u http://ca-dev.local/scep/client -k test_User.key -r test_User.csr -c web_cacerts-0 -l test_User.crt -t 10 -n 1 -d &> test_User.log

and the following error happens:
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Service::SCEP::Command::PKIOperation (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:346); scep-server-1()@5fa1] SCEP incoming request, id F92E1E0DC6DADFB3BC207BEF6CD30CB2
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Service::SCEP::Command::PKIOperation (408); scep-server-1()@5fa1] SCEP try to start new workflow for F92E1E0DC6DADFB3BC207BEF6CD30CB2
2017/03/14 18:58:17 openxpki.application.FATAL:3071 [OpenXPKI::Server::Workflow (774); scep-server-1()@5fa1] Workflow save requested during startup - wont save! (running)
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow (139); scep-server-1()@5fa1] Execute action scep_initialize on workflow #15103
2017/03/14 18:58:17 openxpki.system.INFO:3071 [OpenXPKI::Server::Workflow::Persister::DBI (138); scep-server-1()@5fa1] Created workflow 15103
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow (139); scep-server-1()@5fa1] Execute action scep_extract_csr on workflow #15103
2017/03/14 18:58:17 openxpki.application.WARN:3071 [OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/SCEPv2/ExtractCSR.pm:101); scep-server-1()@5fa1] SCEP csr key size is ok (rsaEncryption / 2048)
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (114); scep-server-1()@5fa1] SCEP csr hash type is ok (sha1)
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (199); scep-server-1()@5fa1] SCEP subject rendering enabled ( I18N_OPENXPKI_PROFILE_TLS_CLIENT / enroll )
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (315); scep-server-1()@5fa1] SCEP signer subject: emailAddress=[email protected],CN=test_User,O=Test company,L=Los Angeles,ST=California,C=US - is selfsign
2017/03/14 18:58:17 openxpki.application.INFO:3071 [OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (385); scep-server-1()@5fa1] SCEP signature verified; CSR subject: CN=test_User,C=ARRAY(0x6b100b8),ST=ARRAY(0x6bc28d0),L=ARRAY(0x6bc28b8),O=ARRAY(0x6b47148), Signer [email protected],CN=test_User,O=Test company,L=Los Angeles,ST=California,C=US
2017/03/14 18:58:17 openxpki.system.ERROR:3071 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@5fa1] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __EXCEPTION__ => OpenXPKI::Exception; __ERROR__ => I18N_OPENXPKI_SERVER_API_INVALID_PARAMETER; __ERROR__ => The 'SUBJECT' parameter ("CN=test_User,C=ARRAY(0x6b100b8),ST=ARRAY(0x6bc28d0),L=ARRAY(0x6bc28b8),O=ARRAY(0x6b47148)") to OpenXPKI::Server::API::__ANON__ did not pass regex check ; __CALL__ => search_cert; __ACTION__ => scep_extract_csr

I tried different dn values in the profile above -> same error.
If I change it to
dn: CN=[% CN.0 %],C=US,ST=California,L=Los Angeles,O=Test company

the SCEP enroll is successful and the client cert is issued. From what I can
see, the problem is that the CSR subject fields are taken as arrays and they
cannot be set as a proper cert subject...
Can someone help here?

And also, if I am using CN.0, only "test_User" from the CN=test_User/emailAddress=
[email protected] field is taken. I tried CN.X, CN.1 and CN, but
again only the first part is taken. How can I take all of
:CN=test_User/[email protected] ?

Thank you in advance!

Regards,
Cho
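An added example, my own code rather than OpenXPKI's or the poster's, that renders the posted dn template and a corrected one with Template Toolkit against a constructed subject hash whose values are array refs, which is what the ARRAY(0x...) fragments in the log indicate. The key names (CN, EMAILADDRESS, C, ...), the array-ref shape and the e-mail address are assumptions; the fail-closed check at the end mirrors the regex check the log shows rejecting the DN before anything is issued.

```perl
#!/usr/bin/perl
# Added example (not OpenXPKI code): render profile dn templates with
# Template Toolkit against a subject hash whose values are array refs.
use strict;
use warnings;
use Template;

# Constructed stand-in for the parsed CSR subject. Each attribute is an
# array ref, as the ARRAY(0x...) fragments in the log point to. The key
# names and the address are assumptions, not taken from OpenXPKI.
my $subject = {
    CN           => ['test_User'],
    EMAILADDRESS => ['test_User@example.com'],   # constructed address
    C            => ['US'],
    ST           => ['California'],
    L            => ['Los Angeles'],
    O            => ['Test company'],
    OU           => [],                          # absent in the CSR
};

# As posted: [% C %] interpolates the array ref itself -> C=ARRAY(0x...),
# and [% IF OU %] is true for an empty array ref, so ",OU=" is emitted too.
my $as_posted = 'CN=[% CN.0 %][% IF C %],C=[% C %][% END %]'
              . '[% IF OU %],OU=[% OU %][% END %]';

# Corrected: index the first element (or join all of them) and test .size
# so an attribute missing from the CSR does not produce an empty RDN.
my $corrected = 'CN=[% CN.0 %]'
              . '[% IF EMAILADDRESS.size %],emailAddress=[% EMAILADDRESS.0 %][% END %]'
              . '[% IF C.size %],C=[% C.0 %][% END %]'
              . '[% IF ST.size %],ST=[% ST.0 %][% END %]'
              . '[% IF L.size %],L=[% L.0 %][% END %]'
              . '[% IF O.size %],O=[% O.0 %][% END %]'
              . '[% IF OU.size %],OU=[% OU.join(",OU=") %][% END %]';

my $tt = Template->new();

sub render_dn {
    my ($template, $vars) = @_;
    my $dn;
    $tt->process(\$template, $vars, \$dn) or die $tt->error();
    # Fail closed: an unrendered Perl reference must never reach the CA.
    die "unrendered reference in DN: $dn\n" if $dn =~ /\b(?:ARRAY|HASH)\(0x/;
    return $dn;
}

for my $tpl ($as_posted, $corrected) {
    my $dn = eval { render_dn($tpl, $subject) };
    print defined $dn ? "OK:   $dn\n" : "FAIL: $@";
}
```

Run with `perl` and the Template module installed; the first template is rejected with the ARRAY(0x...) fragment, the second renders a plain comma-separated DN.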
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
