Hello Joerg,

On 04.05.2017 at 22:14, Joerg Eckert wrote:
You just need to reply to one of the mails you received as answer from the list.

Hello again

Because I do not know to answer other threads.. Where can I find that? Want to answer the answer of my question (about ldap)
I want to configure that raop (and some others) must have a certificate to authenticate. Unfortunately I have no clue how to configure it.
The authentication works on HTTPS with client certificates; you need to set this up with your Apache server. Check in the manual for the SSLVerifyClient directive.
1. I assume that I do not have to add/change something in stack.yaml?
You need to remove the comments from the part starting with "Certificate via Webserver:"
2. What do I have to change or add in handler.yaml? I understand that I do not have to add something if the user certificate is given by ca-one? Remark: the openca-tools are installed...
openca-tools is not required, this is all done by the webserver. You need to adjust the identifier of the "cacert" value and the default role in the section "Certificate".
3. Do I have to add/change something in connector.yaml and role.yaml?
There is already a stub in connector.yaml, it points to a file named /home/pkiadm/ca-one-x509-roles.yaml - this file must list the common name of the certificate used with the associated user role as key/value pairs, e.g. if your certificate has a DN of "CN=Joerg Eckert, O=My Company, C=DE", and you want to become an Operator, you need to add:

    Joerg Eckert: RA Operator

The inline documentation of the base module has some more details on the options: perldoc OpenXPKI::Server::Authentication::X509
Oliver

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
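
The SSLVerifyClient setup referred to in the reply, as an Apache mod_ssl fragment added here for illustration; it is not taken from the thread or from the OpenXPKI distribution. The host name, file paths and verify depth are placeholders, and handing the certificate to the application through SSLOptions is an assumption about how the backend reads it.

```apache
# Added example: host name, paths and depth are placeholders.
<VirtualHost *:443>
    ServerName pki.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/server.crt
    SSLCertificateKeyFile /etc/apache2/tls/server.key

    # Trust anchors for CLIENT certificates. List only the CA chain whose
    # certificates are allowed to log in; every certificate that chains to
    # a CA in this file passes verification at the web server.
    SSLCACertificateFile /etc/apache2/tls/client-ca-chain.pem

    # Maximum number of intermediate CAs accepted between the client
    # certificate and a trust anchor.
    SSLVerifyDepth 2

    # Weak setting, shown for contrast: optional_no_ca lets a client present
    # a certificate that need not be verifiable against the CA file.
    # SSLVerifyClient optional_no_ca

    # "optional" requests a certificate and verifies it when one is sent;
    # clients without a certificate still reach the other login methods.
    # "require" instead fails the TLS handshake when no valid certificate
    # is presented.
    SSLVerifyClient optional

    # Export the verified certificate and its DN fields to the request
    # environment (SSL_CLIENT_CERT, SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY).
    # Assumption: the application takes the certificate from these variables.
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

Because the roles file is keyed on the common name alone, the CA chain in SSLCACertificateFile and the "cacert" identifier in handler.yaml decide whose "Joerg Eckert" is accepted.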
