Hi Oliver,

Works like a charm now :)

There was a little misunderstanding on my part. I thought OpenXPKI would do the 
auth stuff. So after adding the SSLOptions and a correct server cert/key/chain, it 
went as expected :)

I got one more question ;)

I have the CN in my requests and would like to add other stuff like OU, O, L 
and so on when issuing the cert.

This is what I use right now:


style:
    00_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            subject:
                - cn

        subject:
            dn: CN=[% cn %],OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE

        metadata:
            cn: "[% cn %]"

    enroll:
        subject:
            dn: CN=[% cn %],OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE

When requesting over the GUI it works fine, but via RPC, where I don't enter the 
CN (but it is in the REQ), the subject looks like:
CN=,OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE

Which gives an error when issuing the cert. If I remove the CN part from the 
subject like:

    enroll:
        subject:
            dn: OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE

The subject looks like:

OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE. The CN from the REQ is ignored and also 
not in the issued cert.

Is there a way to get the CN from the request? I think there is, because it also 
works when doing a request via SCEP. But before I try to destroy the workflow, it 
would be nice if there were a way to do it with the profile :)


Thanks for the help.


Best regards

Andreas Krieger

-----Original Message-----
From: Oliver Welter [mailto:[email protected]] 
Sent: Thursday, 6 September 2018 15:55
To: [email protected]
Subject: Re: [OpenXPKI-users] Error when Requesting over RPC

Hi Andreas,

> 2018/09/05 11:10:04 DEBUG:11171 RPC unauthenticated (no cert)

As I just noticed that we forgot to mention that part in the docs and sample 
configuration, I assume that your webserver is just not sending the certificate 
to the script ;)

You must add "SSLOptions +StdEnvVars +ExportCertData" to your SSL Host 
configuration to make the environment and authentication certificate available 
to the script.

best regards

Oliver

On 05.09.2018 at 11:26, [email protected] wrote:
> Hello.
> 
> I am trying to write a client in C# to do certificate requests over REST.
> 
> Doing the SearchCertificate works just fine, but when using the 
> RequestCertificate (which is described in the /etc/openxpki/rpc/...conf) I 
> get an error that the request is not authenticated.
> 
> The response from the OpenXPKI WebService is:
> {"result":{"data":{"error_code":"I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED"},"state":"FAILURE","pid":11171,"id":"8191"}}
> 
> Rpc.log shows:
> 2018/09/05 11:10:04 DEBUG:11171 Autodetect config file for service rpc: ca-iaxd.conf
> 2018/09/05 11:10:04 DEBUG:11171 calling context is https
> 2018/09/05 11:10:04 DEBUG:11171 RPC unauthenticated (no cert)
> 2018/09/05 11:10:04 DEBUG:11171 Initialize client
> 2018/09/05 11:10:04 DEBUG:11171 Started volatile session with id: 1ujveeuw6BGWImGK1JWZug==
> 2018/09/05 11:10:04 DEBUG:11171 Selecting realm ca-iaxd
> 2018/09/05 11:10:04 DEBUG:11171 Selecting auth stack _System
> 2018/09/05 11:10:05 DEBUG:11171 Workflow created (ID: 8191), State: FAILURE
> 2018/09/05 11:10:05 INFO:11171 RPC request was processed properly (Workflow: 8191, State: FAILURE
> 2018/09/05 11:10:05 DEBUG:11171 Keys cert_identifier, error_code
> 2018/09/05 11:10:05 INFO:11171 Disconnect client
> 
> What exactly does the '2018/09/05 11:10:04 DEBUG:11171 RPC unauthenticated 
> (no cert)' line mean? I have used a certificate which I also use for SCEP.
> 
> I have also followed some of the instructions from another user's post to create a 
> client certificate with the subject "myhost:pkiclient", where myhost is the 
> hostname of my OpenXPKI machine; the certificate and key are under /tmp.
> 
> I also got the following lines in the realms rpc.conf:
> 
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:scepclient,.*
>     rule2:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>     rule3:
>         identifier: JhkmsmPpsQrmrXoBRLJl2UIcSFc
> 
> So rule 2 should catch the client certificate I have created for the RPC 
> request and rule 3 should catch the SCEP certificate I use in my REST 
> request, as it matches the identifier.
> 
> What exactly am I doing wrong? :)
> 
> 
> Best regards
> 
> Andreas Krieger
> 
> operational services GmbH & Co. KG
> Junior Systems Engineer, Mirrorserver/2 T3-Application Services North
> 
> Pascalstrasse 11
> 10587 Berlin | Germany
> Telefon +49 375 60619 905
> 
> [email protected]
> www.operational-services.de/
> 
> Please find the compulsory statements here:
> www.operational-services.de/compulsoryStatements
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's 
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


--
Protect your environment -  close windows and adopt a penguin!
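
The two points in this thread (the client certificate only reaches the RPC script once mod_ssl exports it, and only then are the authorized_signer subject rules consulted) can be modelled as follows. This is an added example, not part of the original messages and not OpenXPKI's own code; the function name, the sample environments and the DN suffix are constructed, and it assumes the script reads the standard mod_ssl variables and that a subject rule must match the whole DN.

```python
import re

# Subject rules from the authorized_signer block quoted in the thread.
# rule3 matches on a certificate identifier and is left out of this model.
SUBJECT_RULES = {
    "rule1": r"CN=.+:scepclient,.*",
    "rule2": r"CN=.+:pkiclient,.*",
}

def evaluate_signer(env, rules=SUBJECT_RULES):
    """Return (status, matched_rule) for one request environment (hypothetical helper).

    Assumptions: the caller is identified from SSL_CLIENT_S_DN (exported by
    +StdEnvVars) and SSL_CLIENT_CERT (exported by +ExportCertData), and each
    subject rule is a regular expression that must match the full DN.
    """
    dn = env.get("SSL_CLIENT_S_DN")
    pem = env.get("SSL_CLIENT_CERT")
    if not dn or not pem:
        # A certificate may have been presented in the TLS handshake,
        # but nothing was handed to the script.
        return ("unauthenticated (no cert)", None)
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        # Exported but not validated by the web server: do not trust it.
        return ("certificate not verified by web server", None)
    for name, pattern in rules.items():
        if re.fullmatch(pattern, dn):
            return ("authorized", name)
    return ("certificate present but no rule matched", None)

# Constructed sample environments (placeholder PEM, constructed DN suffix).
PEM = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----"
WITHOUT_SSLOPTIONS = {"HTTPS": "on", "REQUEST_METHOD": "POST"}
WITH_SSLOPTIONS = {
    "HTTPS": "on",
    "REQUEST_METHOD": "POST",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=myhost:pkiclient,DC=Example,DC=org",
    "SSL_CLIENT_CERT": PEM,
}
# Subject consisting of the CN alone: the rules end in ",.*" and so
# require at least one more RDN after the CN.
BARE_CN = dict(WITH_SSLOPTIONS, SSL_CLIENT_S_DN="CN=myhost:pkiclient")

if __name__ == "__main__":
    for label, env in [("without SSLOptions", WITHOUT_SSLOPTIONS),
                       ("with SSLOptions", WITH_SSLOPTIONS),
                       ("bare CN subject", BARE_CN)]:
        print(label, "->", evaluate_signer(env))
```
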
