Hi Oliver,

I can now request/search as many certificates as I want.

The only thing that is left is to get the certificates via REST. I can see
some information in the rpc.fcgi like 

'=head3 Process Information

You can add a list of workflow context items to be exported with the
response:'

but I don't know where to find/add those items. I can't even find the
error_code from

output = cert_identifier, error_code

in the workflow. The search_certificate method from REST also doesn't give me
the certificate.

I have added the last line in the certificate_search workflow

    get_certificate_data:
        class: OpenXPKI::Server::Workflow::Activity::Tools::SetContext
        param:
            _map_notbefore: "[% USE Certificate %][% Certificate.notbefore(context.cert_identifier) %]"
            _map_notafter: "[% USE Certificate %][% Certificate.notafter(context.cert_identifier) %]"
            _map_status: "[% USE Certificate %][% Certificate.status(context.cert_identifier) %]"
            _map_data: "[% USE Certificate %][% Certificate.data(context.cert_identifier) %]"

I think data in Certificate.data(context.cert_identifier) should be the data
field in the database?


Is there a way to get the certificates as pem?

I tried it also with download.fcgi but I don't know if it can be used with
the latest 1.20 version. It was not installed so I added it from github.



Best regards

Andreas Krieger

-----Original Message-----
From: Oliver Welter [mailto:[email protected]] 
Sent: Sunday, 9 September 2018 20:53
To: [email protected]
Subject: Re: [OpenXPKI-users] Error when Requesting over RPC

Hi Andreas,


On 07.09.2018 at 14:08, [email protected] wrote:
> Hi Oliver,
> 
> Works like a charm now :)
glad to hear ;)

> There was a little misunderstanding from myself. I thought OpenXPKI 
> will do the auth stuff. So after adding the SSLOptions, a correct 
> Server cert/key/chain it went as expected :)

Well, that's half the truth - the authentication step is split into two parts.
The apache handles the TLS authentication and therefore is responsible to
ensure the client has access to the private key of the provided certificate
but the validation if the certificate is from a trusted CA is done inside
OpenXPKI.

You CAN configure your apache using the SSLVerify options to exclude
unwanted TLS clients but we do not expect this, so even the "SSLVerifyClient
optional_no_ca" is fine for us.

> I got one more question ;)
> 
> I have in my requests the CN and would like to add other stuff like OU, O,
> L and so on when issuing the cert.
> 

>      enroll:
>          subject:
>              dn: CN=[% cn %],OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE
> 
> When requesting over the GUI it works fine but via RPC where I don't enter
> the CN (but is in the REQ) the Subject looks like:
> CN=,OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE
Short Answer: use "CN=[% CN.0 %]"

Long Answer: The CSR is parsed and stored with the DN attributes as arrays
with attribute names all uppercased. Have a look into the "Workflow
Context", you should see the parser result in the key cert_subject_parts
there.

Oliver

--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
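
The `CN.0` answer above, as an added example that is not part of the original thread and not OpenXPKI's own code: it renders the subject template from the thread with Template Toolkit against a hand-built hash shaped like the parsed subject the reply describes (uppercase attribute names, array values). The hash contents, the `render` helper and the final empty-CN guard are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample: DN attributes stored as arrays under uppercase keys,
# the shape the reply describes for cert_subject_parts. The value is made up.
my %subject_parts = (
    CN => ['host1.example.org'],
);

# Hypothetical helper: render one template string against the parsed subject.
sub render {
    my ($template) = @_;
    my $tt  = Template->new() or die Template->error();
    my $out = '';
    $tt->process(\$template, \%subject_parts, \$out) or die $tt->error();
    return $out;
}

# Fixed part of the subject, copied from the enroll template in the thread.
my $suffix = 'OU=XXX,O=XXX,L=Berlin,ST=Berlin,C=DE';

# Template Toolkit names are case-sensitive: lowercase "cn" is not a key in
# the hash, so it renders as an empty string and the subject starts "CN=,".
print render("CN=[% cn %],$suffix"), "\n";

# "CN" exists but holds an array reference; inserting it directly puts the
# stringified reference into the subject instead of the name.
print render("CN=[% CN %],$suffix"), "\n";

# Index 0 selects the first CN value from the array.
my $dn = render("CN=[% CN.0 %],$suffix");
print $dn, "\n";

# Guard worth having before issuance: refuse a subject whose CN is empty.
die "empty CN in rendered subject\n" if $dn =~ /^CN=(?:,|$)/;
```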

