Hi Darcy,

> I couldn't use the patch because I didn't install it from source.
The files are copied "as is" to /usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/,
so you can just patch them "in place".

> One other question, does this OpenXPKI server also support enrolment
> renewals using the EST protocol?
We wrote an implementation against the Cisco test client which basically
works for enrollment and renewal; support for CA rollover and some other
advanced features is not done yet.

Oliver

> 
> 
> Regards,
> 
> Darcy
> 
> 
> On Wed, 2018-10-31 at 07:25 +0100, Oliver Welter wrote:
>> Hi Darcy, Martin,
>>
>> here is a patch which is somewhat a "quick hack" that makes it work.
>> We are discussing how to move on with this but it should help you to get
>> things working until we have a final solution.
>>
>> Oliver
>>
>> diff --git a/core/server/OpenXPKI/Crypt/X509.pm
>> b/core/server/OpenXPKI/Crypt/X509.pm
>> index ae8ffcf2a..08360a743 100644
>> --- a/core/server/OpenXPKI/Crypt/X509.pm
>> +++ b/core/server/OpenXPKI/Crypt/X509.pm
>> @@ -63,7 +63,10 @@ has subject => (
>>      lazy => 1,
>>      default => sub {
>>          my $self = shift;
>> -        return join(',', reverse @{$self->_cert()->Subject});
>> +        return join ",", map {
>> +            # Replace S -> ST and l => L, see #674
>> +            $_ =~ s{\AS=}{ST=}; $_ =~ s{\Al=}{L=}; $_
>> +        } reverse @{$self->_cert()->Subject};
>>      }
>>  );
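Review bot: the two substitutions inside the new `map` block are applied to `$_`, which in `map` is an alias of the list element rather than a copy, so unless `->Subject` hands back fresh strings on every call the `S=`/`l=` to `ST=`/`L=` rename is written back into the parsed certificate data and any later reader of `->Subject` sees the rewritten values; copying first keeps the accessor side-effect free, e.g. `my $rdn = $_; $rdn =~ s{\AS=}{ST=}; $rdn =~ s{\Al=}{L=}; $rdn`. A smaller point: `\AS=` matches only the uppercase form while `\Al=` matches only the lowercase one, which is fine if that is exactly what the parser emits, but a few words next to the `#674` comment saying so would stop the next reader from wondering whether `s=` and `L=` were overlooked.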
>>
>>
>> Am 30.10.2018 um 23:53 schrieb Oliver Welter:
>>> Hi Darcy,
>>>
>>> I shouldn't do such things at midnight - I can see in the logs that
>>> there is a ST attribute in your request. So please remove this and all
>>> should work - if you are interested in the background ->
>>> https://github.com/openxpki/openxpki/issues/674
>>>
>>> Oliver
>>>
>>> Am 30.10.2018 um 23:40 schrieb Oliver Welter:
>>>> Hi Darcy,
>>>>
>>>> one question I can not answer myself from the logs - did you have
>>>> an L and/or ST attribute in your CSR (there is a bug!)? If so, please
>>>> remove it and try again - with the sample profiles only the CN is used,
>>>> so anything else is ignored.
>>>>
>>>> If this is not the case, please try to enroll against our public
>>>> demo http://oxi-ee-demo.whiterabbitsecurity.com/scep/scep or send me your
>>>> CSR/Key or openssl command to generate a similar CSR.
>>>>
>>>> best regards
>>>>
>>>> Oliver
>>>>
>>>> Am 29.10.2018 um 18:27 schrieb Darcy Watkins:
>>>>> Hi,
>>>>>
>>>>> Included some of the log file output...
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I set up the...
>>>>>>
>>>>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>>>>
>>>>>> ...and it doesn't seem to make any difference.  Still get the
>>>>>> same error response.
>>>>>>
>>>>>> For the step immediately before the scep-enroll (generating the key,
>>>>>> etc), apart from the challenge secret specified in the online doc, is
>>>>>> there anything special that I should be entering in as all the other
>>>>>> fields I am prompted for?
>>>>>>
>>>>>> Regarding the security concern, this is a test server setup for proof
>>>>>> of concept.
>>>>>>
>>>>>>
>>>>>
>>>>> /var/log/openxpki/scep.log ...
>>>>>
>>>>> 2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
>>>>> 2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
>>>>> 2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
>>>>> 2018/10/29 10:05:27 DEBUG:2507 Response send
>>>>>
>>>>> /var/log/openxpki/workflows.log ...
>>>>>
>>>>> 2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
>>>>> 2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
>>>>> 2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).
>>>>>
>>>>> /var/log/openxpki/catchall.log
>>>>>
>>>>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>> 2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Darcy
>>>>>>
>>>>>> Darcy Watkins ::  Senior Staff Engineer, Firmware
>>>>>>
>>>>>> SIERRA WIRELESS
>>>>>> Direct  +1 604 233 7989   ::  Fax  +1 604 231 1109  ::  Main  +1 604 231 1100
>>>>>> 13811 Wireless Way  :: Richmond, BC Canada V6V 3A4
>>>>>> [email protected] :: www.sierrawireless.com
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Martin Bartosch <[email protected]> 
>>>>>> Sent: October-27-18 7:19 AM
>>>>>> To: [email protected]
>>>>>> Subject: Re: [OpenXPKI-users] FW: SCEP server setup
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>> I followed the instructions at https://openxpki.readthedocs.io/en/latest/quickstart.html
>>>>>>> to set up a test server configuration and can log in, etc. I built an sscep client
>>>>>>> to test the SCEP service.  Everything appears to work OK up to the last stage.
>>>>>>>
>>>>>>> For the last stage,
>>>>>>>
>>>>>>> sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
>>>>>>>     -k tmp/scep-test.key -r tmp/scep-test.csr \
>>>>>>>     -c tmp/cacert-0 \
>>>>>>>     -l tmp/scep-test.crt \
>>>>>>>     -t 10 -n 1
>>>>>>>
>>>>>>> I get the following error:
>>>>>>>
>>>>>>> sscep: sending certificate request
>>>>>>> sscep: valid response from server
>>>>>>> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
>>>>>>> sscep: pkistatus: FAILURE
>>>>>>> sscep: reason: Transaction not permitted or supported
>>>>>>
>>>>>> The command you use tries to perform an anonymous initial enrollment
>>>>>> against the SCEP server. The OpenXPKI team believes that certificate
>>>>>> enrollment should be both authenticated and authorized, hence
>>>>>> anonymous SCEP initial enrollment is disabled by default.
>>>>>>
>>>>>> If you wish to allow this, set
>>>>>>
>>>>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>>>>
>>>>>> in your configuration. You should consider the security implications
>>>>>> for production deployments.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenXPKI-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin!

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
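The thread above turns on one detail: the signer DN that OpenXPKI rendered from the request carried `S=Some-State`, while the standard short name for stateOrProvinceName (RFC 4519) is `ST`, so a string comparison against a trust list written with the standard names can never match, and the quoted patch works around that by remapping `S` to `ST` and `l` to `L` while building the subject string. The module below is an added example, not code from OpenXPKI or from anyone on this thread. It performs the same remap without mutating the parsed data, then shows that the signer DN taken from the quoted workflows.log line fails a plain string lookup but matches a trust-list entry once both sides are normalised. The DN parser, the alias table beyond the two cases in the patch, and the trust-list entry are assumptions constructed for the example; attribute values are compared exactly, which is stricter than the X.500 matching rules.

```python
"""Normalise X.509 distinguished names before looking them up in a trust list.

Added example, not OpenXPKI code. The alias remap mirrors the quoted patch
(S -> ST, l -> L) but builds new strings instead of editing the parsed list.
"""
from __future__ import annotations

# Non-standard attribute short names mapped to their RFC 4519 names.
# "S" and "l" are the two cases the quoted patch handles; "E" is an
# additional assumption (a common OpenSSL alias for emailAddress).
RDN_ALIASES = {
    "S": "ST",
    "l": "L",
    "E": "emailAddress",
}


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style string into (type, value) pairs.

    Constructed for this example: it honours backslash-escaped commas
    (O=Acme\\, Inc) but does not implement the full RFC 4514 grammar.
    """
    parts: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Return dn with aliased attribute types replaced by canonical names.

    Unlike an in-place s/// over the parsed list, the input is left untouched.
    """
    return ",".join(
        f"{RDN_ALIASES.get(attr, attr)}={value}" for attr, value in split_dn(dn)
    )


def dn_equal(a: str, b: str) -> bool:
    """True if two DNs match after aliasing and case-folding the attribute types.

    Values are compared exactly (an assumption; X.500 matching rules are looser).
    """

    def key(dn: str) -> list[tuple[str, str]]:
        return [(t.upper(), v) for t, v in split_dn(normalize_dn(dn))]

    return key(a) == key(b)


def find_trusted_signer(signer_dn: str, trust_list: list[str]) -> str | None:
    """Return the trust-list entry matching signer_dn, or None if absent."""
    for entry in trust_list:
        if dn_equal(signer_dn, entry):
            return entry
    return None


# Signer DN exactly as it appears in the quoted workflows.log line.
SIGNER_FROM_LOG = "CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU"
# Constructed trust-list entry written with the standard ST short name.
TRUST_LIST = ["CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"]

if __name__ == "__main__":
    print("plain string match :", SIGNER_FROM_LOG in TRUST_LIST)
    print("normalised signer  :", normalize_dn(SIGNER_FROM_LOG))
    print("trust-list hit     :", find_trusted_signer(SIGNER_FROM_LOG, TRUST_LIST))
```

Doing the normalisation on the comparison path, rather than only at rendering time, means a trust list written by hand with `ST=` keeps matching whatever short name the underlying parser emits, and the original parsed subject stays available for logging and auditing.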
