Hi Ronny,

you have been hit by this bug
https://github.com/openxpki/openxpki/issues/674

It's already fixed on the development branch but there is no release yet,
so you need to apply the patch yourself (or build your own packages).

Oliver

On 03.01.19 at 13:35, Ronald Feicht wrote:
> Hi all,
> 
> I am trying to expand certificate enrollment via SCEP to include (among
> others) the location field "L" in the approval workflow.
> OpenXPKI version: 2.2.3
> What I have done so far:
> I installed and configured openxpki to receive, process, manually
> approve CSRs and return generated certificates via SCEP. I expanded my
> custom profile (a copy of I18N_OPENXPKI_PROFILE_TLS_SERVER.yaml) in the
> following manner:
> ...
> enroll:
>         subject:
>             dn: CN=[% CN.0 %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %][% IF O %][% FOREACH entry = O %],O=[% entry %][% END %][% END %][% IF DC %][% FOREACH entry = DC %],DC=[% entry %][% END %][% END %][% IF L %],L=[% L.0 %][% END %][% IF C %],C=[% C.0 %][% END %]
> ...
> template:
>     id: L
>     label: I18N_OPENXPKI_UI_PROFILE_HOSTNAME
>     placeholder: PLZ und Stadt
>     tooltip: I18N_OPENXPKI_UI_PROFILE_HOSTNAME_TOOLTIP
>     description: I18N_OPENXPKI_UI_PROFILE_HOSTNAME_DESC
>     type: freetext
>     preset: "[% L %]"
>     match: .+
>     width: 120
> 
> This works for the fields "CN", "O", "OU", "DC", "C" and "SAN:DNS". Yet,
> when I include "L=..." in the CSR the workflow stops at workflow history
> state
> START_ONBEHALF | global_set_error_signer_not_authorized | AUTORUN | scep-server-1 | openxpki
> 
> instead of proceeding to
> START_INITIAL | enroll_calculate_hmac | AUTORUN | scep-server-1 | openxpki
> 
> 
> The reason for this is that
> csr_subject = "CN=ronny.scsynergy.local,O=GmbH,L=55294 Stadt Land Fluss,C=de"
> whereas the
> signer_subject = "CN=ronny.scsynergy.local,O=GmbH,l=55294 Stadt Land Fluss,C=de".
> Mind the lowercase "L" here.
> 
> I changed START_ONBEHALF into START_INITIAL in the function
> SIGNED_REQUEST:
>         autorun: 1
>         action:
>           - set_mode_initial > START_INITIAL ? signer_subject_matches_csr_subject signer_key_matches_subject_key
>           - set_mode_onbehalf > START_ONBEHALF ? !signer_subject_matches_csr_subject
>           - set_mode_renewal > START_RENEWAL ? signer_subject_matches_csr_subject !signer_key_matches_subject_key
> in the file
> /etc/openxpki/config.d/realm/ca-one/workflow/def/certificate_enroll.yaml
> just to see whether the workflow would finish if the subjects matched.
> And it did - a certificate was issued with a capital "L" field.
> 
> I checked and double checked the subject DNs of the CSR and the
> self-signed signer certificate and both have a capital "L" in their
> subject DNs. So, it must be an issue on the openxpki server side which
> seems to extract the "L" field from the signer certificate as lowercase.
> 
> So, how do I fix this?
> 
> Best regards
> Ronny
> 
> -- 
> *sc synergy GmbH*
> Am Kümmerling 24-26 | 55294 Bodenheim | Deutschland
> Fon: +49 6135 71691 - 000 | Fax: +49 6135 71691 - 199
> http://www.scsynergy.com | [email protected]
> Sitz der Gesellschaft Bodenheim, HRB 8830, Amtsgericht Mainz,
> Geschäftsführer: Christian Reichert
> 
> 
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


-- 
Protect your environment -  close windows and adopt a penguin!
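
The mismatch described in the quoted message, as an added example that is not part of the original thread and is not OpenXPKI code: the two subject strings differ only in the case of the `L` attribute type, so a byte-for-byte comparison fails while a comparison that normalizes attribute type names (which are case-insensitive) succeeds. The function names and the simplified RFC 4514 parsing (no quoted or hex-encoded values) are assumptions of this sketch.

```python
# Added illustration; not OpenXPKI code. The sample DNs are the two strings
# quoted in the post; all function names are hypothetical.

def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Return a tuple of RDNs; each RDN is a sorted tuple of (TYPE, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        atvs = []
        for atv in split_unescaped(rdn, "+"):
            attr_type, sep, value = atv.partition("=")
            if not sep or not attr_type.strip():
                raise ValueError(f"malformed RDN component: {atv!r}")
            # Only the attribute type name is case-folded; values stay untouched.
            atvs.append((attr_type.strip().upper(), value))
        rdns.append(tuple(sorted(atvs)))
    return tuple(rdns)


def subjects_match(a, b):
    """Compare two DN strings RDN by RDN, in order, after type normalization."""
    return normalize_dn(a) == normalize_dn(b)


CSR_SUBJECT = "CN=ronny.scsynergy.local,O=GmbH,L=55294 Stadt Land Fluss,C=de"
SIGNER_SUBJECT = "CN=ronny.scsynergy.local,O=GmbH,l=55294 Stadt Land Fluss,C=de"

if __name__ == "__main__":
    print("raw string compare :", CSR_SUBJECT == SIGNER_SUBJECT)
    print("normalized compare :", subjects_match(CSR_SUBJECT, SIGNER_SUBJECT))
```

RDN order and attribute values are still compared exactly, so the check does not become more permissive than the type-name case difference requires.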
