Hi Oliver,
I applied the bug fix and it works now.
Thank you very much!
Ronny
On 1/3/19 3:01 PM, Oliver Welter wrote:
Hi Ronny,
you have been hit by this bug
https://github.com/openxpki/openxpki/issues/674
It's already fixed on the development branch but there is no release yet
so you need to apply the patch by yourself (or build your own packages).
Oliver
On 03.01.19 at 13:35, Ronald Feicht wrote:
Hi all,
I am trying to expand certificate enrollment via SCEP to include (among
others) the location field "L" in the approval workflow.
OpenXPKI version: 2.2.3
What I have done so far:
I installed and configured openxpki to receive, process, manually
approve CSRs and return generated certificates via SCEP. I expanded my
custom profile (a copy of I18N_OPENXPKI_PROFILE_TLS_SERVER.yaml) in the
following manner:
...
enroll:
    subject:
        dn: CN=[% CN.0 %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %][% IF O %][% FOREACH entry = O %],O=[% entry %][% END %][% END %][% IF DC %][% FOREACH entry = DC %],DC=[% entry %][% END %][% END %][% IF L %],L=[% L.0 %][% END %][% IF C %],C=[% C.0 %][% END %]
...
template:
    id: L
    label: I18N_OPENXPKI_UI_PROFILE_HOSTNAME
    placeholder: PLZ und Stadt
    tooltip: I18N_OPENXPKI_UI_PROFILE_HOSTNAME_TOOLTIP
    description: I18N_OPENXPKI_UI_PROFILE_HOSTNAME_DESC
    type: freetext
    preset: "[% L %]"
    match: .+
    width: 120
This works for the fields "CN", "O", "OU", "DC", "C" and "SAN:DNS". Yet,
when I include "L=..." in the CSR the workflow stops at workflow history
state
    START_ONBEHALF  global_set_error_signer_not_authorized  AUTORUN  scep-server-1  openxpki
instead of proceeding to
    START_INITIAL  enroll_calculate_hmac  AUTORUN  scep-server-1  openxpki
The reason for this is that
csr_subject = "CN=ronny.scsynergy.local,O=GmbH,L=55294 Stadt Land Fluss,C=de" whereas the
signer_subject = "CN=ronny.scsynergy.local,O=GmbH,l=55294 Stadt Land Fluss,C=de". Mind the lowercase "L" here.
I changed START_ONBEHALF into START_INITIAL in the function
SIGNED_REQUEST:
    autorun: 1
    action:
      - set_mode_initial > START_INITIAL ? signer_subject_matches_csr_subject signer_key_matches_subject_key
      - set_mode_onbehalf > START_ONBEHALF ? !signer_subject_matches_csr_subject
      - set_mode_renewal > START_RENEWAL ? signer_subject_matches_csr_subject !signer_key_matches_subject_key
in the file
/etc/openxpki/config.d/realm/ca-one/workflow/def/certificate_enroll.yaml
just to see whether the workflow would finish if the subjects matched.
And it did - a certificate was issued with a capital "L" field.
I checked and double checked the subject DNs of the CSR and the
self-signed signer certificate and both have a capital "L" in their
subject DNs. So, it must be an issue on the openxpki server side which
seems to extract the "L" field from the signer certificate as lowercase.
So, how do I fix this?
Best regards
Ronny
--
*sc synergy GmbH*
Am Kümmerling 24-26 | 55294 Bodenheim | Germany
Phone: +49 6135 71691 - 000 | Fax: +49 6135 71691 - 199
http://www.scsynergy.com | [email protected]
Registered office Bodenheim, HRB 8830, Amtsgericht Mainz,
Managing Director: Christian Reichert
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
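Added example (not part of the original thread, and not OpenXPKI's code or its fix for issue 674): a Python illustration of why a plain string comparison of the two subjects quoted above fails, and how comparing parsed RDNs with case-folded attribute type names avoids it. The function names are hypothetical; attribute values are deliberately compared exactly, so only the type name ("L" vs "l") is treated as case-insensitive.

```python
# Subjects as quoted in the thread above.
CSR_SUBJECT = "CN=ronny.scsynergy.local,O=GmbH,L=55294 Stadt Land Fluss,C=de"
SIGNER_SUBJECT = "CN=ronny.scsynergy.local,O=GmbH,l=55294 Stadt Land Fluss,C=de"


def parse_dn(dn):
    """Split a comma-separated DN string into (type, value) pairs.

    Backslash-escaped commas stay inside the value. Multi-valued RDNs ('+')
    are not split, which is sufficient for the subjects shown in the thread.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def subjects_match(signer_subject, csr_subject):
    """Compare RDN by RDN: type names case-folded, values and order exact."""
    fold = lambda dn: [(a.upper(), v) for a, v in parse_dn(dn)]
    return fold(signer_subject) == fold(csr_subject)


def case_only_mismatches(signer_subject, csr_subject):
    """Return (signer_type, csr_type) pairs that differ only in letter case."""
    a, b = parse_dn(signer_subject), parse_dn(csr_subject)
    if len(a) != len(b):
        return []
    return [(ta, tb) for (ta, va), (tb, vb) in zip(a, b)
            if ta != tb and ta.upper() == tb.upper() and va == vb]
```

Running `case_only_mismatches` on the two subjects from a stalled workflow shows whether the only difference is the attribute type casing described in the thread, before any change is made to the workflow conditions.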