On 20.01.20 at 16:34, James Gibson wrote:
>
> Hi,
>
> I am trying to configure OpenXPKI with EST to use the client certificate for
> authorisation of the CSR to /simpleenroll, but keep getting the following
> error 'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED'
>
> Do you have any examples on how to configure this? Most of the examples seem to
> use the 'identifier' keyword, but do not explain how to create the
> identifier hash.
>
> File est.default
> rule3:
>   identifier: <hash>
>
> The client certificate is not signed by the same CA as OpenXPKI is issuing
> for and the CN is not the same.
> The client certificate has been added to /etc/ssl/certs so Apache can
> authenticate the client certificate.
> The client provides both the client certificate and intermediate certificate,
> to form the chain of trust.
>
As Martin already said, you can calculate the identifier of the certificate and
nail it to the authorization.

There is also the option to check on the subject using a regex and perform
chain validation internally (you need to import the intermediates in that case
into OXI or modify the code to pass through the chain certificate).

Have a look here:
https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Server/Workflow/Activity/Tools/EvaluateSignerTrust.pm#L355

best regards

Oliver

--
Protect your environment - close windows and adopt a penguin!
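One way to compute that identifier at the shell, as an added example that is not from this thread or the OpenXPKI project. It assumes the identifier is the SHA-1 over the DER-encoded certificate, base64-encoded with the URL-safe alphabet and the trailing "=" padding removed (my reading of OpenXPKI's code, not stated in this thread); compare the output with the identifier OpenXPKI shows for an imported certificate before relying on it.

```shell
#!/bin/sh
# Added example, not OpenXPKI project code. Computes the value to put into
# an est.default rule such as:
#   rule3:
#     identifier: <output of openxpki_cert_identifier>
# Assumption: identifier = urlsafe_base64(sha1(DER(cert))) without "=" padding.
set -eu

# Print the identifier for a PEM-encoded certificate file ($1).
# Hash the *client* (signer) certificate, not the intermediate: the EST
# signer check compares the certificate that signed the request.
openxpki_cert_identifier() {
    openssl x509 -in "$1" -outform DER \
      | openssl dgst -sha1 -binary \
      | openssl base64 -A \
      | tr '+/' '-_' \
      | tr -d '='
}

# Constructed sample: a throwaway self-signed client certificate so the
# script runs offline. Replace "$1" with the real EST client certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=est-client-demo" -days 1 >/dev/null 2>&1
}

# Sanity check: SHA-1 is 20 bytes, so the unpadded base64 form is 27 chars
# drawn only from the URL-safe alphabet. Returns 0 if $1 looks valid.
looks_like_identifier() {
    [ "${#1}" -eq 27 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

if [ "${1:-}" != "" ]; then
    id=$(openxpki_cert_identifier "$1")
    looks_like_identifier "$id" && printf 'identifier: %s\n' "$id"
fi
```

Run it as `sh script.sh client.pem`; the printed line can be pasted into the rule.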
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
