Thanks for your responses.
I have added the hash of the Root CA for the Client Certificate to test.default:

authorized_signer:
    rule1:
        # Manufacturer Root CA
        identifier: VKIBAbQtFyqCur1UvfPINV0lCY8

However, I still get the same error
`I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED` during the state
START_ONBEHALF, global_set_error_signer_not_authorized.
Do I need to import the Root CA used to sign the TLS Client certificate
anywhere other than in /etc/ssl/certs and the identifier in est.default?
Or what is the best way to log what hashes are being used to validate the TLS
client certificate inside OpenXPKI?
Apache is configured to pass the following parameters:

    SSLCACertificatePath /etc/ssl/certs/
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

    # EST (RFC7030)
    ScriptAlias /.well-known/est /usr/lib/cgi-bin/est.fcgi

label: Enrollment
authorized_signer:
    rule1:
        # Manufacturer Root CA
        identifier: VKIBAbQtFyqCur1UvfPINV0lCY8
renewal_period: 000060
policy:
    allow_man_authen: 1
    allow_anon_enroll: 0
    allow_man_approv: 1
    allow_eligibility_recheck: 1
    approval_points: 1
    max_active_certs: 1
    auto_revoke_existing_certs: 1
    allow_replace: 1
    export_certificate: chain
profile:
    cert_profile: tls_nmos
    cert_subject_style: enroll
eligible:
    initial:
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1
On 21 Jan 2020, at 07:44, Oliver Welter <[email protected]> wrote:

On 20.01.20 at 16:34, James Gibson wrote:
Hi,
I am trying to configure OpenXPKI with EST to use the client certificate for
authorisation of the CSR to /simpleenroll, but keep getting the following error
'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED'
Do you have any examples of how to configure this? Most of the examples seem to
use the 'identifier' keyword, but do not explain how to create the identifier
hash.

File est.default:

    rule3:
        identifier: <hash>
The client certificate is not signed by the same CA as OpenXPKI is issuing for
and the CN is not the same.
The client certificate has been added to /etc/ssl/certs so Apache can
authenticate the client certificate.
The client provides both the client certificate and intermediate certificate,
to form the chain of trust.
As Martin already said, you can calculate the identifier of the
certificate and nail it to the authorization. There is also the option
to check on the subject using a regex and perform chain validation
internally (you need to import the intermediates in that case into OXI
or modify the code to pass through the chain certificate).
Have a look here
https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Server/Workflow/Activity/Tools/EvaluateSignerTrust.pm#L355
best regards
Oliver
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
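The identifier Oliver and Martin refer to, worked through as an added example (editor's code, not part of this thread and not OpenXPKI's own code): OpenXPKI derives a certificate identifier as the SHA-1 of the DER-encoded certificate, base64-encoded with the URL-safe alphabet (`-` and `_` in place of `+` and `/`) and the trailing `=` padding removed, which is why the value in est.default above is 27 characters long. The script below computes that value for the client certificate and chain that Apache exports through `SSL_CLIENT_CERT` and `SSL_CLIENT_CERT_CHAIN_n` (the `+ExportCertData` option in the vhost above), so the identifiers actually presented can be logged and compared with the rule. The environment variable names are Apache's; `SAMPLE_ENV`, `SAMPLE_RULES`, the function names and the placeholder PEM bodies are constructed for this example and are not real certificates. Which certificate (the signer itself or one in its chain) a rule's `identifier` is compared against inside OpenXPKI is defined in the EvaluateSignerTrust.pm file Oliver links; read that before pinning a CA certificate rather than the end-entity certificate.

```python
import base64
import hashlib
import os
import re
from typing import Dict, Iterable, List, Optional

# Matches one PEM certificate body. DOTALL so it also works when the PEM has
# been flattened onto a single line (newlines replaced by spaces), which
# happens when the variable is relayed through a header or a CGI wrapper.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    body = re.sub(r"\s+", "", m.group(1))  # drop line breaks and stray spaces
    return base64.b64decode(body, validate=True)


# Shell equivalent for a PEM file, giving the same 27-character value:
#   openssl x509 -in cert.pem -outform DER | openssl dgst -sha1 -binary \
#     | base64 | tr '+/' '-_' | tr -d '='
def cert_identifier(der: bytes) -> str:
    """OpenXPKI certificate identifier: base64url(SHA-1(DER)) with '=' removed."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def identifiers_from_apache_env(env: Dict[str, str]) -> List[str]:
    """Identifiers of every certificate Apache exported with +ExportCertData:
    SSL_CLIENT_CERT first, then SSL_CLIENT_CERT_CHAIN_0, _1, ... in order."""
    names = ["SSL_CLIENT_CERT"]
    i = 0
    while f"SSL_CLIENT_CERT_CHAIN_{i}" in env:
        names.append(f"SSL_CLIENT_CERT_CHAIN_{i}")
        i += 1
    out = []
    for name in names:
        pem = env.get(name, "")
        if "BEGIN CERTIFICATE" not in pem:  # unset or "(null)": nothing presented
            continue
        out.append(cert_identifier(pem_to_der(pem)))
    return out


def matching_rule(authorized_signer: Dict[str, Dict[str, str]],
                  presented: Iterable[str]) -> Optional[str]:
    """Name of the first authorized_signer rule whose 'identifier' equals one
    of the presented identifiers, or None.

    Local diagnostic only: it tries the rule against every certificate in the
    TLS chain so you can see which one it would pin. Which certificate OpenXPKI
    itself compares is defined in EvaluateSignerTrust.pm, not here."""
    presented = set(presented)
    for name, rule in sorted(authorized_signer.items()):
        ident = rule.get("identifier")
        if ident and ident in presented:
            return name
    return None


# Constructed sample input (NOT real certificates): the PEM bodies carry the
# placeholder bytes b"abc" and b"abcd" so the example runs offline.
SAMPLE_ENV = {
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n",
    # flattened form, as seen when the variable has passed through a header
    "SSL_CLIENT_CERT_CHAIN_0": "-----BEGIN CERTIFICATE----- YWJjZA== -----END CERTIFICATE-----",
}

# Same shape as the authorized_signer block in est.default (hypothetical rule).
# "qZk-NkcGgWq6PiVxeFDCbJzQ2J0" is cert_identifier(b"abc"); note the '-' where
# standard base64 would have '+'.
SAMPLE_RULES = {"rule1": {"identifier": "qZk-NkcGgWq6PiVxeFDCbJzQ2J0"}}

if __name__ == "__main__":
    # Run under the FastCGI environment to see the real values; otherwise
    # fall back to the constructed sample.
    env = os.environ if "SSL_CLIENT_CERT" in os.environ else SAMPLE_ENV
    ids = identifiers_from_apache_env(env)
    for pos, ident in enumerate(ids):
        print(f"cert {pos}: {ident}")
    print("matching rule:", matching_rule(SAMPLE_RULES, ids))
```

Dropping the script next to est.fcgi and running it inside the same Apache environment prints one identifier per certificate in the order Apache saw them (client certificate first), which answers the "what hashes are being used" question without touching OpenXPKI's code; an identifier that appears in that output but is not the one the rule is compared against will still produce SIGNER_NOT_AUTHORIZED.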