Hi James,

I think you got that wrong - the identifier always refers to the special signer certificate, so what you configured is to accept a TLS Auth using the Root CA as TLS Client.

If you want to go this way you need to assign an alias to the root certificate using "openxpkiadm alias" and put this as "root-alias" in the rules. It might also be required to set realm = _any.

Oliver

On 21.01.20 at 11:53, James Gibson wrote:
> Thanks for your responses.
>
> I have added the hash of the Root CA for the Client Certificate to est.default
>
> authorized_signer:
>     rule1:
>         # Manufacturer Root CA
>         identifier: VKIBAbQtFyqCur1UvfPINV0lCY8
>
> However I still get the same error `I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED`, during the state
> START_ONBEHALF
> global_set_error_signer_not_authorized
>
> Do I need to import the Root CA used to sign the TLS Client certificate anywhere other than in /etc/ssl/certs and the identifier in est.default?
> Or what is the best way to log what hashes are being used to validate the TLS client certificate inside OpenXPKI?
>
> Apache is configured to pass the following parameters
> SSLCACertificatePath /etc/ssl/certs/
> SSLVerifyClient optional
> SSLVerifyDepth 3
> SSLOptions +StdEnvVars +ExportCertData
> # EST (RFC7030)
> ScriptAlias /.well-known/est /usr/lib/cgi-bin/est.fcgi
>
> label: Enrollment
>
> authorized_signer:
>     rule1:
>         # Manufacturer Root CA
>         identifier: VKIBAbQtFyqCur1UvfPINV0lCY8
>
> renewal_period: 000060
>
> policy:
>     allow_man_authen: 1
>     allow_anon_enroll: 0
>     allow_man_approv: 1
>     allow_eligibility_recheck: 1
>     approval_points: 1
>     max_active_certs: 1
>     auto_revoke_existing_certs: 1
>     allow_replace: 1
>     export_certificate: chain
>
> profile:
>     cert_profile: tls_nmos
>     cert_subject_style: enroll
>
> eligible:
>     initial:
>         value: 1
>     renewal:
>         value: 1
>     onbehalf:
>         value: 1
>
>> On 21 Jan 2020, at 07:44, Oliver Welter <[email protected]> wrote:
>>
>> On 20.01.20 at 16:34, James Gibson wrote:
>>>
>>> Hi,
>>>
>>> I am trying to configure OpenXPKI with EST to use the client certificate for authorisation of the CSR to /simpleenroll, but keep getting the following error 'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED'
>>>
>>> Do you have any examples on how to configure this? Most of the examples seem to use the 'identifier' keyword, but do not explain how to create the identifier hash.
>>>
>>> File est.default
>>>     rule3:
>>>         identifier: <hash>
>>>
>>> The client certificate is not signed by the same CA as OpenXPKI is issuing for and the CN is not the same.
>>> The client certificate has been added to /etc/ssl/certs so Apache can authenticate the client certificate.
>>> The client provides both the client certificate and intermediate certificate, to form the chain of trust.
>>>
>>
>> As Martin already said you can calculate the identifier of the certificate and nail it to the authorization. There is also the option to check on the subject using a regex and perform chain validation internally (you need to import the intermediates in that case into OXI or modify the code to pass through the chain certificate)
>>
>> Have a look here
>> https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Server/Workflow/Activity/Tools/EvaluateSignerTrust.pm#L355
>>
>> best regards
>>
>> Oliver
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
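To make Oliver's point checkable, here is an added example (my own code, not OpenXPKI's or anything from the list) that derives the certificate identifier the way OpenXPKI does (SHA-1 over the DER certificate, URL-safe base64, padding stripped) and evaluates an `identifier` rule against the leaf of a presented chain. The certificate bytes are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re


def cert_identifier(der: bytes) -> str:
    """OpenXPKI certificate identifier: SHA-1 over the DER-encoded
    certificate, base64 with the URL-safe alphabet ('-' and '_'),
    padding removed. Always 27 characters, like VKIBAbQtFyqCur1UvfPINV0lCY8."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der(pem_text: str) -> list:
    """Decode each CERTIFICATE block of a PEM bundle, in file order.
    With 'SSLOptions +ExportCertData' Apache exports the client leaf as
    SSL_CLIENT_CERT and the sent intermediates as SSL_CLIENT_CERT_CHAIN_n."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_BLOCK.findall(pem_text)]


def identifier_rule_matches(rule: dict, presented_chain: list) -> bool:
    """An authorized_signer 'identifier' rule is compared against the signer
    certificate only (the TLS client leaf, chain[0]). The identifier of the
    root or an intermediate never matches, which is the SIGNER_NOT_AUTHORIZED
    situation in the thread."""
    if not presented_chain or "identifier" not in rule:
        return False
    return rule["identifier"] == cert_identifier(presented_chain[0])


def to_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for DER certificates (NOT real certificates); the
# identifier depends only on the bytes, so distinct blobs illustrate it.
LEAF_DER = b"constructed: device TLS client certificate"
INTERMEDIATE_DER = b"constructed: manufacturer issuing CA"
ROOT_DER = b"constructed: manufacturer root CA"
PRESENTED_CHAIN = [LEAF_DER, INTERMEDIATE_DER]   # what the EST client sends
SAMPLE_PEM_BUNDLE = "".join(to_pem(d) for d in PRESENTED_CHAIN)


def evaluate_rules() -> dict:
    """Which rule lets enrollment proceed for PRESENTED_CHAIN."""
    root_rule = {"identifier": cert_identifier(ROOT_DER)}   # James's rule1
    leaf_rule = {"identifier": cert_identifier(LEAF_DER)}   # what is needed
    return {"root_identifier_rule": identifier_rule_matches(root_rule, PRESENTED_CHAIN),
            "leaf_identifier_rule": identifier_rule_matches(leaf_rule, PRESENTED_CHAIN)}
```

Run it against the real files with `pem_bundle_to_der(open("client.pem").read())` to get the value to paste into `identifier:`; for a whole manufacturer hierarchy, the `root-alias` route Oliver describes avoids maintaining one identifier per device.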
