Hi,

I have had some success with using an externally trusted CA to authorise EST 
clients; here are some notes on how to enable this, for the record.

Added External Root CA to certificate database
Added an alias for External Root CA
Added alias to `authorized_signer` list:
authorized_signer:
    rule3:
        root_alias: trustgroup1
Enable external signers in 
`config.d/realm.tpl/workflow/global/action/check_authorized_signer.yaml`:
      allow_external_signer: 1

This works fine for authorising TLS Client Certificates signed by the External 
Trusted Root CA, however this fails if the TLS Client Certificate is signed by 
an intermediate certificate.

The EST Client provides the TLS Client Certificate and the corresponding chain 
of trust, however only the client certificate is passed from Apache to 
OpenXPKI. The chain of intermediate certificates is not included in the 
request, meaning OpenXPKI cannot validate whether the client certificate is 
trusted, as it only knows about the Externally Trusted Root CA and the Client 
Certificate; it is missing the intermediate CAs to form the chain of trust.

Thanks,
James

On 21 Jan 2020, at 12:36, Oliver Welter <[email protected]> wrote:

Hi James,

I think you got that wrong - the identifier always refers to the special
signer certificate, so what you configured is to accept a TLS Auth using
the Root CA as TLS Client.

If you want to go this way you need to assign an alias to the root
certificate using "openxpkiadm alias" and put this as "root-alias" in
the rules. It might also be required to set realm = _any.

Oliver

On 21.01.20 at 11:53, James Gibson wrote:
Thanks for your responses.

I have added the hash of the Root CA for the Client Certificate to
est.default

   authorized_signer:
       rule1:
           # Manufacturer Root CA
           identifier: VKIBAbQtFyqCur1UvfPINV0lCY8


However I still get the same error
`I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED`, during the state
START_ONBEHALF
global_set_error_signer_not_authorized


Do I need to import the Root CA used to sign the TLS Client
certificate anywhere other than in /etc/ssl/certs and the identifier in
est.default?
Or what is the best way to log what hashes are being used to validate
the TLS client certificate inside OpenXPKI?

Apache is configured to pass the following parameters
SSLCACertificatePath /etc/ssl/certs/
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
# EST (RFC7030)
ScriptAlias /.well-known/est /usr/lib/cgi-bin/est.fcgi

label: Enrollment

authorized_signer:
    rule1:
        # Manufacturer Root CA
        identifier: VKIBAbQtFyqCur1UvfPINV0lCY8

renewal_period: 000060


policy:
    allow_man_authen: 1
    allow_anon_enroll: 0
    allow_man_approv: 1
    allow_eligibility_recheck: 1
    approval_points: 1
    max_active_certs: 1
    auto_revoke_existing_certs: 1
    allow_replace: 1
    export_certificate: chain

profile:
    cert_profile: tls_nmos
    cert_subject_style: enroll

eligible:
    initial:
        value: 1

    renewal:
        value: 1

    onbehalf:
        value: 1



On 21 Jan 2020, at 07:44, Oliver Welter <[email protected]> wrote:

On 20.01.20 at 16:34, James Gibson wrote:

Hi,

I am trying to configure OpenXPKI with EST to use the client
certificate for authorisation of the CSR to /simpleenroll, but keep
getting the following error
'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED'

Do you have any examples on how to configure this? Most of the examples
seem to use the 'identifier' keyword, but do not explain how to
create the identifier hash.

File est.default
rule3:
       identifier: <hash>

The client certificate is not signed by the same CA as OpenXPKI is
issuing for and the CN is not the same.
The client certificate has been added to /etc/ssl/certs so Apache can
authenticate the client certificate.
The client provides both the client certificate and intermediate
certificate, to form the chain of trust.


As Martin already said you can calculate the identifier of the
certificate and nail it to the authorization. There is also the option
to check on the subject using a regex and perform chain validation
internally (you need to import the intermediates in that case into OXI
or modify the code to pass through the chain certificate)

Have a look here
https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Server/Workflow/Activity/Tools/EvaluateSignerTrust.pm#L355

best regards

Oliver
--
Protect your environment -  close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
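As an added example (not from this thread or from OpenXPKI's own code), the script below computes the certificate identifier James asks about for the client certificate and for every SSL_CLIENT_CERT_CHAIN_n variable that mod_ssl exports with `SSLOptions +ExportCertData`, so an operator can see which identifier a rule would have to name and whether the intermediates reach the CGI environment at all. It assumes the OpenXPKI identifier is the unpadded base64url encoding of the SHA-1 digest of the DER certificate (check one value against what OpenXPKI shows for an imported certificate before relying on it), and the PEM blobs in the sample environment are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block into DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_identifier(der: bytes) -> str:
    """Assumed OpenXPKI identifier: base64url(SHA-1(DER)) with the '='
    padding stripped, i.e. the 27-character form used in the rules above."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode("ascii")


def chain_identifiers(env: dict) -> list:
    """Walk what mod_ssl exports with +ExportCertData: the client cert in
    SSL_CLIENT_CERT and the presented chain in SSL_CLIENT_CERT_CHAIN_0, _1, ...
    Returns (variable, identifier) pairs in the order Apache presents them."""
    found = []
    if env.get("SSL_CLIENT_CERT"):
        found.append(("SSL_CLIENT_CERT", cert_identifier(pem_to_der(env["SSL_CLIENT_CERT"]))))
    n = 0
    while f"SSL_CLIENT_CERT_CHAIN_{n}" in env:
        key = f"SSL_CLIENT_CERT_CHAIN_{n}"
        found.append((key, cert_identifier(pem_to_der(env[key]))))
        n += 1
    return found


def fake_pem(payload: bytes) -> str:
    """Constructed stand-in: PEM armour around arbitrary bytes, so the parse
    and hash path runs offline without a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed CGI environment, as est.fcgi would see it behind Apache.
SAMPLE_ENV = {
    "SSL_CLIENT_CERT": fake_pem(b"client"),
    "SSL_CLIENT_CERT_CHAIN_0": fake_pem(b"intermediate"),
    "SSL_CLIENT_CERT_CHAIN_1": fake_pem(b"root"),
}

if __name__ == "__main__":
    for var, ident in chain_identifiers(SAMPLE_ENV):
        print(f"{var}: {ident}")
```

Per Oliver's remark above, the identifier a rule needs is that of the signer certificate, so only the SSL_CLIENT_CERT value belongs under `identifier:`; the chain entries show what would have to be imported for internal chain validation.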








