Hi Oliver,
There is nothing else between PARSED and PROFILE_SET. The flow starts
like this:
INITIAL enroll_initialize EXECUTE
INITIAL_ENROLL_INITIALIZE_0 global_map_url_params AUTORUN
INITIAL_ENROLL_INITIALIZE_1 enroll_set_transaction_id AUTORUN
INITIAL_ENROLL_INITIALIZE_2 enroll_set_workflow_attributes AUTORUN
INITIAL_ENROLL_INITIALIZE_3 global_load_policy AUTORUN
INITIAL_ENROLL_INITIALIZE_4 global_set_profile AUTORUN
INITIAL_ENROLL_INITIALIZE_5 enroll_parse_pkcs10 AUTORUN
PARSED global_noop AUTORUN
PROFILE_SET enroll_render_subject AUTORUN
PROFILE_SET_ENROLL_RENDER_SUBJECT_0 enroll_set_workflow_attributes AUTORUN
READY_TO_PROCESS global_check_authorized_signer AUTORUN
SIGNED_REQUEST enroll_set_mode_initial AUTORUN
START_INITIAL enroll_calculate_hmac AUTORUN
The CSR (for this request) is this:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject:
            commonName = mujrouter:test
            domainComponent = Test Deployment
            domainComponent = OpenXPKI
            domainComponent = org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
                    <snip>
                    88:a1
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:zabbix.conel.cz
            1.3.6.1.4.1.311.20.2:
                ..pc-client
    Signature Algorithm: sha256WithRSAEncryption
         59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
         <snip>
         75:1a:ca:9c
I did notice two dots before the "pc-client" string above. That's the
"ASN1:UTF8String" encoding-- 0x0C as the UTF8String type and then 0x09 as the
length of the string:
SEQUENCE {
  OBJECT IDENTIFIER
    enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
  OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
  }
Is that the expected encoding, or am I doing something wrong? The examples
across internet are not very consistent.
Regards,
Petr
-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, July 30, 2020 10:00 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
Hi Petr,
yes it should work this way - can you please check if your workflow
history contains the step
PARSED > set_profile_from_extension > PROFILE_SET
If not, what's the action used between those two states?
Oliver
Am 29.07.20 um 18:38 schrieb Petr Gotthard:
> Hello,
>
> I am using OpenXPKI 3.4.0 and I want to issue both client and server
> certificates via SCEP. I found in the docs that the
> "1.3.6.1.4.1.311.20.2" extension can be used to select the certificate
> template, so I tried.
>
> In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the default
> configuration, which says:
>
> profile:
>     cert_profile: tls_server
>     cert_subject_style: enroll
>
> profile_map:
>     pc-client: tls_client
>
> Now, when I issue an enrollment request via SCEP with this extension I
> can see in the Workflow Context an entry "req_extensions" with
> "certificateTemplateName, pc-client", so I guess the parameter was
> encoded correctly. I thought that inclusion of "pc-client" will select
> the "tls_client" from the profile map, but it seems to not work this way.
>
> Am I doing something wrong, please?
>
> Petr Gotthard
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
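
Added example (not part of the thread and not OpenXPKI code): a strict decoder for the string inside the 1.3.6.1.4.1.311.20.2 extension value discussed above, followed by a lookup that mirrors the quoted profile_map. It accepts the UTF8String form from the mail and also BMPString, the type Microsoft's definition of this extension uses; the function names and the fallback-to-default behaviour are assumptions for illustration.

```python
# Tag -> codec for the string types accepted inside the extension value.
STRING_TAGS = {
    0x0C: "utf-8",      # UTF8String (the encoding shown in the mail)
    0x1E: "utf-16-be",  # BMPString
    0x13: "ascii",      # PrintableString
    0x16: "ascii",      # IA5String
}

def read_der_length(data, pos):
    """Return (length, next_pos) for the DER length field starting at pos."""
    if pos >= len(data):
        raise ValueError("truncated: no length octet")
    first = data[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("bad or truncated long-form length")
    length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal length is not valid DER")
    return length, pos + 1 + n

def decode_template_name(extn_value):
    """Decode the single string TLV carried in the extension's OCTET STRING."""
    if not extn_value or extn_value[0] not in STRING_TAGS:
        raise ValueError("unexpected ASN.1 tag for template name")
    length, start = read_der_length(extn_value, 1)
    if start + length != len(extn_value):
        raise ValueError("length does not match content (truncated or trailing data)")
    # Strict decoding: invalid bytes raise UnicodeDecodeError (a ValueError).
    return extn_value[start:].decode(STRING_TAGS[extn_value[0]])

def select_profile(extn_value, profile_map, default):
    """Map the template name to a profile; unknown names fall back to default."""
    return profile_map.get(decode_template_name(extn_value), default)

# Values from the quoted generic.yaml.
PROFILE_MAP = {"pc-client": "tls_client"}
DEFAULT_PROFILE = "tls_server"

# Bytes from the ASN.1 dump in the mail (UTF8String, length 9).
PAGE_VALUE = bytes.fromhex("0C0970632D636C69656E74")
# Constructed sample: the same name as a BMPString (18 content octets).
BMP_VALUE = b"\x1e\x12" + "pc-client".encode("utf-16-be")

if __name__ == "__main__":
    for value in (PAGE_VALUE, BMP_VALUE):
        print(value.hex(), "->", select_profile(value, PROFILE_MAP, DEFAULT_PROFILE))
```

Malformed values raise ValueError rather than silently selecting the default profile, so a request with a damaged extension is not issued under a profile the client did not ask for.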