Hi Petr,

there was a migration bug in the config in 3.4 which is fixed in v3.6. I assume this line starts with "ds_key" in your config; you need to change this to "hash_key":

https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L629

Oliver

On 30.07.20 at 13:46, Petr Gotthard wrote:
Hi Oliver,
There is nothing else between PARSED and PROFILE_SET. The flow starts
like this:

INITIAL                              enroll_initialize                 EXECUTE
INITIAL_ENROLL_INITIALIZE_0          global_map_url_params             AUTORUN
INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id         AUTORUN
INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes    AUTORUN
INITIAL_ENROLL_INITIALIZE_3          global_load_policy                AUTORUN
INITIAL_ENROLL_INITIALIZE_4          global_set_profile                AUTORUN
INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10               AUTORUN
PARSED                               global_noop                       AUTORUN
PROFILE_SET                          enroll_render_subject             AUTORUN
PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes    AUTORUN
READY_TO_PROCESS                     global_check_authorized_signer    AUTORUN
SIGNED_REQUEST                       enroll_set_mode_initial           AUTORUN
START_INITIAL                        enroll_calculate_hmac             AUTORUN


The CSR (for this request) is this:

     Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject:
             commonName                = mujrouter:test
             domainComponent           = Test Deployment
             domainComponent           = OpenXPKI
             domainComponent           = org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
<snip>
                     88:a1
                 Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment
             X509v3 Extended Key Usage: critical
                 TLS Web Server Authentication
             X509v3 Subject Alternative Name:
                 DNS:zabbix.conel.cz
             1.3.6.1.4.1.311.20.2:
                 ..pc-client
     Signature Algorithm: sha256WithRSAEncryption
          59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
<snip>
          75:1a:ca:9c

I did notice two dots before the "pc-client" string above. That's the
"ASN1:UTF8String" encoding: 0x0C as the UTF8String type and then 0x09 as the length of
the string:

              SEQUENCE {
                OBJECT IDENTIFIER
                  enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
                OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
              }

Is that the expected encoding, or am I doing something wrong? The examples
across the internet are not very consistent.


Regards,
Petr

-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, July 30, 2020 10:00 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP


Hi Petr,

yes it should work this way - can you please check if your workflow
history contains the step

PARSED > set_profile_from_extension > PROFILE_SET

If not, what's the action used between those two states?


Oliver

On 29.07.20 at 18:38, Petr Gotthard wrote:
Hello,

I am using OpenXPKI 3.4.0 and I want to issue both client and server
certificates via SCEP. I found in the docs that the
"1.3.6.1.4.1.311.20.2" extension can be used to select the certificate
template, so I tried.

In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the default
configuration, which says:

profile:
    cert_profile: tls_server
    cert_subject_style: enroll

profile_map:
    pc-client: tls_client

Now, when I issue an enrollment request via SCEP with this extension I
can see in the Workflow Context an entry "req_extensions" with
"certificateTemplateName, pc-client", so I guess the parameter was
encoded correctly. I thought that inclusion of "pc-client" will select
the "tls_client" from the profile map, but it seems to not work this way.

Am I doing something wrong, please?

Petr Gotthard

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!





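As an added example (not OpenXPKI's code and not from the thread), here is a small Python decoder for the OCTET STRING content Petr pasted: it checks the DER string tag and length byte, decodes the template name, and then applies the profile_map lookup from generic.yaml with cert_profile as the fallback. It also accepts PrintableString, IA5String and BMPString encodings, which goes beyond the UTF8String case shown in the thread; the function names and the dict layout are my own.

```python
"""Decode a certificateTemplateName (1.3.6.1.4.1.311.20.2) request
extension value and pick an OpenXPKI profile from a profile_map.

Constructed example, not OpenXPKI code. EXTENSION_VALUE is the OCTET
STRING content from the ASN.1 dump in the thread: 0C 09 "pc-client".
"""

# DER universal tags for the string types a template name may use.
STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x16: ("IA5String", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}


def decode_template_name(der: bytes) -> tuple:
    """Return (asn1_type, name) for a DER-encoded string, else raise ValueError.

    Only short-form lengths (< 128) are accepted; that is all a template
    name needs, and anything else is rejected rather than guessed. A raw
    name with no string tag (e.g. b"pc-client") fails the tag check.
    """
    if len(der) < 2:
        raise ValueError("extension value too short to be a DER string")
    tag, length = der[0], der[1]
    if tag not in STRING_TAGS:
        raise ValueError(f"tag 0x{tag:02X} is not a DER string type")
    if length >= 0x80:
        raise ValueError("long-form length not expected for a template name")
    if len(der) != 2 + length:
        raise ValueError(f"length byte says {length}, got {len(der) - 2} bytes")
    asn1_type, codec = STRING_TAGS[tag]
    return asn1_type, der[2:].decode(codec)


def select_profile(template_name: str, profile_map: dict, default: str) -> str:
    """Map the template name through profile_map; unknown names keep the default."""
    return profile_map.get(template_name, default)


# Constructed input: the OCTET STRING content shown in the thread.
EXTENSION_VALUE = bytes.fromhex("0C 09 70 63 2D 63 6C 69 65 6E 74")
# The generic.yaml profile block from the thread, as a Python dict (hypothetical layout).
SCEP_PROFILE = {"cert_profile": "tls_server", "cert_subject_style": "enroll",
                "profile_map": {"pc-client": "tls_client"}}

if __name__ == "__main__":
    asn1_type, name = decode_template_name(EXTENSION_VALUE)
    print(asn1_type, name)  # UTF8String pc-client
    print(select_profile(name, SCEP_PROFILE["profile_map"], SCEP_PROFILE["cert_profile"]))
```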