Solved! That was the issue.
Thanks, Oliver!

Regards,
Petr

-----Original Message-----
From: Oliver Welter [mailto:[email protected]] 
Sent: Thursday, July 30, 2020 5:00 PM
To: [email protected]
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP



Hi Petr,

there was a migration bug in the config in 3.4 which is fixed in v3.6 - I 
assume this line starts with "ds_key" in your config, you need to change this 
to "hash_key":

https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L629

Oliver

Am 30.07.20 um 13:46 schrieb Petr Gotthard:
> Hi Oliver,
> There is nothing else between PARSED and PROFILE_SET. The flow starts 
> like this:
>
> INITIAL                              enroll_initialize               EXECUTE
> INITIAL_ENROLL_INITIALIZE_0          global_map_url_params           AUTORUN
> INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id       AUTORUN
> INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes  AUTORUN
> INITIAL_ENROLL_INITIALIZE_3          global_load_policy              AUTORUN
> INITIAL_ENROLL_INITIALIZE_4          global_set_profile              AUTORUN
> INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10             AUTORUN
> PARSED                               global_noop                     AUTORUN
> PROFILE_SET                          enroll_render_subject           AUTORUN
> PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes  AUTORUN
> READY_TO_PROCESS                     global_check_authorized_signer  AUTORUN
> SIGNED_REQUEST                       enroll_set_mode_initial         AUTORUN
> START_INITIAL                        enroll_calculate_hmac           AUTORUN
>
>
> The CSR (for this request) is this:
>
>      Certificate Request:
>      Data:
>          Version: 0 (0x0)
>          Subject:
>              commonName                = mujrouter:test
>              domainComponent           = Test Deployment
>              domainComponent           = OpenXPKI
>              domainComponent           = org
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
>                  Public-Key: (2048 bit)
>                  Modulus:
>                      00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
> <snip>
>                      88:a1
>                  Exponent: 65537 (0x10001)
>          Attributes:
>          Requested Extensions:
>              X509v3 Basic Constraints: critical
>                  CA:FALSE
>              X509v3 Key Usage: critical
>                  Digital Signature, Key Encipherment
>              X509v3 Extended Key Usage: critical
>                  TLS Web Server Authentication
>              X509v3 Subject Alternative Name:
>                  DNS:zabbix.conel.cz
>              1.3.6.1.4.1.311.20.2:
>                  ..pc-client
>      Signature Algorithm: sha256WithRSAEncryption
>           59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
> <snip>
>           75:1a:ca:9c
>
> I did notice two dots before the "pc-client" string above. That's the 
> "ASN1:UTF8String" encoding: 0x0C as the UTF8String type and then 0x09 as the 
> length of the string:
>
>               SEQUENCE {
>                 OBJECT IDENTIFIER
>                   enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
>                 OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
>                }
>
> Is that the expected encoding, or am I doing something wrong? The examples 
> across the internet are not very consistent.
>
>
> Regards,
> Petr
>
> -----Original Message-----
> From: Oliver Welter [mailto:[email protected]]
> Sent: Thursday, July 30, 2020 10:00 AM
> To: [email protected]
> Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
>
>
> Hi Petr,
>
> yes it should work this way - can you please check if your workflow 
> history contains the step
>
> PARSED > set_profile_from_extension > PROFILE_SET
>
> If not, what's the action used between those two states?
>
>
> Oliver
>
> Am 29.07.20 um 18:38 schrieb Petr Gotthard:
>> Hello,
>>
>> I am using OpenXPKI 3.4.0 and I want to issue both client and server 
>> certificates via SCEP. I found in the docs that the 
>> "1.3.6.1.4.1.311.20.2" extension can be used to select the 
>> certificate template, so I tried.
>>
>> In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the 
>> default configuration, which says:
>>
>> profile:
>>   cert_profile: tls_server
>>   cert_subject_style: enroll
>>
>> profile_map:
>>   pc-client: tls_client
>>
>>
>> Now, when I issue an enrollment request via SCEP with this extension 
>> I can see in the Workflow Context an entry "req_extensions" with 
>> "certificateTemplateName, pc-client", so I guess the parameter was 
>> encoded correctly. I thought that inclusion of "pc-client" will 
>> select the "tls_client" from the profile map, but it seems to not work this 
>> way.
>>
>> Am I doing something wrong, please?
>>
>> Petr Gotthard
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>
>
> --
> Protect your environment -  close windows and adopt a penguin!


--
Protect your environment -  close windows and adopt a penguin!
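As an added example, not code from the thread or from OpenXPKI: the Python below DER-encodes and decodes the certificateTemplateName extension value exactly as it appears in Petr's CSR dump (0C 09 "pc-client"), rejecting other string tags and bad lengths, and then applies a profile_map lookup modelled on the quoted scep/generic.yaml, falling back to cert_profile when the name is absent or unmapped. SCEP_CONFIG and the function names are assumptions of this example.

```python
# Added example, not OpenXPKI code: DER-encode/decode the Microsoft
# certificateTemplateName extension (1.3.6.1.4.1.311.20.2) as seen in the
# CSR above, then apply a profile_map like the quoted scep/generic.yaml.
# Standard library only; SCEP_CONFIG and the function names are assumed.

TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # enrollCerttypeExtension
UTF8STRING_TAG = 0x0C

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_template_name(name: str) -> bytes:
    """Build the extnValue contents: UTF8String(name), e.g. 0C 09 'pc-client'."""
    payload = name.encode("utf-8")
    return bytes([UTF8STRING_TAG]) + der_len(len(payload)) + payload

def decode_template_name(blob: bytes) -> str:
    """Parse a DER UTF8String strictly; any other tag or sloppy length fails."""
    if len(blob) < 2 or blob[0] != UTF8STRING_TAG:
        raise ValueError("certificateTemplateName must be an ASN.1 UTF8String")
    first = blob[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    if start + length != len(blob):
        raise ValueError("trailing or missing bytes in extension value")
    return blob[start:].decode("utf-8")

# Constructed mirror of the scep/generic.yaml snippet quoted in the thread.
SCEP_CONFIG = {
    "profile": {"cert_profile": "tls_server", "cert_subject_style": "enroll"},
    "profile_map": {"pc-client": "tls_client"},
}

def select_profile(req_extensions: dict, config: dict = SCEP_CONFIG) -> str:
    """profile_map hit on the template name wins, else the default cert_profile."""
    raw = req_extensions.get(TEMPLATE_NAME_OID)
    if raw is None:
        return config["profile"]["cert_profile"]
    return config["profile_map"].get(decode_template_name(raw),
                                     config["profile"]["cert_profile"])
```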
