I was hoping to figure out how to pass the profile name in the URL, or via a command line parameter.

I will use the conf file. I will need it for more complex stuff in the future anyway, right? :)

Thank you, Petr!!

From: "Petr Gotthard" <[email protected]>
To: "mail" <[email protected]>, "openxpki-users" <[email protected]>
Sent: Tuesday, August 4, 2020 2:49:44 AM
Subject: RE: Workflow selection and SCEP

Hi Perryn,

First of all, in the default config the name is not "tls_client", but "pc-client". Have a look at /etc/openxpki/.../scep/generic.yaml, "profile_map", which converts the 1.3.6.1.4.1.311.20.2 names to OpenXPKI profile names. The default looks like this:

    # Mapping of names to OpenXPKI profiles to be used with the
    # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
    profile_map:
      pc-client: tls_client

I use openssl with a config. The following works for me (some parts I skipped with "..."):

    oid_section = new_oids

    [ req ]
    ...
    distinguished_name = req_dn
    attributes = req_attributes
    req_extensions = req_ext

    [ new_oids ]
    certTemplateName = 1.3.6.1.4.1.311.20.2

    [ req_dn ]

    [ req_attributes ]

    [ req_ext ]
    ...
    certTemplateName = ASN1:UTF8String:pc-client

and then

    openssl req -new -config my.cnf -subj "..." -out my.csr

The oid_section must be at the top level, above [ req ].

Regards
Petr

From: Perryn Gordon <[email protected]>
Sent: Tuesday, August 4, 2020 4:30 AM
To: mail <[email protected]>
Cc: openxpki-users <[email protected]>
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP

CAUTION: This email originated from outside of the Advantech organization. Do not click any link or open any attachment unless you recognize the sender and know the content is 100% safe! If you are not sure this email is legitimate, please contact IT.Helpdesk immediately.

Here is one of the methods I have tried:

    [root@bf1c2596355e ~]# openssl req -new -keyout tmp/scep-test.key -out tmp/scep-test.csr -newkey rsa:2048 -nodes -subj "/CN=Perryn Gordon:tls_client" -addext "1.3.6.1.4.1.311.20.2=tls_client"
    Error Loading command line extensions
    139633151907648:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto/x509v3/v3_conf.c:78:
    139633151907648:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=1.3.6.1.4.1.311.20.2, value=tls_client

From: "mail" <[email protected]>
To: "mail" <[email protected]>, "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 7:54:36 PM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP

In regards to SCEP, I see references to different ways to set the profile for the request, but I am not able to implement any of them successfully. What is the correct way, or ways, to indicate a non-default profile? I am trying to get a tls_client in particular at the moment.

Thank you!!!
Perryn

From: "mail" <[email protected]>
To: "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 2:24:41 PM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP

Yes, thank you Oliver!! This fixed my issue as well.

Perryn

From: "Petr Gotthard" <[email protected]>
To: "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 4:09:21 AM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP

Solved! That was the issue. Thanks, Oliver!

Regards,
Petr

-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: Thursday, July 30, 2020 5:00 PM
To: [email protected]
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP

Hi Petr,

there was a migration bug in the config in 3.4 which is fixed in v3.6 - I assume this line starts with "ds_key" in your config, you need to change this to "hash_key":

https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L629

Oliver

On 30.07.20 at 13:46, Petr Gotthard wrote:
> Hi Oliver,
>
> There is nothing else between PARSED and PROFILE_SET. The flow starts
> like this:
>
>   INITIAL                              enroll_initialize                EXECUTE
>   INITIAL_ENROLL_INITIALIZE_0          global_map_url_params            AUTORUN
>   INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id        AUTORUN
>   INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes   AUTORUN
>   INITIAL_ENROLL_INITIALIZE_3          global_load_policy               AUTORUN
>   INITIAL_ENROLL_INITIALIZE_4          global_set_profile               AUTORUN
>   INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10              AUTORUN
>   PARSED                               global_noop                      AUTORUN
>   PROFILE_SET                          enroll_render_subject            AUTORUN
>   PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes   AUTORUN
>   READY_TO_PROCESS                     global_check_authorized_signer   AUTORUN
>   SIGNED_REQUEST                       enroll_set_mode_initial          AUTORUN
>   START_INITIAL                        enroll_calculate_hmac            AUTORUN
>
> The CSR (for this request) is this:
>
>   Certificate Request:
>       Data:
>           Version: 0 (0x0)
>           Subject:
>               commonName                = mujrouter:test
>               domainComponent           = Test Deployment
>               domainComponent           = OpenXPKI
>               domainComponent           = org
>           Subject Public Key Info:
>               Public Key Algorithm: rsaEncryption
>                   Public-Key: (2048 bit)
>                   Modulus:
>                       00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
>                       <snip>
>                       88:a1
>                   Exponent: 65537 (0x10001)
>           Attributes:
>           Requested Extensions:
>               X509v3 Basic Constraints: critical
>                   CA:FALSE
>               X509v3 Key Usage: critical
>                   Digital Signature, Key Encipherment
>               X509v3 Extended Key Usage: critical
>                   TLS Web Server Authentication
>               X509v3 Subject Alternative Name:
>                   DNS:zabbix.conel.cz
>               1.3.6.1.4.1.311.20.2:
>                   ..pc-client
>       Signature Algorithm: sha256WithRSAEncryption
>            59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
>            <snip>
>            75:1a:ca:9c
>
> I did notice two dots before the "pc-client" string above. That's the
> "ASN1:UTF8String" encoding -- 0x0C as the UTF8String type and then 0x09 as the
> length of the string:
>
>   SEQUENCE {
>     OBJECT IDENTIFIER enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
>     OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
>   }
>
> Is that the expected encoding, or am I doing something wrong? The examples
> across the internet are not very consistent.
>
> Regards,
> Petr
>
> -----Original Message-----
> From: Oliver Welter <[email protected]>
> Sent: Thursday, July 30, 2020 10:00 AM
> To: [email protected]
> Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
>
> Hi Petr,
>
> yes it should work this way - can you please check if your workflow
> history contains the step
>
>   PARSED
>   set_profile_from_extension
>   PROFILE_SET
>
> If not, what's the action used between those two states?
>
> Oliver
>
> On 29.07.20 at 18:38, Petr Gotthard wrote:
>> Hello,
>>
>> I am using OpenXPKI 3.4.0 and I want to issue both client and server
>> certificates via SCEP. I found in the docs that the
>> "1.3.6.1.4.1.311.20.2" extension can be used to select the
>> certificate template, so I tried.
>>
>> In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the
>> default configuration, which says:
>>
>>   profile:
>>     cert_profile: tls_server
>>     cert_subject_style: enroll
>>
>>   profile_map:
>>     pc-client: tls_client
>>
>> Now, when I issue an enrollment request via SCEP with this extension
>> I can see in the Workflow Context an entry "req_extensions" with
>> "certificateTemplateName, pc-client", so I guess the parameter was
>> encoded correctly. I thought that inclusion of "pc-client" would
>> select the "tls_client" from the profile map, but it seems to not work this
>> way.
>>
>> Am I doing something wrong, please?
>>
>> Petr Gotthard
>
> --
> Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
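As an added example, not code from the thread or from OpenXPKI: this Python block produces the exact bytes Petr saw in his CSR for the template name extension (the UTF8String TLV "0C 09 70 63 2D 63 6C 69 65 6E 74" for "pc-client", i.e. the "..pc-client" in the openssl dump), decodes such a value strictly the way a CA-side parser should, and resolves the decoded name through a generic.yaml-style profile_map. The fallback of an unmapped name to the default cert_profile is an assumption for illustration, not confirmed OpenXPKI behaviour.

```python
# Added example (not from the thread or OpenXPKI): encode/decode the value of
# the Microsoft Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2)
# as a DER UTF8String, which is what "ASN1:UTF8String:pc-client" in an openssl
# config produces, then map the name to an OpenXPKI profile.

TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"
UTF8STRING_TAG = 0x0C  # the first of the "two dots" in the openssl dump


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])  # e.g. 0x09 for "pc-client", the second "dot"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_template_name(name: str) -> bytes:
    """UTF8String TLV, e.g. 'pc-client' -> 0C 09 70 63 2D 63 6C 69 65 6E 74."""
    payload = name.encode("utf-8")
    return bytes([UTF8STRING_TAG]) + der_length(len(payload)) + payload


def decode_template_name(der: bytes) -> str:
    """Strict inverse: reject a wrong tag, non-minimal lengths, trailing bytes."""
    if len(der) < 2 or der[0] != UTF8STRING_TAG:
        raise ValueError("extension value is not a UTF8String")
    first, pos = der[1], 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        body = der[pos:pos + nbytes]
        if nbytes == 0 or nbytes > 4 or len(body) != nbytes or body[0] == 0:
            raise ValueError("bad long-form length")
        length = int.from_bytes(body, "big")
        if length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    payload = der[pos:pos + length]
    if len(payload) != length or len(der) != pos + length:
        raise ValueError("length does not match extension value")
    return payload.decode("utf-8")


def resolve_profile(template_name, profile_map: dict, default: str) -> str:
    """Assumption for illustration: profile_map wins, else the default cert_profile."""
    if not template_name:
        return default
    return profile_map.get(template_name, default)


if __name__ == "__main__":
    der = encode_template_name("pc-client")
    print(der.hex(" ").upper())  # constructed sample, matches the CSR dump
    print(resolve_profile(decode_template_name(der),
                          {"pc-client": "tls_client"}, "tls_server"))
```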
