Awesome!! 

Thank-you! 


From: "Oliver Welter" <[email protected]> 
To: "openxpki-users" <[email protected]> 
Sent: Wednesday, August 5, 2020 1:43:13 AM 
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP 

Hi Perryn, 

SCEP per se does not support URL parameters; however, the OpenXPKI
implementation does, and this was also added to sscep some time ago ;)

If you append a param "profile=..." to the SCEP URI, it will end up
prefixed with the word "url_" in the workflow context, and the workflow
will pick this up and match it against the map in the same way as with
the certTemplate extension.

Second option - define a second endpoint and change the default profile. 

Oli 

On 05.08.20 at 09:01, Perryn Gordon wrote:
> I was hoping to figure out how to pass the profile name in the url, or 
> via command line parameter. 
> 
> I will use the conf file. I will need it for more complex stuff in the 
> future anyways, right? :) 
> 
> Thank-you Petr !! 
> 
> ------------------------------------------------------------------------ 
> *From: *"Petr Gotthard" <[email protected]> 
> *To: *"mail" <[email protected]>, "openxpki-users" 
> <[email protected]> 
> *Sent: *Tuesday, August 4, 2020 2:49:44 AM 
> *Subject: *RE: Workflow selection and SCEP 
> 
> Hi Perryn,
>
> First of all, in the default config the name is not „tls_client“, but
> „pc-client“. Have a look at /etc/openxpki/.../scep/generic.yaml,
> „profile_map“, which converts the 1.3.6.1.4.1.311.20.2 names to OpenXPKI
> profile names. The default looks like this:
>
> # Mapping of names to OpenXPKI profiles to be used with the
> # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
> profile_map:
>     pc-client: tls_client
>
> I use openssl with a config. The following works for me (some parts I
> skipped with „...“):
>
> oid_section = new_oids
>
> [ req ]
> ...
> distinguished_name = req_dn
> attributes = req_attributes
> req_extensions = req_ext
>
> [ new_oids ]
> certTemplateName = 1.3.6.1.4.1.311.20.2
>
> [ req_dn ]
>
> [ req_attributes ]
>
> [ req_ext ]
> ...
> certTemplateName = ASN1:UTF8String:pc-client
>
> and then
>
> openssl req -new -config my.cnf -subj "..." -out my.csr
>
> The oid_section must be on the top-level, above [ req ].
>
> Regards 
> 
> Petr 
> 
> 
> 
> *From:*Perryn Gordon [mailto:[email protected]] 
> *Sent:* Tuesday, August 4, 2020 4:30 AM 
> *To:* mail <[email protected]> 
> *Cc:* openxpki-users <[email protected]> 
> *Subject:* Re: [OpenXPKI-users] Workflow selection and SCEP 
>
> *_CAUTION:_* This email originated from outside of the Advantech
> organization. *_Do not click any link or open any attachment_* unless
> you recognize the sender and know the content is 100% safe! If you are
> not sure this email is legitimate, please contact IT.Helpdesk immediately.
>
> Here is one of the methods I have tried:
>
> [root@bf1c2596355e ~]# openssl req -new -keyout tmp/scep-test.key -out
> tmp/scep-test.csr -newkey rsa:2048 -nodes -subj "/CN=Perryn
> Gordon:tls_client" -addext "1.3.6.1.4.1.311.20.2=tls_client"
> Error Loading command line extensions
> 139633151907648:error:22097082:X509 V3 routines:do_ext_nconf:unknown
> extension name:crypto/x509v3/v3_conf.c:78:
> 139633151907648:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error
> in extension:crypto/x509v3/v3_conf.c:47:name=1.3.6.1.4.1.311.20.2,
> value=tls_client
>
> ------------------------------------------------------------------------ 
> 
> *From: *"mail" <[email protected] <mailto:[email protected]>> 
> *To: *"mail" <[email protected] <mailto:[email protected]>>, 
> "openxpki-users" <[email protected] 
> <mailto:[email protected]>> 
> *Sent: *Monday, August 3, 2020 7:54:36 PM 
> *Subject: *Re: [OpenXPKI-users] Workflow selection and SCEP 
>
> In regards to SCEP,
>
> I see references to different ways to set the profile for the request,
> but I am not able to implement any of them successfully.
>
> What is the correct way, or ways, to indicate a non-default profile? I
> am trying to get a tls_client in particular at the moment.
>
> Thank-you!!!
>
> Perryn
>
> ------------------------------------------------------------------------ 
> 
> *From: *"mail" <[email protected] <mailto:[email protected]>> 
> *To: *"openxpki-users" <[email protected] 
> <mailto:[email protected]>> 
> *Sent: *Monday, August 3, 2020 2:24:41 PM 
> *Subject: *Re: [OpenXPKI-users] Workflow selection and SCEP 
> 
> 
> 
> Yes, thank-you Oliver!! 
> 
> This fixed my issue as well. 
> 
> Perryn 
> 
> ------------------------------------------------------------------------ 
> 
> *From: *"Petr Gotthard" <[email protected] 
> <mailto:[email protected]>> 
> *To: *"openxpki-users" <[email protected] 
> <mailto:[email protected]>> 
> *Sent: *Monday, August 3, 2020 4:09:21 AM 
> *Subject: *Re: [OpenXPKI-users] Workflow selection and SCEP 
> 
> 
> 
> Solved! That was the issue. 
> Thanks, Oliver! 
> 
> Regards, 
> Petr 
> 
> -----Original Message----- 
> From: Oliver Welter [mailto:[email protected]] 
> Sent: Thursday, July 30, 2020 5:00 PM 
> To: [email protected] 
> <mailto:[email protected]> 
> Subject: Re: [OpenXPKI-users] Workflow selection and SCEP 
> 
> 
> Hi Petr, 
> 
> there was a migration bug in the config in 3.4 which is fixed in v3.6 - 
> I assume this line starts with "ds_key" in your config, you need to 
> change this to "hash_key": 
> 
> https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L629
>  
> 
> Oliver 
> 
> On 30.07.20 at 13:46, Petr Gotthard wrote:
>> Hi Oliver,
>> There is nothing else between PARSED and PROFILE_SET. The flow starts
>> like this:
>>
>> INITIAL enroll_initialize EXECUTE
>> INITIAL_ENROLL_INITIALIZE_0 global_map_url_params AUTORUN
>> INITIAL_ENROLL_INITIALIZE_1 enroll_set_transaction_id AUTORUN
>> INITIAL_ENROLL_INITIALIZE_2 enroll_set_workflow_attributes AUTORUN
>> INITIAL_ENROLL_INITIALIZE_3 global_load_policy AUTORUN
>> INITIAL_ENROLL_INITIALIZE_4 global_set_profile AUTORUN
>> INITIAL_ENROLL_INITIALIZE_5 enroll_parse_pkcs10 AUTORUN
>> PARSED global_noop AUTORUN
>> PROFILE_SET enroll_render_subject AUTORUN
>> PROFILE_SET_ENROLL_RENDER_SUBJECT_0 enroll_set_workflow_attributes AUTORUN
>> READY_TO_PROCESS global_check_authorized_signer AUTORUN
>> SIGNED_REQUEST enroll_set_mode_initial AUTORUN
>> START_INITIAL enroll_calculate_hmac AUTORUN
>>
>> 
>> The CSR (for this request) is this: 
>> 
>> Certificate Request:
>>     Data:
>>         Version: 0 (0x0)
>>         Subject:
>>             commonName = mujrouter:test
>>             domainComponent = Test Deployment
>>             domainComponent = OpenXPKI
>>             domainComponent = org
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>>                 Modulus:
>>                     00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
>>                     <snip>
>>                     88:a1
>>                 Exponent: 65537 (0x10001)
>>         Attributes:
>>         Requested Extensions:
>>             X509v3 Basic Constraints: critical
>>                 CA:FALSE
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Key Encipherment
>>             X509v3 Extended Key Usage: critical
>>                 TLS Web Server Authentication
>>             X509v3 Subject Alternative Name:
>>                 DNS:zabbix.conel.cz
>>             1.3.6.1.4.1.311.20.2:
>>                 ..pc-client
>>     Signature Algorithm: sha256WithRSAEncryption
>>          59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
>>          <snip>
>>          75:1a:ca:9c
>> 
>> I did notice two dots before the "pc-client" string above. That's the
>> "ASN1:UTF8String" encoding: 0x0C as the UTF8String type and then 0x09 as
>> the length of the string:
>>
>> SEQUENCE {
>>   OBJECT IDENTIFIER
>>     enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
>>   OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
>> }
>>
>> Is that the expected encoding, or am I doing something wrong? The examples
>> across the internet are not very consistent.
>> 
>> 
>> Regards, 
>> Petr 
>> 
>> -----Original Message----- 
>> From: Oliver Welter [mailto:[email protected]] 
>> Sent: Thursday, July 30, 2020 10:00 AM 
>> To: [email protected] 
>> Subject: Re: [OpenXPKI-users] Workflow selection and SCEP 
>> 
>> 
>> Hi Petr, 
>> 
>> yes it should work this way - can you please check if your workflow 
>> history contains the step 
>> 
>> PARSED > set_profile_from_extension > PROFILE_SET 
>> 
>> If not, what's the action used between those two states?
>> 
>> 
>> Oliver 
>> 
>> On 29.07.20 at 18:38, Petr Gotthard wrote:
>>> Hello, 
>>> 
>>> I am using OpenXPKI 3.4.0 and I want to issue both client and server 
>>> certificates via SCEP. I found in the docs that the 
>>> "1.3.6.1.4.1.311.20.2" extension can be used to select the 
>>> certificate template, so I tried. 
>>>
>>> In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the
>>> default configuration, which says:
>>>
>>> profile:
>>>     cert_profile: tls_server
>>>     cert_subject_style: enroll
>>>
>>> profile_map:
>>>     pc-client: tls_client
>>>
>>> Now, when I issue an enrollment request via SCEP with this extension
>>> I can see in the Workflow Context an entry "req_extensions" with
>>> "certificateTemplateName, pc-client", so I guess the parameter was
>>> encoded correctly. I thought that inclusion of "pc-client" would
>>> select the "tls_client" from the profile map, but it seems not to work this
>>> way.
>>>
>>> Am I doing something wrong, please?
>>>
>>> Petr Gotthard
>>>
>>> _______________________________________________ 
>>> OpenXPKI-users mailing list 
>>> [email protected] 
> <mailto:[email protected]> 
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
>>> 
>> 
>> 
>> -- 
>> Protect your environment - close windows and adopt a penguin! 
> 
> 
> -- 
> Protect your environment - close windows and adopt a penguin! 


-- 
Protect your environment - close windows and adopt a penguin! 
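The thread turns on how a template name reaches the SCEP workflow and becomes a profile: either as a "url_" context key produced from a URL parameter, or from the 1.3.6.1.4.1.311.20.2 extension whose DER UTF8String encoding Petr examined (the 0C 09 prefix in front of "pc-client"). The following is an added example, not OpenXPKI's or OpenSSL's code: it DER-encodes and strictly decodes that extension value, mirrors the "url_" prefixing of URL parameters, and resolves the profile through a constructed profile_map like the one quoted above. The function names, the precedence order (URL parameter before extension) and the fallback to cert_profile for unknown names are assumptions, not documented OpenXPKI behaviour.

```python
"""Profile resolution for an OpenXPKI SCEP endpoint, modelled from the thread.

Added example (not OpenXPKI code). It assumes the three inputs the thread
names: a "profile=..." URL parameter (stored as "url_profile" in the workflow
context), the Microsoft certificate template name extension
1.3.6.1.4.1.311.20.2 carried in the CSR as a DER UTF8String, and the
endpoint's default cert_profile. The precedence (URL parameter, then
extension, then default) and the fallback to the default for unknown names
are assumptions.
"""
import re

CERT_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"

# Constructed config mirroring the generic.yaml fragment quoted in the thread.
SCEP_CONFIG = {
    "profile": {"cert_profile": "tls_server", "cert_subject_style": "enroll"},
    "profile_map": {"pc-client": "tls_client"},
}

# Template names are only used as dictionary keys, but tighten what we accept
# before a client-supplied string reaches logs or error messages.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_utf8string(text: str) -> bytes:
    """DER UTF8String: tag 0x0C, length, UTF-8 body.

    For "pc-client" this yields the 0C 09 prefix Petr saw as two dots."""
    body = text.encode("utf-8")
    return b"\x0c" + der_length(len(body)) + body


def decode_utf8string(der: bytes) -> str:
    """Strict inverse of encode_utf8string: rejects other string tags (e.g. 0x13
    PrintableString), non-minimal lengths, short values and trailing bytes."""
    if len(der) < 2:
        raise ValueError("extension value too short for a DER string")
    if der[0] != 0x0C:
        raise ValueError(f"expected UTF8String tag 0x0C, got 0x{der[0]:02X}")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(der[2:2 + count], "big")
        if length < 0x80:
            raise ValueError("non-minimal DER length")
        offset = 2 + count
    body = der[offset:offset + length]
    if len(body) != length or offset + length != len(der):
        raise ValueError("DER length does not match extension value")
    return body.decode("utf-8")


def map_url_params(params: dict) -> dict:
    """Model of global_map_url_params: each URL parameter lands in the workflow
    context with a "url_" prefix, so profile=pc-client becomes url_profile."""
    return {"url_" + key: value for key, value in params.items()}


def lookup_template(name: str, profile_map: dict):
    """Map a template name to a profile via profile_map; None when unknown."""
    if not TEMPLATE_NAME_RE.match(name):
        raise ValueError(f"refusing malformed template name {name!r}")
    return profile_map.get(name)


def resolve_profile(context: dict, config: dict = SCEP_CONFIG):
    """Return (profile, source) for a workflow context.

    source is "url", "extension" or "default" so the caller can log where the
    profile came from. Unknown names fall through to the default (assumption)."""
    profile_map = config["profile_map"]
    if "url_profile" in context:
        hit = lookup_template(context["url_profile"], profile_map)
        if hit is not None:
            return hit, "url"
    ext = context.get("req_extensions", {}).get(CERT_TEMPLATE_NAME_OID)
    if ext is not None:
        hit = lookup_template(decode_utf8string(ext), profile_map)
        if hit is not None:
            return hit, "extension"
    return config["profile"]["cert_profile"], "default"


if __name__ == "__main__":
    # Constructed walk-through: a CSR carrying the extension, then a URL parameter.
    csr_ext = encode_utf8string("pc-client")
    print(csr_ext.hex())  # 0c09 followed by the UTF-8 bytes of "pc-client"
    print(resolve_profile({"req_extensions": {CERT_TEMPLATE_NAME_OID: csr_ext}}))
    print(resolve_profile(map_url_params({"profile": "pc-client"})))
    print(resolve_profile({}))
```

The strict decoder is the part worth keeping: it answers Petr's question about the expected encoding by accepting exactly the UTF8String form OpenSSL's `ASN1:UTF8String:` produces, and it refuses a PrintableString or a value with trailing bytes instead of silently mapping it, so a mis-encoded request falls back to the default profile with a logged reason rather than landing on an unintended one.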


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users