Hi Enrique,
did you create a new CSR? The pickup works based on the csr/key hash so
if you reuse the same CSR/key the old workflow is picked up. You also
need to restart the server to activate the config changes.
Oliver
On 02.09.20 at 19:18, Cano Carballar, Enrique (GE Digital) wrote:
Oliver
Thank you, I appreciate your time helping me out with this.
I have this in democa/est/default.yaml:
label: Enrollment
authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:scepclient,.*
    rule2:
        # Full DN
        subject: CN=.+:pkiclient,.*
renewal_period: 000060
# You must set at least one of both options or remove the is_policy_loaded
# condition in the workflow definition
policy:
    allow_anon_enroll: 1
    approval_points: 0
    max_active_certs: 0
    allow_replace: 0
    export_certificate: chain
profile:
    cert_profile: tls_server
    cert_subject_style: enroll
eligible:
    initial:
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1
Still, when I do:
$ curl -k https://localhost:8443/.well-known/est/simpleenroll -s --data-binary @req.p10 -H "Content-Type: application/pkcs10"
I get:
Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
Am I missing anything?
Thanks again for your help
Enrique
On 02/09/2020, 08:21, "Oliver Welter" <[email protected]> wrote:
Hello Enrique,
that's intended behaviour - the default configuration expects an "on
behalf" request authenticated with a TLS signer certificate. Using Basic
Auth is not supported at the moment.
Please see this - very detailed - documentation of the enrollment
workflow and its configuration:
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html
There is also a section for a "sign all" testdrive configuration
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure
best regards
Oliver
On 01.09.20 at 16:12, Cano Carballar, Enrique (GE Digital) wrote:
> Hi!
>
>
>
> I’ve got openxpki running with docker-composer, pretty much following
> the instructions as described here:
> https://github.com/openxpki/openxpki-docker.
>
> I’m trying to use the EST protocol to sign a certificate request, and
> I’m using the following URL:
>
> curl -k -v https://localhost:8443/.well-known/est/simpleenroll -s -o
> cert.p7 --data-binary @req.p10 -H "Content-Type: application/pkcs10"
>
>
>
> But instead of the certificate, I’m getting this error message:
>
> $ cat cert.p7
>
> Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
>
>
>
> My questions are:
>
> 1. Do I need to create a user and send username and password using
> basic authentication?
> 2. Do I need to use a client certificate instead?
> 3. Can I accept anonymous requests for testing purposes?
>
>
>
> Many thanks in advance
>
>
>
> Enrique
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
--
Protect your environment - close windows and adopt a penguin!
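
Added example, not part of the original thread and not OpenXPKI's own code: a shell helper for the two points raised in the replies above, namely that each retry needs a new CSR/key and that the default configuration expects a request authenticated with a TLS signer certificate. The file names, the CN, and the signer.crt/signer.key pair are placeholders; the request body is written as base64 PKCS#10 as RFC 7030 specifies, and the fingerprint is only a local way to tell requests apart.

```sh
#!/bin/sh
# Added example. File names, the CN and the signer.crt/signer.key pair are
# placeholders; the fingerprint is a local check, not OpenXPKI's own hash.

# new_request DIR CN: create a fresh RSA key and PKCS#10 request in DIR.
# req.der is the raw request, req.p10 its base64 form for the EST POST body.
new_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/req.key" -subj "/CN=$2" \
        -outform DER -out "$1/req.der" 2>/dev/null || return 1
    openssl base64 -in "$1/req.der" -out "$1/req.p10"
}

# pubkey_fp DER_FILE: print the SHA-256 of the public key in the request.
pubkey_fp() {
    pub=$(openssl req -in "$1" -inform DER -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# is_fresh DER_FILE SEEN_FILE: return 0 and record the fingerprint if this key
# has not been submitted before, 1 if it is reused, 2 if the file is unreadable.
is_fresh() {
    fp=$(pubkey_fp "$1") || return 2
    if [ -f "$2" ] && grep -qx "$fp" "$2"; then
        return 1
    fi
    echo "$fp" >> "$2"
}

# est_enroll URL P10 SIGNER_CRT SIGNER_KEY OUT: the POST from the thread, plus
# a TLS client certificate. -k is kept from the thread (local test instance).
est_enroll() {
    curl -k -s -o "$5" --cert "$3" --key "$4" \
        -H "Content-Type: application/pkcs10" \
        --data-binary @"$2" "$1"
}

# Usage (not run here):
#   mkdir try2 && new_request try2 host1.example.test
#   is_fresh try2/req.der seen.txt && est_enroll \
#       https://localhost:8443/.well-known/est/simpleenroll \
#       try2/req.p10 signer.crt signer.key cert.p7
```

The signer certificate passed to est_enroll has to carry a subject that matches one of the authorized_signer rules in est/default.yaml.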