Hi Enrique, glad to hear you got it working ;)

There is no standard use case - have a look at the workflow, it offers a multitude of options to do authentication and authorization of requests. How you can and want to handle this highly depends on your needs and environment and is not primarily a technical issue. If you can not judge on your own, we are happy to offer our expertise ;)

best regards

Oliver

On 03.09.20 at 00:05, Cano Carballar, Enrique (GE Digital) wrote:
> Hi Oliver
>
> With a new CSR it worked, thanks for your help!
> This is good for a test drive, what does the production use case look like?
> Would you normally have a client certificate issued by the same PKI to
> request the signing of the CSR?
>
> Many thanks
>
> Enrique
>
> On 02/09/2020, 22:37, "Cano Carballar, Enrique (GE Digital)" <[email protected]> wrote:
>
> Hi Oliver
>
> Appreciate your prompt reply. No, I reused the same CSR, will try a brand
> new one and see how it goes. Yes, I restarted the server.
>
> Many thanks for your help
>
> Enrique
>
> On 02/09/2020, 19:48, "Oliver Welter" <[email protected]> wrote:
>
> Hi Enrique,
>
> did you create a new CSR? The pickup works based on the csr/key hash so
> if you reuse the same CSR/key the old workflow is picked up. You also
> need to restart the server to activate the config changes.
>
> Oliver
>
> On 02.09.20 at 19:18, Cano Carballar, Enrique (GE Digital) wrote:
> > Oliver
> >
> > Thank you, I appreciate your time helping me out with this.
> >
> > I have this in democa/est/default.yaml:
> >
> > label: Enrollment
> >
> > authorized_signer:
> >     rule1:
> >         # Full DN
> >         subject: CN=.+:scepclient,.*
> >     rule2:
> >         # Full DN
> >         subject: CN=.+:pkiclient,.*
> >
> > renewal_period: 000060
> >
> > # You must set at least one of both options or remove the is_policy_loaded
> > # condition in the workflow definition
> > policy:
> >     allow_anon_enroll: 1
> >     approval_points: 0
> >     max_active_certs: 0
> >     allow_replace: 0
> >     export_certificate: chain
> >
> > profile:
> >     cert_profile: tls_server
> >     cert_subject_style: enroll
> >
> > eligible:
> >     initial:
> >         value: 1
> >
> >     renewal:
> >         value: 1
> >
> >     onbehalf:
> >         value: 1
> >
> > Still, when I do:
> >
> > $ curl -k https://localhost:8443/.well-known/est/simpleenroll -s --data-binary @req.p10 -H "Content-Type: application/pkcs10"
> >
> > I get:
> >
> > Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
> >
> > Am I missing anything?
> >
> > Thanks again for your help
> >
> > Enrique
> >
> > On 02/09/2020, 08:21, "Oliver Welter" <[email protected]> wrote:
> >
> > Hello Enrique,
> >
> > that's intended behaviour - the default configuration expects an "on
> > behalf" request authenticated with a TLS signer certificate. Using Basic
> > Auth is not supported at the moment.
> >
> > Please see this - very detailed - documentation of the enrollment
> > workflow and its configuration:
> > https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html
> >
> > There is also a section for a "sign all" testdrive configuration:
> > https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure
> >
> > best regards
> >
> > Oliver
> >
> > On 01.09.20 at 16:12, Cano Carballar, Enrique (GE Digital) wrote:
> > > Hi!
> > >
> > > I've got openxpki running with docker-compose, pretty much following
> > > the instructions as described here:
> > > https://github.com/openxpki/openxpki-docker.
> > >
> > > I'm trying to use the EST protocol to sign a certificate request, and
> > > I'm using the following URL:
> > >
> > > curl -k -v https://localhost:8443/.well-known/est/simpleenroll -s -o cert.p7 --data-binary @req.p10 -H "Content-Type: application/pkcs10"
> > >
> > > But instead of the certificate, I'm getting this error message:
> > >
> > > $ cat cert.p7
> > >
> > > Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
> > >
> > > My questions are:
> > >
> > > 1. Do I need to create a user and send username and password using
> > >    basic authentication?
> > > 2. Do I need to use a client certificate instead?
> > > 3. Can I accept anonymous requests for testing purposes?
> > >
> > > Many thanks in advance
> > >
> > > Enrique
> > >
> > > _______________________________________________
> > > OpenXPKI-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/openxpki-users
> >
> > --
> > Protect your environment - close windows and adopt a penguin!
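As an added illustration (not code from the thread, and not OpenXPKI's own implementation), the two behaviours Oliver describes modelled in Python: matching a TLS signer's subject DN against the authorized_signer rules from Enrique's democa/est/default.yaml, flagging the policy settings that turn the endpoint into the insecure "sign all" test drive, and the pickup-by-CSR-hash that resumes an existing workflow when the same CSR is resubmitted. The regex matching semantics and the SHA-256 pickup key are assumptions chosen for the demo.

```python
import hashlib
import re

# Constructed mirror of the democa/est/default.yaml quoted in the thread
# (a hand-built dict, not parsed from the real config file).
EST_DEFAULT = {
    "authorized_signer": {
        "rule1": {"subject": r"CN=.+:scepclient,.*"},  # Full DN
        "rule2": {"subject": r"CN=.+:pkiclient,.*"},   # Full DN
    },
    "policy": {"allow_anon_enroll": 1, "approval_points": 0},
}


def signer_authorized(subject_dn, config=EST_DEFAULT):
    """Name of the first authorized_signer rule whose regex matches the TLS
    client certificate's full subject DN, or None. Assumption: each rule is
    a Perl-style regex searched against the full DN string."""
    for name, rule in config.get("authorized_signer", {}).items():
        if re.search(rule["subject"], subject_dn):
            return name
    return None


def audit_policy(config=EST_DEFAULT):
    """Flag the settings that make the endpoint the insecure 'sign all'
    test drive: anonymous enrollment with no approval step."""
    policy = config.get("policy", {})
    findings = []
    if policy.get("allow_anon_enroll"):
        findings.append("allow_anon_enroll=1: unauthenticated CSRs are accepted")
    if policy.get("approval_points", 0) == 0:
        findings.append("approval_points=0: no operator approval before issuance")
    return findings


class WorkflowPickup:
    """Models 'the pickup works based on the csr/key hash': resubmitting the
    same CSR resumes the existing workflow instead of starting a new one.
    Assumption: SHA-256 over the CSR bytes stands in for OpenXPKI's real key."""

    def __init__(self):
        self._workflows = {}

    def submit(self, csr_der):
        key = hashlib.sha256(csr_der).hexdigest()
        if key in self._workflows:
            return self._workflows[key], True   # old workflow picked up
        wf_id = len(self._workflows) + 1
        self._workflows[key] = wf_id
        return wf_id, False                     # fresh workflow started
```

Resubmitting the constructed CSR bytes returns the first workflow id with the "picked up" flag set, which is why a fresh CSR (and a server restart after config changes) was needed to see the new policy take effect.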
