Hi,
I'm looking into the possibility of using OpenXPKI in a bastion setup to lock down access to a few Linux servers. I currently have the demo running in a VM, but I have some requirements that I don't know are possible or not.

The setup I have in mind is: SSH into the bastion with a password + 2FA, and then get a short-term cert from the CA, requested by the bastion host, that allows access to other machines based on the principals in the certificate. So what I need from OpenXPKI is that users can request an initial certificate with a certain access (profile?) that initially needs to be manually approved, but can then be automatically renewed upon login to the bastion host, unless the last cert was revoked with, for example, the 'affiliation has changed' reason and not just expired.

I think Apache can be used to restrict where new cert requests/renewals can originate from, unless there is a better way to do a little access control on that; the demo seems to allow anyone to request a cert. Is there actually a better way to do some access control and not allow the whole world to request certificates? (Obviously it'd be firewalled off, so only the figurative world ;) )
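Added example, not from the original post and not OpenXPKI's own code: the bastion-side mechanics the post describes, done with plain OpenSSH as the user CA, including the "renew on login unless the last cert was revoked for a reason other than expiry" rule. CA_KEY, CERT_TTL, the principal names and the revocation-reason strings are assumptions.

```shell
#!/bin/sh
# Bastion-side SSH user CA: short-lived, principal-bound certificates plus the
# renewal policy from the post. Paths and reason strings are assumed placeholders.
set -eu

CA_KEY="${CA_KEY:-/etc/ssh/bastion_user_ca}"   # assumed location of the CA signing key
CERT_TTL="${CERT_TTL:-+8h}"                     # short-lived: ends with the login window

# Renew automatically only if the previous cert was never revoked or merely expired.
# Any explicit revocation reason (RFC 5280 names) sends the user back to manual
# approval; an unrecognised reason fails closed.
renew_allowed() {
    case "$1" in
        none|expired|"") return 0 ;;   # auto-renew on login
        affiliationChanged|keyCompromise|cessationOfOperation|privilegeWithdrawn)
                         return 1 ;;   # needs a fresh manual approval
        *)               return 1 ;;   # unknown reason: fail closed
    esac
}

# Sign a user certificate restricted to the given principals (e.g. "webservers,dbadmin").
# Target sshd matches these against AuthorizedPrincipalsFile, so the cert is useless on
# hosts that list none of them. "-O clear" drops every extension before re-adding pty.
issue_cert() {
    user="$1"; pubkey="$2"; principals="$3"; last_reason="${4:-none}"
    if ! renew_allowed "$last_reason"; then
        echo "refusing to renew for $user: last cert revoked ($last_reason)" >&2
        return 1
    fi
    ssh-keygen -s "$CA_KEY" -I "bastion:$user" -n "$principals" \
        -V "$CERT_TTL" -O clear -O permit-pty "$pubkey"
    ssh-keygen -L -f "${pubkey%.pub}-cert.pub"   # show validity window and principals
}

# Run only when invoked explicitly, e.g.: ./issue.sh issue alice ~/.ssh/id_ed25519.pub webservers
if [ "${1:-}" = "issue" ]; then
    issue_cert "$2" "$3" "$4" "${5:-none}"
fi
```

Target servers need `TrustedUserCAKeys` pointing at the CA public key and `AuthorizedPrincipalsFile` (for example `/etc/ssh/principals/%u`) in sshd_config so that access is decided by the principals in the cert rather than by per-host authorized_keys.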
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
