Hi, I did not get in total what you are trying to achieve.

For the renewal topic you can use the enrollment workflow via RPC, EST or SCEP to let a user create a new certificate with the same properties as the one he already has by proving the ownership of the old key. See https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#renewal

For the initial request I don't know what your intention/problem is - yes, anyone can create a CSR, but it needs to be approved by an Operator. In case you have any external data sources, the system offers plenty of options to handle authentication and authorization by checking relations in those systems.

Oliver

On 08.10.20 at 11:15, Conz wrote:
>
> Hi,
>
> I’m looking into the possibility of using openxpki in a bastion setup
> to lock down access to a few linux servers and I currently have the
> demo running in a vm but I have some requirements that I don’t know if
> it’s possible or not.
>
> The setup I have in mind is ssh into the bastion with a password + 2fa
> and then get a short term cert from the CA requested by the bastion
> host that allows access to other machines based on the principals in
> the certificate.
>
> So what I need from openxpki is that users can request an initial
> certificate with a certain access (profile?) that initially needs to
> be manually approved but can then be automatically renewed upon login
> to the bastion host unless the last cert was revoked with for example
> the ‘affiliation has changed’ reason and not just expired.
>
> I think apache can be used to restrict where new cert requests /
> renews can originate from unless there is a better way to do a little
> access control on that, the demo seems to allow anyone to request a cert.
>
> Is there actually a better way to do some access control and not allow
> the whole world to request certificates? (Obviously it’d be
> firewalled off so only the figurative world ;) )
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
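The two checks this thread turns on, the proof of ownership of the old key that Oliver points to for renewal and the "auto-renew unless the previous cert was revoked, not just expired" gate that Conz wants, can be modelled on the CA side with plain openssl. The script below is an added example written for this page; it is not OpenXPKI code and does not call the OpenXPKI RPC, EST or SCEP workflow, which implement this gate in their own configuration. It assumes the `openssl` CLI is installed, constructs a throwaway key and self-signed certificate standing in for the user's current credential, and treats every revocation reason (not only affiliationChanged) as blocking automatic renewal, which is an assumption beyond what the thread states.

```shell
#!/bin/sh
# Added example: renewal gate modelled after the OpenXPKI-users thread.
# A renewal is auto-approved only if the CSR is signed with the key of the
# certificate being renewed (proof of possession) and that certificate is
# valid or merely expired; a revoked certificate (e.g. affiliationChanged)
# sends the request back to manual approval. Not OpenXPKI's own code.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "current" credential: key + self-signed cert for a demo user.
make_old_credential() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/old.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=alice/O=bastion-users" \
      -days 1 -out "$WORK/old.crt" 2>/dev/null
}

# Build a renewal CSR with the same subject as the old certificate.
# Signing it with the old key proves possession; a fresh key does not.
make_csr() {   # $1 = private key file, $2 = output CSR path
  openssl req -new -key "$1" -subj "/CN=alice/O=bastion-users" -out "$2" 2>/dev/null
}

# Proof of possession: the public key in the CSR must equal the one in the cert.
pop_matches() {   # $1 = certificate, $2 = CSR
  cert_pub="$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)"
  csr_pub="$(openssl req -in "$2" -pubkey -noout | openssl dgst -sha256)"
  [ "$cert_pub" = "$csr_pub" ]
}

# renewal_decision <cert> <csr> <status>
# status: valid | expired | revoked:<RFC 5280 reason, e.g. affiliationChanged>
# Prints "approve: ..." or "reject: ..."; the status would come from the CA's
# own database in a real deployment (constructed input here).
renewal_decision() {
  cert="$1"; csr="$2"; status="$3"
  if ! pop_matches "$cert" "$csr"; then
    echo "reject: CSR not signed with the key of the certificate being renewed"
    return 0
  fi
  case "$status" in
    valid|expired)
      echo "approve: auto-renew" ;;
    revoked:affiliationChanged)
      echo "reject: previous certificate revoked (affiliationChanged), manual approval required" ;;
    revoked:*)
      # Assumption: any other revocation reason also blocks auto-renewal.
      echo "reject: previous certificate revoked (${status#revoked:}), manual approval required" ;;
    *)
      echo "reject: unknown certificate status '$status'" ;;
  esac
}

# Demo run when executed directly.
make_old_credential
make_csr "$WORK/old.key" "$WORK/renew.csr"
renewal_decision "$WORK/old.crt" "$WORK/renew.csr" expired
renewal_decision "$WORK/old.crt" "$WORK/renew.csr" revoked:affiliationChanged
```

The public-key comparison is the whole of the "proof of ownership" step: the CSR's signature is made by the private half of the key the CA already certified, so no password or second factor is needed at renewal time, which is exactly why the bastion host can drive it unattended after the user's interactive login.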
