Hi Per,

The RPC interface returns a JSON structure that needs to be parsed, so you need something like jq, and you will need to add a lot of processing around it to handle the different error and pending states, so I would not recommend this as a first choice.
EST returns the certificate as a PKCS#7 structure, which can be parsed using openssl, and there are also some lightweight clients around, so that might be a better way to go.

The question of authentication is almost a matter of personal preference. OpenXPKI with the default workflows accepts a static challengePassword embedded in the PKCS#10 container (not recommended!) or authentication with a dedicated client certificate to perform the so-called "on behalf enrollment". Basic Auth can be added via Apache by protecting the EST endpoint using the built-in modules. You can of course also perform a manual approval with a later pickup. There are also some "non-standard" approaches using HMACs or per-request challengePasswords, but those need some extra tweaks. So you should first decide how your enrollment process should look. The docs might help: https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html

If you can afford some license fees, you might want to have a look at CertNanny, which wraps key generation, authentication, polling and error handling in a single easy-to-use binary: https://www.whiterabbitsecurity.com/produkte/certnanny/

best regards

Oliver

On 25.03.21 at 11:10, Per Abildgaard Toft via OpenXPKI-users wrote:
> Hi Oliver,
>
> I would love to help develop a general Ansible module which can help
> enroll certificates.
>
> I am still quite new in OpenXPKI, and I am not sure which API to fit
> for the purpose. I would prefer to use the REST API or the EST - what
> do you think?
>
> Overall, what I have had working with EST so far is:
>
>   openssl req -new -subj "/CN=est-test.openxpki.org" -nodes -newkey rsa:4096 -keyout estcert.key -outform der | openssl base64 -e 2>/dev/null > req.p10
>
> and then:
>
>   curl -v https://internal-ca02.netic.dk/.well-known/est/simpleenroll --anyauth -s -o cert.p7 --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header resp.hdr
>
> I am not sure how auth should be done?
> I guess it is possible to provide a user certificate or an HTTP basic
> auth.
>
> Med venlig hilsen / Best Regards
> Netic A/S
>
> Per Abildgaard Toft
> Senior Consultant
> [email protected]
>
> Mobile: +4577770861
> Main: +45 7777 0888 | Support: +45 7777 0999
> Address and contact information <https://www.netic.dk/en/contact-us/>
>
> On Thu, Mar 25, 2021 at 7:50 AM Oliver Welter <[email protected]> wrote:
>
>> Hi Per,
>>
>> we did something like this in a customer project (well, the
>> customer did it) but I am highly interested in getting a general
>> recipe for this. If you are willing to contribute the Ansible
>> know-how, I will try to add the OpenXPKI magic.
>>
>> We should start with your actual requirements ;)
>>
>> Oliver
>>
>> On 24.03.21 at 10:29, Per Abildgaard Toft via OpenXPKI-users wrote:
>>> Hi OpenXPKI users,
>>>
>>> Has anyone created an Ansible module to enroll certificates with
>>> OpenXPKI?

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
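The enrollment flow discussed above (base64 PKCS#10 in, PKCS#7 out, with the pending and error states handled rather than ignored) as an added shell example; this is not OpenXPKI project code and not the commands from the thread. It assumes a hypothetical EST_URL, takes the authentication method from environment variables (EST_CLIENT_CERT/EST_CLIENT_KEY for the client-certificate "on behalf" case, or EST_USER as user:pass for Basic Auth put in front of the endpoint by the web server), and treats HTTP 202 plus Retry-After as "pending" as RFC 7030 section 4.2.3 describes; the file names used by the `enroll` usage are likewise assumptions.

```shell
#!/bin/sh
# Added example, not OpenXPKI project code: EST simpleenroll client built
# from openssl + curl that separates the issued / pending / error outcomes.
# Assumptions (hypothetical): EST_URL, the env vars used for auth, and the
# file names used by the "enroll" usage at the bottom.
set -eu

EST_URL="${EST_URL:-https://ca.example.org/.well-known/est/simpleenroll}"

# make_csr CN KEYFILE REQFILE
# Fresh RSA key in KEYFILE and a PKCS#10 request for /CN=CN as base64 DER in
# REQFILE, the body format simpleenroll expects (RFC 7030 4.2.1).
make_csr() {
    openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -nodes -subj "/CN=$1" \
        -keyout "$2" -outform der 2>/dev/null | openssl base64 -e > "$3"
}

# classify_status HTTP_CODE HEADER_FILE
# Prints a verdict and returns 0 = certificate issued, 2 = request pending
# (e.g. waiting for manual approval; re-post the same CSR after Retry-After
# seconds, RFC 7030 4.2.3), 1 = anything else (401/403: auth not accepted).
classify_status() {
    case "$1" in
        200) echo issued; return 0 ;;
        202) wait=$(sed -n 's/^[Rr]etry-[Aa]fter:[[:space:]]*\([0-9]*\).*/\1/p' "$2" | head -n 1)
             echo "pending retry_after=${wait:-60}"; return 2 ;;
        401|403) echo "auth_failed http=$1"; return 1 ;;
        *) echo "error http=$1"; return 1 ;;
    esac
}

# est_simpleenroll REQFILE P7FILE
# Posts the request; response body goes to P7FILE, headers to P7FILE.hdr.
# Auth: client certificate (on-behalf enrollment) if EST_CLIENT_CERT is set,
# else HTTP Basic if EST_USER ("user:pass") is set, else anonymous (which
# only works when the CSR carries a challengePassword the CA accepts).
# A transport failure makes curl exit non-zero and, with set -e, aborts.
est_simpleenroll() {
    if [ -n "${EST_CLIENT_CERT:-}" ]; then
        set -- "$1" "$2" --cert "$EST_CLIENT_CERT" --key "${EST_CLIENT_KEY:-$EST_CLIENT_CERT}"
    elif [ -n "${EST_USER:-}" ]; then
        set -- "$1" "$2" --user "$EST_USER"
    fi
    req="$1"; out="$2"; shift 2
    code=$(curl -sS "$@" -o "$out" -D "$out.hdr" -w '%{http_code}' \
        -H 'Content-Type: application/pkcs10' \
        -H 'Content-Transfer-Encoding: base64' \
        --data-binary "@$req" "$EST_URL")
    classify_status "$code" "$out.hdr"
}

# p7_to_pem P7FILE
# The response is a base64 "certs-only" PKCS#7 (CMS) blob; unwrap it with
# openssl and print the contained certificate(s) as PEM. Line breaks are
# stripped first so both wrapped and single-line base64 decode.
p7_to_pem() {
    tr -d '\r\n' < "$1" | openssl base64 -d -A | openssl pkcs7 -inform der -print_certs
}

# Usage: ./est-enroll.sh enroll <CN>  (writes est.key, req.p10, cert.p7, cert.pem)
if [ "${1:-}" = "enroll" ]; then
    make_csr "$2" est.key req.p10
    rc=0; est_simpleenroll req.p10 cert.p7 || rc=$?
    case $rc in
        0) p7_to_pem cert.p7 > cert.pem ;;   # issued
        2) exit 2 ;;                         # pending: keep req.p10, post it again later
        *) cat cert.p7; exit 1 ;;            # error: show the server's response body
    esac
fi
```

Note that `--anyauth` is deliberately not used: the script picks one authentication method up front, so a 401 is reported as an authentication failure instead of curl silently retrying with whatever the server offers.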
