I don't know if this is helpful, but here is the tls.crt that was used:

----------
C:\Users\rkrahl\test>openssl x509 -in tls.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ff:ee:08:27:87:aa:60:ff:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = OpenXPKI, OU = PKI, CN = OpenXPKI Demo Issuing CA 20210812
        Validity
            Not Before: Aug 12 08:18:21 2021 GMT
            Not After : Aug 12 08:18:21 2022 GMT
        Subject: DC = org, DC = OpenXPKI, DC = Test Deployment, CN = tls-cert:pkiclient
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b7:aa:5f:4e:6f:5a:40:dc:18:8b:26:3f:0e:a8:
                    e9:1b:01:68:24:e3:07:97:c9:77:2a:ae:8a:7d:ca:
                    85:dc:5d:7a:6c:a1:4a:40:17:b5:19:74:f6:39:d3:
                    82:8d:0e:0c:a0:d6:10:16:94:b7:75:0c:51:91:1c:
                    53:ff:30:76:12:2d:f1:aa:88:5e:0d:30:65:cc:73:
                    8c:cb:46:86:ed:9e:30:6b:35:32:a7:b0:d1:ea:3c:
                    66:83:da:be:07:d2:c5:3d:37:1d:fe:41:69:9b:b1:
                    92:90:1b:75:32:30:d3:e3:a1:51:16:d0:1c:ce:8a:
                    a5:5c:a9:19:e3:95:12:23:9c:d5:f2:6c:a1:08:1e:
                    dd:b9:0f:0c:bd:5a:05:e9:6c:21:de:39:96:60:c5:
                    c9:a3:03:58:98:60:f0:a7:35:2b:5d:a8:e7:4c:96:
                    a5:95:f0:0c:f8:b4:e0:64:4c:f2:4d:f5:2c:8f:d9:
                    05:c1:07:c0:4d:b5:86:56:45:ef:3b:1d:61:a7:0e:
                    66:a7:31:56:eb:84:47:2e:59:82:2c:bb:10:84:24:
                    d4:b8:26:f0:45:93:57:3a:9f:87:ca:af:b3:e7:12:
                    0a:8d:ab:1c:22:30:75:6e:aa:a8:7c:dc:6b:c6:e4:
                    c8:a9:1b:13:fa:17:1c:25:71:1d:b8:2c:cb:72:dc:
                    64:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI: http://pki.example.com/download/OpenXPKI_Demo_Issuing_CA_20210812.cer
                OCSP - URI:http://ocsp.example.com/

            X509v3 Authority Key Identifier:
                keyid:26:65:DC:C8:DF:10:13:B1:15:8A:93:DA:03:46:25:BC:B4:F7:12:A7

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI: http://pki.example.com/download/OpenXPKI_Demo_Issuing_CA_20210812.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Certificate Policies:
                Policy: 1.2.3.4
                  CPS: http://pki.example.com/cps.html
                  CPS: http://pki.example.com/cps.html
                  User Notice:
                    Explicit Text: This is a comment for policy oid 1.2.3.4

            X509v3 Subject Key Identifier:
                51:5B:0B:69:3F:23:40:F3:9B:22:DC:C1:0B:73:33:30:A7:AA:19:33
    Signature Algorithm: sha256WithRSAEncryption
         24:ec:ea:44:c5:21:b6:bc:2c:41:29:79:62:35:6f:ac:b6:c2:
         18:bb:95:0f:f0:db:ac:2b:b6:6a:76:d8:a8:f5:92:ec:47:94:
         46:0d:c8:f0:02:32:cc:66:0c:cd:c0:85:ac:c0:98:47:38:75:
         a6:ab:8f:79:1c:34:a2:de:22:80:fc:17:96:84:73:b1:a1:b3:
         ec:9d:96:3f:9e:1c:97:2f:6e:51:35:e8:00:c2:dd:03:c3:dc:
         4c:29:d1:b3:38:ab:e7:5a:c5:ab:6b:ab:e6:a4:86:a0:5c:5d:
         14:a5:da:86:0d:22:4b:05:08:c6:9c:55:0b:ef:a3:4f:cd:ea:
         fc:26:5c:f2:c2:0d:be:86:b3:36:7a:6e:4e:e7:45:10:09:f1:
         83:f5:9e:e1:72:a1:ca:37:d0:c3:41:72:95:43:1a:ad:b2:14:
         c2:12:49:78:ee:0c:0b:1e:0c:12:73:3d:18:4d:c7:e0:b2:47:
         73:c9:9d:3b:6b:46:49:65:d7:d5:54:c7:cc:2d:a1:49:47:95:
         9a:68:1d:11:d8:c7:50:ce:6f:7f:4e:f7:5d:52:fc:e5:db:b6:
         f4:14:97:6b:af:de:f2:31:de:55:a8:3f:75:a9:ae:e7:1b:dc:
         6c:c5:48:ef:f8:b8:4e:76:c4:8a:79:d2:57:53:88:df:29:c1:
         0b:e8:85:2c:aa:3f:b5:2c:e1:60:7a:bc:10:a1:7a:69:48:c2:
         48:0c:f9:53:be:46:01:39:87:50:0a:c3:43:e3:f1:d9:de:81:
         8d:b4:e1:c5:c9:9a:20:2d:c0:ad:00:09:dc:c6:c0:62:bc:47:
         3f:19:6d:20:43:4a:6a:65:06:8a:aa:1d:79:a8:3b:ad:75:f6:
         a2:f8:5d:84:e5:a6:37:58:0e:4e:2c:02:62:72:83:5d:f1:ae:
         0b:26:7a:44:e3:15:82:c5:69:86:0f:9a:84:a4:48:20:cc:93:
         bd:37:10:1d:5e:f2:ce:3b:65:c4:11:15:89:a0:f8:f3:e3:3c:
         e3:98:07:c9:81:cf
----------

On Thu., 12 Aug. 2021 at 14:26, Robert Krahl <rkrahl.ot...@gmail.com> wrote:

> Hi Oliver,
>
> thanks for the quick reply!!
>
> When entering the curl command, no new entry is shown in the workflow UI
> (test account: raop).
>
> Regarding the TLS certificates:
>
> ----------
> root@3fac13af39a4:/etc/openxpki/tls/chain# ls -la
> total 5
> drwxrwxrwx 1 root root    0 Aug 12 08:08 .
> drwxrwxrwx 1 root root    0 Aug 12 08:08 ..
> lrwxr-xr-x 1 root root 1067 Aug 12 08:08 ba0583c9.0 -> dummy.crt
> -rwxr-xr-x 1 root root 1172 Aug 12 08:08 dummy.crt
> lrwxr-xr-x 1 root root 1067 Aug 12 08:08 ecb921c1.0 -> dummy.crt
> root@3fac13af39a4:/etc/openxpki/tls/chain# openssl x509 -in dummy.crt -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             57:ef:16:f1:68:ea:88:0b:ed:6f:a1:ef:21:ea:b0:7c:b2:7f:ac:f2
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN = Placeholder for TLS Client Auth
>         Validity
>             Not Before: Aug 12 08:08:57 2021 GMT
>             Not After : Sep 11 08:08:57 2021 GMT
>         Subject: CN = Placeholder for TLS Client Auth
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                     00:c0:5b:0b:b6:55:78:ef:34:b3:42:ed:91:20:8b:
>                     20:a3:fd:67:1b:66:a2:27:84:56:d6:f0:46:3d:a6:
>                     9a:fa:7f:67:71:b2:5d:40:2a:b7:08:7f:85:3a:db:
>                     7a:ee:33:16:b7:28:d9:c8:c7:02:ae:d5:3c:00:75:
>                     11:b6:9b:3c:24:44:18:0c:bf:02:b4:23:d8:d3:b5:
>                     7b:87:c6:d9:96:88:47:cf:1a:a6:4f:15:53:4a:96:
>                     89:8f:39:df:7d:c1:8e:c9:89:2f:38:43:88:0a:7b:
>                     fc:04:7f:f0:c2:95:96:fd:a4:58:3e:5f:d8:7d:97:
>                     1d:a2:cf:85:4c:60:c9:ed:a2:09:b6:ca:84:bd:6f:
>                     58:9b:76:95:fd:1e:14:f3:62:7f:58:bf:8e:d0:c8:
>                     4f:f3:32:5e:e1:5e:7a:04:b5:53:ae:cb:98:26:19:
>                     cd:24:50:f0:5c:3b:0e:af:51:4e:6c:36:5b:67:f5:
>                     5e:0f:20:1e:b2:20:7a:e7:c6:2b:24:9d:a2:94:60:
>                     d9:e0:6b:4e:7f:c7:7d:f7:0d:f0:ac:eb:cc:2d:42:
>                     8e:55:e1:21:e7:59:3a:26:e6:d7:f0:60:dc:80:3e:
>                     55:cd:de:5f:0f:01:00:ba:ce:df:4d:5f:b0:5b:9d:
>                     cd:09:d9:6f:dc:70:69:8e:8a:2c:04:95:7b:10:85:
>                     1a:81
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 11:8F:14:D6:03:71:0F:1D:E6:BC:4E:91:39:B3:63:61:BB:75:DA:BA
>             X509v3 Authority Key Identifier:
>                 keyid:11:8F:14:D6:03:71:0F:1D:E6:BC:4E:91:39:B3:63:61:BB:75:DA:BA
>
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
>          ac:a7:66:81:75:1e:32:f4:13:c8:e4:0b:90:98:aa:7b:c6:84:
>          d3:89:33:0f:a1:e3:48:2b:78:83:bf:52:af:7e:29:3e:0f:b5:
>          a5:cd:66:42:6d:ac:78:84:2d:51:43:7f:a5:22:05:3a:ab:16:
>          00:4a:fb:ee:19:26:33:08:9e:81:a4:ce:4f:72:b8:cf:3c:0a:
>          1e:84:12:b2:25:e1:6e:0c:05:c2:39:80:67:ac:06:d1:22:ac:
>          09:31:32:50:25:f7:69:61:f0:03:36:5a:3d:e6:98:13:07:77:
>          49:64:1d:98:b8:bf:38:19:2f:9e:1c:83:57:84:8f:f0:f4:40:
>          35:6a:6d:8d:4c:d6:11:fa:21:b0:89:3b:55:b6:0d:fa:15:1c:
>          e7:0f:6b:2e:d5:1d:6a:67:bf:ed:c1:0e:f8:57:ad:86:d3:9c:
>          cc:b2:8d:6f:2b:15:e1:80:87:80:a5:5a:cf:28:35:73:59:de:
>          ce:f4:18:33:0e:6b:ae:88:f0:b7:62:5b:e1:4d:d1:f4:2e:19:
>          59:1e:11:92:cb:3d:b0:e4:00:ff:bf:54:22:a8:5f:ac:fd:cb:
>          6e:eb:6d:95:0f:45:eb:42:08:f3:7e:85:69:51:6a:a7:4b:c7:
>          58:23:be:34:6b:d3:ef:f1:4f:55:80:fe:3f:ec:64:79:5b:e1:
>          88:e6:ca:f4
> ----------
>
> Regarding the Apache server:
>
> ----------
> C:\Users\rkrahl\test>openssl s_client -connect localhost:8443
> (...)
> Acceptable client certificate CA names
> CN = Placeholder for TLS Client Auth
> Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
> Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ----------
>
> That should fit so far (am I right?).
>
> If I now set the EST log level to debug as described, the following
> entries are generated after entering the mentioned curl command:
>
> ----------
> root@3fac13af39a4:/var/log/openxpki# tail -f est.log
> 2021/08/12 08:46:15 INFO:73 EST handler initialized
> 2021/08/12 08:46:16 INFO:73 Disconnect client
> 2021/08/12 12:13:51 DEBUG:71 Config for service est loaded
> 2021/08/12 12:13:51 INFO:71 EST handler initialized
> 2021/08/12 12:13:51 DEBUG:71 Incoming request /.well-known/est/simpleenroll
> 2021/08/12 12:13:51 DEBUG:71 Autodetect config file for service est: default.conf
> 2021/08/12 12:13:51 DEBUG:71 calling context is https
> 2021/08/12 12:13:51 DEBUG:71 EST unauthenticated (no cert)
> 2021/08/12 12:13:51 DEBUG:71 Autodetect config file for service est: default.conf
> 2021/08/12 12:13:51 DEBUG:71 $VAR1 = {
>           'workflow' => 'certificate_enroll',
>           'pickup_attribute' => 'transaction_id',
>           'pickup' => 'pkcs10'
>         };
> 2021/08/12 12:13:51 DEBUG:71 Pickup via attribute with transaction_id => e0fff73e7ddf65f94c239e7f1b8c0ecd707fdc38
> 2021/08/12 12:13:51 DEBUG:71 Initialize client
> 2021/08/12 12:13:51 DEBUG:71 Started volatile session with id: LOtvQJ2OTdS0oRYR6pBaiA==
> 2021/08/12 12:13:51 DEBUG:71 Selecting auth stack _System
> 2021/08/12 12:13:51 DEBUG:71 Pickup 767 for e0fff73e7ddf65f94c239e7f1b8c0ecd707fdc38
> 2021/08/12 12:13:51 DEBUG:71 request for workflow info on 767
> 2021/08/12 12:13:51 INFO:71 Disconnect client
> ----------
>
> I'm a little lost with the problem...
> Thank you in advance for any help! :)
>
> Best regards
> rkrahl
>
> On Tue., 10 Aug. 2021 at 06:40, Oliver Welter <m...@oliwel.de> wrote:
>
>> Hi Robert,
>>
>> can you please look into the workflow via the UI and check if you can see
>> the "signer certificate" in the workflow?
>> If not, check if the Issuing CA you used is in /etc/openxpki/tls/chain/
>> and the symlink with the hash value exists for it. To check if apache is
>> set up properly, run
>>
>> openssl s_client -connect localhost:8443
>>
>> and look for the line "Acceptable client certificate CA names"; the
>> issuing CA of your client certificate should be listed here.
>>
>> The logline with the Anonymous login is ok: the connection to the server
>> from the EST process is done with the anonymous System stack, and the
>> authentication certificate is passed in as a parameter. If this all does
>> not help, raise the log level to debug in "est/log.conf" (restart apache)
>> and check the logfile for what is coming into the system.
>>
>> Oliver
>>
>> On 09.08.21 at 15:28, Robert Krahl wrote:
>>
>> Hello everyone,
>>
>> I am currently trying my best with OpenXPKI.
>> More precisely, I want to use EST to automatically issue or renew
>> certificates.
>> Regarding the deployment, I have made use of the docker resource and the
>> shell script "sampleconfig.sh". So far so good.
>> I have made some adjustments to the file "est/default.yaml".
>> I have modified the following:
>>
>> allow_anon_enroll: 0
>> approval_points: 0
>>
>> This should allow only authenticated EST queries to get through and then
>> be processed automatically.
>>
>> Now I have created a keypair using OpenSSL:
>>
>> > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tls cert" -keyout tls.key -out tls.csr
>>
>> I then used the generated "tls.csr" and the Web-GUI to create a
>> certificate ("tls.crt") in PEM format (Certificate Profile: TLS Client;
>> Application Name: pkiclient).
>> Now I have created another keypair:
>>
>> > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test cert" -keyout test.key -outform der -out - | base64 > test.pem
>>
>> The next thing I'm trying to do is make an authenticated EST query using
>> Curl and the artifacts I've created:
>>
>> > curl -v -k -H "Content-Type: application/pkcs10" --data @test.pem --key tls.key --cert tls.crt https://localhost:8443/.well-known/est/simpleenroll -o device.b64
>>
>> My problem is that the file "device.b64" does not contain the
>> certificate, but:
>>
>> Request was rejected:
>> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
>>
>> I don't know if it helps, but in "var/log/openxpki/openxpki.log" the
>> following entry occurs after the Curl command:
>>
>> 2021/08/09 13:09:58 INFO Login successful (user: Anonymous, role: System) [pid=711|sid=IKeI]
>>
>> There is something I seem to be doing wrong or overlooking regarding the
>> authentication.... I am very grateful for any help!
>>
>> Best regards
>> rkrahl
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
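Oliver's check above (is the issuing CA present in /etc/openxpki/tls/chain/ under its hash-named symlink, and does Apache list it under "Acceptable client certificate CA names"?) can be scripted. Note what the posted output shows: the chain directory holds only the self-signed "Placeholder for TLS Client Auth" certificate, both hash links point at dummy.crt, and that placeholder is the only name s_client reports, whereas tls.crt is issued by "OpenXPKI Demo Issuing CA 20210812". The script below is an added example, not code from the thread or from the OpenXPKI project. It builds a throwaway test PKI (a constructed CA, a client certificate it issues, and an unrelated self-signed placeholder), installs CA certificates into a chain directory under their OpenSSL subject-hash names the way c_rehash would, and checks whether a client certificate verifies against that directory and whether its issuer DN is among the subjects mod_ssl would advertise. Function names, file names and the example DNs are this example's own assumptions; only openssl and a POSIX sh are required.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenXPKI: build and check a
# hashed CA directory of the kind Apache's SSLCACertificatePath (and the
# OpenXPKI docker image's /etc/openxpki/tls/chain) expects. Function and
# file names are this example's own assumptions.
set -eu

# Copy a CA certificate into DIR and link it as <subject_hash>.N, the name
# OpenSSL's -CApath lookup and c_rehash use. Prints the link name.
install_ca_hash() {            # install_ca_hash DIR CA.pem
    dir=$1; ca=$2; base=$(basename "$ca")
    cp "$ca" "$dir/$base"
    hash=$(openssl x509 -in "$ca" -noout -subject_hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$dir/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# Does CERT chain to a CA in DIR? Only DIR is trusted, not the system store.
chain_ok() {                   # chain_ok DIR CERT.pem
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# mod_ssl advertises the subject DNs of its trusted CAs as "Acceptable
# client certificate CA names"; a client cert whose issuer is not in that
# list is rejected, so compare CERT's issuer DN with the subjects in DIR.
issuer_advertised() {          # issuer_advertised DIR CERT.pem
    issuer=$(openssl x509 -in "$2" -noout -issuer); issuer=${issuer#issuer=}
    for f in "$1"/*.[0-9]*; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
        [ "$subj" = "$issuer" ] && return 0
    done
    return 1
}

# Constructed test material in DIR: ca.crt (a CA), tls.crt (a client cert
# it issued, like the thread's tls.crt) and dummy.crt (an unrelated
# self-signed placeholder, like the thread's dummy.crt). Not real OpenXPKI
# certificates; a private config keeps the result independent of openssl.cnf.
make_test_pki() {              # make_test_pki DIR
    d=$1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -config "$d/x.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/O=Example/CN=Example Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -config "$d/x.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=tls cert" -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null
    openssl x509 -req -in "$d/tls.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/x.cnf" -extensions v3_client \
        -out "$d/tls.crt" 2>/dev/null
    openssl req -config "$d/x.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Placeholder for TLS Client Auth" \
        -keyout "$d/dummy.key" -out "$d/dummy.crt" 2>/dev/null
}

# Walk-through: a chain directory holding only the placeholder rejects the
# issued client certificate; adding the issuing CA makes both checks pass.
demo() {
    w=$(mktemp -d); mkdir "$w/chain"
    make_test_pki "$w"
    install_ca_hash "$w/chain" "$w/dummy.crt" >/dev/null
    for step in placeholder-only with-issuing-ca; do
        [ "$step" = with-issuing-ca ] && install_ca_hash "$w/chain" "$w/ca.crt" >/dev/null
        chain_ok "$w/chain" "$w/tls.crt" && v=verifies || v="does not verify"
        issuer_advertised "$w/chain" "$w/tls.crt" && a=listed || a="not listed"
        echo "$step: tls.crt $v; issuer $a among acceptable CA names"
    done
    rm -rf "$w"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh chain_check.sh demo` to see both outcomes. Against a real deployment, call `chain_ok` and `issuer_advertised` with /etc/openxpki/tls/chain and the actual tls.crt; `install_ca_hash` is the step that adds the issuing CA, and Apache reads the directory only at startup, so restart it afterwards and confirm the new name with `openssl s_client -connect localhost:8443`.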