Hi Caro,

A certificate will only be recognized as an "internal" certificate if it
was issued by this CA, which means in the DB that the "req_key" is set.

Option 1) Create a dummy realm and import the certificates as entity
certificates, which is done by setting a profile on certificate import.
You can then reference those items via the signer rules. Note that you
must set the realm attribute in the realm as the default is to use the
current realm only.

Option 2) Set the "allow_external_signer" flag and *do not* import the
end entity certificates (this will confuse the logic).

You should find detailed information in the docs of
OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust.

best regards

Oliver


On 16.02.22 at 17:50, Ca Be wrote:
> Hi,
>
> I have an issue with EST.
> In openxpki I configured an Issuing CA which works fine if the
> certificate that is used for EST client authentication was also issued
> by this Issuing CA.
>
> However, if the certificate used for TLS client authentication was
> issued by another CA ("Manufacturer CA"), I get the error
> "signer_not_authorised". I've imported the Manufacturer Root and
> Issuing CA to the database to realm "democa" (however the command
> /openxpkiam certificates list --realm democa/ does not show them, but
> in the database table "certificate" the first column is set to
> "democa". I'm confused about that!?).
>
> Furthermore in est/default.yaml I changed the authorized signer rule
> to "subject: .*"
>
> I also wanted to try the approach to create an alias for the
> Manufacturer root ca and add it as "root_alias" to the default.yaml.
>
> But creating a non-functional alias with the command /openxpki alias
> --realm demo --identifier ... --alias .../
> does not work for me, the alias is not created. The only aliases that
> appear in the table aliases are the functional aliases (root,
> ca-signer, data-vault).
> What am I doing wrong?
>
> What is the general approach for EST with client certificates from
> another CA?
>
> Thanks a lot,
> Caro
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin! 