Hi Chandra,
the auth stacks do AUTHENTICATION and your config allows all
certificates from the democa realm, so this works as expected.
You need to use the authorized_signer settings inside the workflow for
AUTHORIZATION, which will work with these auth settings, but that's not
required as even the anonymous setup passes the signer certificate along
with the request. This is the same as for the RPC wrapper, so check the
documentation there.
Feel free to contact me for commercial support.
Oliver
On 29.06.22 08:00, Chandramauli De via OpenXPKI-users wrote:
Hello Oliver and others,
Can you please look into this issue and give us some guidance.
Thanks & Regards,
Chandra
*Chandramauli De*
QA, Fleet management
STL, ISS
www.lexmark.com
*From:* Chandramauli De via OpenXPKI-users
<[email protected]>
*Sent:* Monday, June 27, 2022 6:06 PM
*To:* [email protected]
*Cc:* Chandramauli De <[email protected]>
*Subject:* [OpenXPKI-users] Need help for client cert authentication of openxpki EST server
Hello everyone,
We've configured an openxpki EST server. It has the following config for
client cert auth in stack.yaml & handler.yaml. Still, if we provide any
wrong certificate in our application, certificate enrollment is
successful. Whereas if we use testrfc7030.com, then in our
application, certificate enrollment is NOT successful. Is there any
problem in the config and if yes, can you please help us with where we need to
change w.r.t. the EST server configuration?
*stack.yaml*

    # Login with a client certificate, needs to be setup on the webserver
    Certificate:
        label: Client certificate
        description: Login using a client certificate
        handler: Certificate
        type: x509
        sign:
            # This is the public key matching the private one given in webui/default.conf
            # Use "openssl pkey -pubout" to create the required string from the private key
            key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Kd4mdLwV4bEMaKQ2aUxO4e18QAuE1k0je5i82qk0haG8b8h1VJ4SaslRa+/Nff6Mhx31yRR6RNzmjEPRgLZYw==
*handler.yaml*

    # Using the default config this allows a user login with ANY certificate
    # issued by the democa which has the client auth keyUsage bit set
    # the commonName is used as username!
    Certificate:
        type: ClientX509
        role: User
        arg: CN
        trust_anchor:
            realm: democa
Thanks & Regards,
Chandra
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
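To make the distinction in Oliver's reply concrete, here is an added Python example written for this thread; it is not OpenXPKI code and does not use OpenXPKI's configuration syntax. It models the handler.yaml trust anchor as an AUTHENTICATION step that accepts any clientAuth certificate chaining to the democa realm's CA (which is why a "wrong" democa certificate still enrolls), and a separate authorized_signer-style rule set as the AUTHORIZATION step that decides whether that authenticated signer may actually have the request approved. The certificate records, the rule keys (subject, issuer) and the function names are all constructed for illustration.

```python
"""Authentication vs. authorization for a certificate-authenticated EST request.

Added example (hypothetical, not OpenXPKI's own code). Certificates are plain
dicts standing in for parsed X.509 data, so the example runs without a PKI
library.
"""
import re

# Trust anchors per realm: issuer DNs whose certificates the realm accepts.
# (Constructed sample data; in the real deployment this is the democa CA.)
TRUST_ANCHORS = {"democa": {"CN=Demo CA,DC=example"}}

# Constructed sample certificates as a TLS handler would see them.
PRINTER = {"subject": "CN=printer-42:estclient,DC=example",
           "issuer": "CN=Demo CA,DC=example", "ext_key_usage": {"clientAuth"}}
ALICE = {"subject": "CN=alice,DC=example",
         "issuer": "CN=Demo CA,DC=example", "ext_key_usage": {"clientAuth"}}
SERVER = {"subject": "CN=web01,DC=example",
          "issuer": "CN=Demo CA,DC=example", "ext_key_usage": {"serverAuth"}}
ROGUE = {"subject": "CN=printer-42:estclient,DC=example",
         "issuer": "CN=Other CA,DC=elsewhere", "ext_key_usage": {"clientAuth"}}

# Hypothetical authorized_signer-style rules: inside a rule every field must
# match (AND); the request is authorized if any rule matches (OR).
AUTHORIZED_SIGNER = {
    "rule1": {"subject": r"CN=.+:estclient,.*"},
    "rule2": {"subject": r"CN=ra-operator,.*", "issuer": r"CN=Demo CA,.*"},
}


def authenticate(cert, realm, anchors=TRUST_ANCHORS):
    """Mirror of the ClientX509 handler: ANY certificate issued by the realm's
    trust anchor with the clientAuth usage logs in; the CN becomes the user.
    Returns the username or None."""
    if cert["issuer"] not in anchors.get(realm, set()):
        return None
    if "clientAuth" not in cert["ext_key_usage"]:
        return None
    match = re.search(r"(?:^|,)CN=([^,]+)", cert["subject"])
    return match.group(1) if match else None


def authorize(cert, rules=AUTHORIZED_SIGNER):
    """Authorization is a separate decision about the signer certificate.
    Returns the name of the first matching rule, or None."""
    for name, conditions in rules.items():
        if all(re.fullmatch(pattern, cert.get(field, ""))
               for field, pattern in conditions.items()):
            return name
    return None


def enroll(cert, realm="democa"):
    """Outcome for a request carrying this signer certificate:
    (username, matched_rule, decision)."""
    user = authenticate(cert, realm)
    if user is None:
        return (None, None, "reject: not authenticated")
    rule = authorize(cert)
    if rule is None:
        # Authenticated login, but no rule lets this signer approve a request.
        return (user, None, "hold: authenticated but not authorized")
    return (user, rule, "approve")


if __name__ == "__main__":
    for label, cert in [("printer", PRINTER), ("alice", ALICE),
                        ("server", SERVER), ("rogue", ROGUE)]:
        print(f"{label:8} -> {enroll(cert)}")
```

Run with a wrong-but-valid democa certificate (ALICE) and the first step still succeeds, exactly as Oliver describes; only the rule set in the second step turns that login into a rejection or a held request.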