Hello openxpki experts,
I know I am not the first one to ask, but I am sure that I have read all threads and
tried out all the recommendations given. I have been stuck for more than two
weeks already and I desperately need this thing to work for my research project.
The goal: "Enrollment on behalf" with TLS client certificates from an external
PKI. This means: whenever an arbitrary client authenticates with a certificate
(not issued by openxpki!) from some external CA "XYZ", it shall receive a
certificate from OpenXPKI. No fancy authorization rules for DN, key usage, etc.
needed.
What I did so far (all based on the democa):
* got the democa running using the sample script -> works fine (cert
issuance works fine)
* imported my external CA certificate with: "openxpkiadm certificate import
--file reach-root-ca.crt --alias fountain-root-ca" --> democa root cert & the
external root cert are both imported
* changed /etc/openxpki/config.d/realm/democa/est/default.yaml to:
label: EST Default Endpoint
authorized_signer:
    rule1:
        # trust clients with certificates issued by external CA
        realm: _any
        subject: .*
    rule2:
        # Full DN
        subject: CN=.+:pkiclient,.*
policy:
    allow_anon_enroll: 0
    allow_man_approv: 0
    allow_man_authen: 0
    max_active_certs: 3000
    auto_revoke_existing_certs: 0
    # maybe this could help ?
    allow_expired_signer: 1
    allow_external_signer: 1
    allow_untrusted_signer: 1
    allow_surrogate_certificate: 1
    # require approval
    approval_points: 0
profile:
    cert_profile: tls_server
    cert_subject_style: enroll
eligible:
    initial:
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1
* changed /etc/openxpki/config.d/realm/democa/handler.yaml:
[...]
Certificate:
    type: ClientX509
    role: User
    trust_anchor:
        realm: _any
[...]
Enrolling using a client cert issued via the OpenXPKI WebUI works fine, but
using my external cert does not. I think the external cert gets authenticated,
but not authorized?
Here is the content of "tail /var/log/openxpki/workflows.log" after enrollment
with a client cert issued by openxpki:
2022/09/10 15:55:25 62719 Rendering subject: CN=est enrolled cert for
rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 15:55:25 62719 Trusted Signer chain validated - trusted root is
-cY2oWTDzrlD58LMzuH2aOtFv3U
2022/09/10 15:55:25 62719 Trusted Signer Authorization matched rule rule1
2022/09/10 15:55:26 62719 Policy subject duplicate check failed, found certs
y9b1jXUqUA33GqVJX-pPoic5tKI, LSq07ueAaZMh7gAsysPX8P4inFs, [...]
2022/09/10 15:55:26 62719 Eligibility check for est.default.eligible.onbehalf
granted
2022/09/10 15:55:26 62719 Approval points for workflow 62719: 1
2022/09/10 15:55:26 62719 persisted csr for CN=est enrolled cert for
rose,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 17919
2022/09/10 15:55:26 62719 start cert issue for serial 17919, workflow 62719
2022/09/10 15:55:26 62719 Certificate CN=est enrolled cert for rose,DC=Test
Deployment,DC=OpenXPKI,DC=org (330563784286572676729712) issued by ca-signer-35
2022/09/10 15:55:26 62719 Trigger notification message enroll_cert_issued
--> cURL client shows new certificate perfectly
Here is the content of "tail /var/log/openxpki/workflows.log" after enrollment
with the external client cert:
2022/09/10 14:51:58 62463 Rendering subject: CN=est enrolled cert for
rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 14:51:58 62463 Trusted Signer chain validated - trusted root is
gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 14:51:58 62463 Trusted Signer Authorization matched rule rule1
--> cURL client shows error: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_EXPIRED
(client cert & root ca cert are valid until 2024+).
If I add "root_alias: root-36" (the alias of the external root ca cert that I
imported) to rule1, the log states:
2022/09/10 16:08:37 63231 Rendering subject: CN=est enrolled cert for
rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 16:08:37 63231 Trusted Signer chain validated - trusted root is
gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 16:08:37 63231 Trusted Signer not found in trust list
(emailAddress=rfc8994+fd739fc23c34401122334455000000...@acp.example.com).
--> cURL client shows error:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
If you need any other information (certificate, csr, log files ...) just let me
know.
Thanks a million in advance.
Adrian
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
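The debugging step the post leads to is comparing the "trusted root is" identifier from workflows.log with the identifier of the root file that was imported, and checking which authorized_signer rule fires for a given signer DN. The script below is an added example, not code from the post or from OpenXPKI: it computes the identifier the way I understand OpenXPKI does (SHA-1 over the DER, URL-safe base64 without padding; an assumption to be checked against `openxpkiadm certificate list`), extracts the identifiers from log lines, and walks the two rules from est/default.yaml in a simplified model of the rule matching. The PEM body and the log lines are constructed samples.

```python
import base64
import hashlib
import re
import ssl

# Constructed stand-in for a PEM file such as reach-root-ca.crt: the body is just
# base64("abc"), NOT a real X.509 structure. ssl.PEM_cert_to_DER_cert() only strips
# the armour and base64-decodes, so it is enough to exercise the identifier logic.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Workflow log lines as in the post, joined onto single lines (constructed sample).
SAMPLE_LOG = """\
2022/09/10 14:51:58 62463 Trusted Signer chain validated - trusted root is gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 14:51:58 62463 Trusted Signer Authorization matched rule rule1
2022/09/10 16:08:37 63231 Trusted Signer chain validated - trusted root is gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 16:08:37 63231 Trusted Signer not found in trust list
"""

def openxpki_identifier(pem: str) -> str:
    """Identifier as I understand OpenXPKI computes it (assumption, verify against
    'openxpkiadm certificate list'): SHA-1 of the DER, URL-safe base64, no padding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode("ascii")

def trusted_roots_from_log(log: str) -> dict:
    """Map workflow id -> identifier of the root the signer chain was validated to."""
    found = {}
    for m in re.finditer(r"^\S+ \S+ (\d+) .*trusted root is\s+(\S+)", log, re.M):
        found[m.group(1)] = m.group(2)
    return found

# authorized_signer rules from est/default.yaml, in the order they appear there.
RULES = {"rule1": {"realm": "_any", "subject": r".*"},
         "rule2": {"subject": r"CN=.+:pkiclient,.*"}}

def match_authorized_signer(subject_dn: str, signer_realm=None, rules=RULES):
    """Name of the first rule whose subject regex matches the signer DN and whose
    realm (if given) is '_any' or equals the signer's realm; None if nothing matches.
    Simplified model of the rule walk, not OpenXPKI's own implementation."""
    for name, rule in rules.items():
        realm = rule.get("realm")
        if realm is not None and realm != "_any" and realm != signer_realm:
            continue
        if re.match(rule["subject"], subject_dn):
            return name
    return None

if __name__ == "__main__":
    wanted = openxpki_identifier(SAMPLE_PEM)  # "qZk-NkcGgWq6PiVxeFDCbJzQ2J0" for the sample
    for wf, root in trusted_roots_from_log(SAMPLE_LOG).items():
        status = "is the imported file" if root == wanted else "is NOT the imported file"
        print(f"workflow {wf}: chain validated to {root} ({status})")
```

Run it against the real reach-root-ca.crt and the real log excerpt to see whether the root OpenXPKI validated the chain to is the certificate that was imported under the alias given as root_alias.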