Hi Adrian,
That sounds pretty strange - can you please send the full output from
the Workflow Context (from the UI via the right box, or on the CLI with
openxpkicli get_workflow_info --arg id=xxx).
Oli
PS: Fun fact - the OpenXPKI project was initially founded at the TUM, so
it's nice to see it coming back ;)
On 10.09.22 at 16:24, Reuter, Adrian wrote:
Hello openxpki experts,
I know I am not the first one to ask, but I am sure that I have read all
threads and tried out all recommendations given. I have been stuck for
more than two weeks already and I desperately need this thing to work for
my research project.
The goal: "Enrollment on behalf" with TLS client certificates from an
external PKI. This means, whenever an arbitrary client authenticates
with a certificate (not issued by openxpki!) from some external
CA "XYZ", he shall receive a certificate from OpenXPKI. No fancy
authorizing rules for DN, key usage, etc. needed.
What I did so far (all based on the democa):
* got the democa running using the sample script -> works fine (cert
issuance works fine)
* imported my external CA certificate with: "openxpkiadm certificate
import --file reach-root-ca.crt --alias fountain-root-ca" --> democa
root cert & the external root cert are both imported
* changed /etc/openxpki/config.d/realm/democa/est/default.yaml to:
label: EST Default Endpoint
authorized_signer:
    rule1:
        # trust clients with certificates issued by external CA
        realm: _any
        subject: .*
    rule2:
        # Full DN
        subject: CN=.+:pkiclient,.*
policy:
    allow_anon_enroll: 0
    allow_man_approv: 0
    allow_man_authen: 0
    max_active_certs: 3000
    auto_revoke_existing_certs: 0
    # maybe this could help?
    allow_expired_signer: 1
    allow_external_signer: 1
    allow_untrusted_signer: 1
    allow_surrogate_certificate: 1
    # require approval
    approval_points: 0
profile:
    cert_profile: tls_server
    cert_subject_style: enroll
eligible:
    initial:
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1
* changed /etc/openxpki/config.d/realm/democa/handler.yaml:
[...]
Certificate:
    type: ClientX509
    role: User
    trust_anchor:
        realm: _any
[...]
Enrolling using a client cert issued via the OpenXPKI WebUI works fine,
but using my external cert does not. I think the external cert gets
authenticated, but not authorized?
Here is the content of "tail /var/log/openxpki/workflows.log" after
enrollment with a client cert issued by openxpki:
2022/09/10 15:55:25 62719 Rendering subject: CN=est enrolled cert for rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 15:55:25 62719 Trusted Signer chain validated - trusted root is -cY2oWTDzrlD58LMzuH2aOtFv3U
2022/09/10 15:55:25 62719 Trusted Signer Authorization matched rule rule1
2022/09/10 15:55:26 62719 Policy subject duplicate check failed, found certs y9b1jXUqUA33GqVJX-pPoic5tKI, LSq07ueAaZMh7gAsysPX8P4inFs, [...]
2022/09/10 15:55:26 62719 Eligibility check for est.default.eligible.onbehalf granted
2022/09/10 15:55:26 62719 Approval points for workflow 62719: 1
2022/09/10 15:55:26 62719 persisted csr for CN=est enrolled cert for rose,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 17919
2022/09/10 15:55:26 62719 start cert issue for serial 17919, workflow 62719
2022/09/10 15:55:26 62719 Certificate CN=est enrolled cert for rose,DC=Test Deployment,DC=OpenXPKI,DC=org (330563784286572676729712) issued by ca-signer-35
2022/09/10 15:55:26 62719 Trigger notification message enroll_cert_issued
--> cURL client shows new certificate perfectly
Here is the content of "tail /var/log/openxpki/workflows.log" after
enrollment with the external client cert:
2022/09/10 14:51:58 62463 Rendering subject: CN=est enrolled cert for rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 14:51:58 62463 Trusted Signer chain validated - trusted root is gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 14:51:58 62463 Trusted Signer Authorization matched rule rule1
--> cURL client shows error:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_EXPIRED (client cert & root CA
cert are valid until 2024+).
If I add "root_alias: root-36" (the alias of the external root ca cert
that I imported) to rule1, the log states:
2022/09/10 16:08:37 63231 Rendering subject: CN=est enrolled cert for rose,DC=Test Deployment,DC=OpenXPKI,DC=org
2022/09/10 16:08:37 63231 Trusted Signer chain validated - trusted root is gTZxvCKETwjes-wZ_TDz4pj83u8
2022/09/10 16:08:37 63231 Trusted Signer not found in trust list (emailAddress=rfc8994+fd739fc23c34401122334455000000...@acp.example.com).
--> cURL client shows error:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
If you need any other information (certificate, csr, log files ...) just
let me know.
Thanks a million in advance.
Adrian
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
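Editor's note (added example, not part of the thread and not OpenXPKI code): before digging into the workflow context, it is worth reproducing outside OpenXPKI the three facts the "Trusted Signer" step logs above, namely that the client certificate chains to the imported root, that nothing in that chain is expired, and which identifier the root has. The script below builds a throwaway "external" root and client certificate with openssl, so it runs offline; the test PKI is constructed here and has nothing to do with the poster's reach-root-ca.crt. One assumption is labelled in the code: that the 27-character identifiers in the log (for example gTZxvCKETwjes-wZ_TDz4pj83u8) are base64url(SHA-1 over the DER certificate) with the padding stripped, which matches their length but should be compared against the identifier OpenXPKI shows for the imported alias.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread, not OpenXPKI code): rebuild
# the checks behind "chain validated", "SIGNER_EXPIRED" and "trusted root is
# <id>" against a constructed test PKI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: an "external" root valid two years, an unrelated
# second root, and a TLS client certificate issued by the first root for
# one year. None of this is the poster's real CA.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=external-root-ca" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=unrelated-root-ca" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client-01" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
        -out "$WORK/client.crt" >/dev/null 2>&1
}

# Check 1 ("chain validated"): does the client cert chain to this root?
# Prints ok/fail instead of exiting so it is safe under set -e.
chain_ok() { # $1 = root PEM, $2 = client PEM
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Check 2 ("signer expired"): is the cert still valid $2 seconds from now?
# -checkend exits 0 only if the certificate will NOT have expired by then.
not_expiring_within() { # $1 = PEM cert, $2 = seconds
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Check 3 ("trusted root is <id>"): identifier to compare with the log.
# ASSUMPTION: the identifier is base64url(SHA-1 over the DER cert) without
# padding; a 20-byte SHA-1 encodes to exactly the 27 characters seen in the
# log. Confirm against the identifier OpenXPKI shows for the imported alias.
cert_identifier() { # $1 = PEM cert
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha1 -binary \
        | openssl base64 -A \
        | tr '+/' '-_' \
        | tr -d '='
}

make_test_pki
echo "client chains to external root : $(chain_ok "$WORK/root.crt" "$WORK/client.crt")"
echo "client chains to unrelated root: $(chain_ok "$WORK/other.crt" "$WORK/client.crt")"
echo "client valid for next hour     : $(not_expiring_within "$WORK/client.crt" 3600)"
echo "client valid for next 400 days : $(not_expiring_within "$WORK/client.crt" 34560000)"
echo "external root identifier       : $(cert_identifier "$WORK/root.crt")"
```

Run the same three functions against the real reach-root-ca.crt and the client certificate presented to the EST endpoint: if chain_ok reports fail, or not_expiring_within reports expiring for any certificate in the chain, the policy flags in est/default.yaml are not the place to look; if the identifier printed for the root differs from the one in the "trusted root is" log line, OpenXPKI validated the chain against a different anchor than the one imported under the alias named in root_alias.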