Hi Lixin,

as long as you have only one realm and do not need any special setup, it is sufficient to add a new configuration item in config.d/democa/est/ with the expected settings. This will be automatically picked up when you use the name of the file as an EST CA label: /.well-known/est/<calabel>.

For example: copy config.d/democa/est/default.yaml to config.d/democa/estcustom.yaml, change the "profile" entry and use /.well-known/est/custom as the URL for your EST client. Some clients will autocomplete the URL and only accept a "calabel", which is "custom" in this case. If you need more control over the "outer" wrapper configuration, also create an appropriate file est/custom.conf; if this is not present, it will inherit from default.

HTH

Oliver

On 02.02.23 04:31, Lixin Liu wrote:
Hi Martin,

Sorry, I am new to the OpenXPKI product and still trying to learn how to customize it to my needs.

I am not sure how to define a new endpoint. Should I create a new ScriptAlias in the Apache configuration to, say, /.well-known/user-est and then create a directory user-est with its configuration in the realm directory?

Could you provide an example how this is done?

I also had an issue using the user_auth_enc profile with EST and found the "enroll" style wasn't defined in user_auth_enc.yaml. It worked after I added it.

Thanks,

Lixin.

On 2023-02-01, 1:08 AM, "Martin Bartosch via OpenXPKI-users" <[email protected]> wrote:

Hi,

I have only one CA, but is it possible to configure EST with 2 different profiles?
I would like to set up one for User certs. and one for TLS server certs.

Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST, SCEP and RPC endpoints.

Each endpoint has its own distinct configuration, making it possible to provide endpoints, e. g. specific for a device group. (In terms of long term manageability this is an important feature, making it possible to modify the enrollment policy e. g. only for your printers while leaving the enrollment policy for phones unchanged.)

Each endpoint has a default certificate profile configuration which is selected if no other supported profile is requested by the client (and accepted by the endpoint).

The client may override the configured default profile by including the Microsoft specific extension 1.3.6.1.4.1.311.20.2 (szOID_ENROLL_CERTTYPE_EXTENSION, http://oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.311.20.2&action=display) in the submitted CSR.

If the profile requested by the client is contained in the profile mapping of the endpoint configuration, the mapped profile is used for the incoming certificate request, otherwise the default is used.

HTH

Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
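Martin's description of how an endpoint picks the certificate profile (template name from the Microsoft extension 1.3.6.1.4.1.311.20.2 in the CSR, looked up in the endpoint's profile mapping, otherwise the default) can be reproduced in a few lines. The following is an added example, not code from this thread and not OpenXPKI's own implementation: a minimal DER walker that finds the extension inside a PKCS#10 request, decodes its BMPString value and applies the mapping rule. The profile mapping, the default profile name and the sample CSR attribute block are constructed for the example; the mapping dictionary is a hypothetical stand-in for the endpoint configuration, not OpenXPKI's config schema.

```python
"""
Added example (not OpenXPKI code): EST profile selection as described by Martin.
A small DER walker searches a CSR (or any DER fragment) for the Microsoft
certificate-template extension 1.3.6.1.4.1.311.20.2
(szOID_ENROLL_CERTTYPE_EXTENSION), decodes its BMPString value and looks it up
in a hypothetical endpoint profile mapping, falling back to the endpoint default.
"""
import base64
from typing import Optional

CERTTYPE_OID = "1.3.6.1.4.1.311.20.2"            # szOID_ENROLL_CERTTYPE_EXTENSION
EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"  # pkcs-9-at-extensionRequest


def _der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Dotted notation from the content octets of an OBJECT IDENTIFIER."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _iter_tlv(data: bytes):
    """Yield (tag, content) for each DER element in data.
    Single-byte tags only, which is all a PKCS#10 request uses."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:               # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def find_certtype(der: bytes) -> Optional[str]:
    """Depth-first search for the template extension; returns the template
    name, or None when the request does not carry the extension."""
    elems = list(_iter_tlv(der))
    for idx, (tag, content) in enumerate(elems):
        if tag == 0x06 and decode_oid(content) == CERTTYPE_OID:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            for t, c in elems[idx + 1:]:
                if t == 0x04:           # extnValue wraps a BMPString (tag 0x1E, UTF-16BE)
                    inner_tag, inner = next(_iter_tlv(c))
                    return inner.decode("utf-16-be") if inner_tag == 0x1E else None
        elif tag & 0x20:                # constructed element (SEQUENCE/SET/[n]): descend
            found = find_certtype(content)
            if found is not None:
                return found
    return None


def select_profile(csr_der: bytes, profile_map: dict, default: str) -> str:
    """Requested template present in the mapping -> mapped profile, else default."""
    requested = find_certtype(csr_der)
    return profile_map.get(requested, default) if requested else default


def load_csr(pem_or_der: bytes) -> bytes:
    """Accept a PEM or raw DER request, as an EST client may send either."""
    if pem_or_der.lstrip().startswith(b"-----"):
        body = b"".join(line for line in pem_or_der.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return pem_or_der


def build_certtype_attribute(template: Optional[str]) -> bytes:
    """Constructed sample input: the [0] attributes block of a CSR carrying an
    extensionRequest that optionally contains the template extension."""
    exts = b""
    if template is not None:
        bmp = _tlv(0x1E, template.encode("utf-16-be"))
        exts = _tlv(0x30, encode_oid(CERTTYPE_OID) + _tlv(0x04, bmp))
    attr = _tlv(0x30, encode_oid(EXTENSION_REQUEST_OID) + _tlv(0x31, _tlv(0x30, exts)))
    return _tlv(0xA0, attr)


# Hypothetical endpoint mapping and default (sample values, not OpenXPKI's config format)
PROFILE_MAP = {"user_auth_enc": "user_auth_enc", "tls_server": "tls_server"}
DEFAULT_PROFILE = "tls_client"

if __name__ == "__main__":
    for tmpl in ("user_auth_enc", "printer_v2", None):
        print(tmpl, "->", select_profile(build_certtype_attribute(tmpl), PROFILE_MAP, DEFAULT_PROFILE))
```

Run against a real request with `select_profile(load_csr(open("req.pem", "rb").read()), PROFILE_MAP, DEFAULT_PROFILE)`; a template name that is not in the mapping (such as "printer_v2" above) falls back to the default exactly as Martin describes, which is also why the mapping, not the client, decides which profiles an endpoint will ever issue.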
