Turning on DEBUG, I am seeing

2023/02/02 10:43:32 openxpki.application.WARN No policy params set in LoadPolicy [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]
2023/02/02 10:43:32 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]
2023/02/02 10:43:32 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]

Any hint where I should look?

Thanks,
Lixin.

On 2023-02-02, 8:19 AM, "Lixin Liu" <[email protected]> wrote:

Hi Oliver,

Thanks for your reply. I followed your suggestion to create the estcustom.yaml file with the only change in cert_profile. I can get the CA certs using

    curl -s https://<server>/.well-known/est/custom/cacerts

But when I try to submit a CSR, it returns an invalid profile error:

    # curl -s -H "Content-Type: application/pkcs10" --data @test-req.pem https://<server>/.well-known/est/custom/simplereenroll
    I18N_OPENXPKI_UI_INVALID_PROFILE

The RA web site shows:

    FAILURE
    This workflow failed finally and can not be restarted
    Error Code: Invalid Profile
    API Endpoint: custom
    Server Interface: est
    Transaction ID: 641418b87c6467502b977d722eeff4e0b5b929f7

The same yaml file works if I move it to default.yaml. What did I miss?

Thanks again.
Lixin.

On 2023-02-01, 10:32 PM, "Oliver Welter" <[email protected]> wrote:

Hi Lixin,

as long as you have only one realm and do not need any special setup, it is sufficient to add a new configuration item in config.d/democa/est/ with the expected settings. This will be automatically picked up when you use the name of the file as an EST ca label: /.well-known/est/<calabel>.

By example: copy config.d/democa/est/default.yaml to config.d/democa/estcustom.yaml, change the "profile" entry and use /.well-known/est/custom as the URL for your EST client. Some clients will autocomplete the URL and only accept a "calabel", which is "custom" in this case.

If you need more control over the "outer" wrapper configuration, also create an appropriate file est/custom.conf - if this is not present, it will inherit from default.

HTH
Oliver

On 02.02.23 04:31, Lixin Liu wrote:
> Hi Martin,
>
> Sorry, I am new to the OpenXPKI product and still trying to learn how to customize it to my needs.
>
> I am not sure how to define a new endpoint. Should I create a new ScriptAlias in the Apache configuration to, say, /.well-known/user-est and then create a directory user-est with its configuration in the realm directory?
>
> Could you provide an example of how this is done?
>
> I also had an issue using the user_auth_enc profile with EST and found the "enroll" style wasn't defined in user_auth_enc.yaml. It worked after I added it.
>
> Thanks,
>
> Lixin.
>
> On 2023-02-01, 1:08 AM, "Martin Bartosch via OpenXPKI-users" <[email protected]> wrote:
>
> > Hi,
> >
> >> I have only one CA, but is it possible to configure EST with 2 different profiles?
> >> I would like to set up one for User certs. and one for TLS server certs.
> >
> > Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST, SCEP and RPC endpoints.
> >
> > Each endpoint has its own distinct configuration, making it possible to provide endpoints, e. g. specific for a device group. (In terms of long term manageability this is an important feature, making it possible to modify the enrollment policy e. g. only for your printers while leaving the enrollment policy for phones unchanged.)
> >
> > Each endpoint has a default certificate profile configuration which is selected if no other supported profile is requested by the client (and accepted by the endpoint).
> >
> > The client may override the configured default profile by including the Microsoft specific extension 1.3.6.1.4.1.311.20.2 (szOID_ENROLL_CERTTYPE_EXTENSION, http://oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.311.20.2&action=display) in the submitted CSR.
> >
> > If the profile requested by the client is contained in the profile mapping of the endpoint configuration, the mapped profile is used for the incoming certificate request, otherwise the default is used.
> >
> > HTH
> >
> > Martin
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
