Hi folks,

I have a question regarding EST (automatic) reenrollment.

I've got EST simpleenroll working. Both of these ways work perfectly:
 * unauthenticated clients -> require manual approval in the server (as
documented in [1])
 * authorized signer -> authenticate with a dedicated mycn:pki_client
certificate -> can request certificates for any CN, and no manual approval
required in the server (as documented in [2])

[1]
https://openxpki.readthedocs.io/en/develop/subsystems/est.html#smoke-test
[2]
https://openxpki.readthedocs.io/en/develop/subsystems/est.html#authenticated-test

Now I want to enable renewal. My requirements are pretty much the default of
what EST specifies in its RFC about simplereenroll: clients that authenticate
with their *'own' valid certificate* (client-side certificate authentication)
and request a new certificate with the *same CN* are issued one
*automatically*, without manual approval.

I have some problems getting this to work though.

I have a test.pem (a CSR, which works when doing an enrollment) and pass that
to openxpki while identifying with a previously issued certificate.

curl -vv -H "Content-Type: application/pkcs10" --data @test.pem \
  --key test_issued.key --cert test_issued.crt --insecure \
  https://localhost:8443/.well-known/est/mobility/simplereenroll

This however refuses to work and returns a server 400 with content:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED

The logs show: 2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer
not found in trust list (CN=testme2,DC=Test Deployment client TLS
enroll,DC=OpenXPKI,DC=org).

Both the certificate and the CSR have the same CN: testme2
$ openssl x509 -in test_issued.crt -noout -text | grep Subj | grep CN
        Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, *CN=testme2*

$ cat test.pem | base64 --decode | openssl req -inform der -noout -text | grep Subject | grep CN=
        Subject: *CN=testme2*

The authentication part seems to work fine: if I revoke test_issued.crt I
get a different error (I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_REVOKED).

So I guess I have something wrong/incorrect in my configuration.

Could you see what I am doing wrong? Do you have some hints on where to look?

Regards,
Harm

Full logging

2023/06/08 11:56:08 INF authenticated client DN: CN=testme2,DC=Test
Deployment client TLS enroll,DC=OpenXPKI,DC=org [pid=708|ep=[undef]]
==> openxpki.log <==
2023/06/08 11:56:08 INFO Login successful (user: Anonymous, role: System)
[pid=714|sid=Yvf3|pki_realm=mobility]
==> catchall.log <==
2023/06/08 11:56:08 openxpki.auth.INFO Login successful (user: Anonymous,
role: System) [pid=714|sid=Yvf3|pki_realm=mobility]
==> workflows.log <==
2023/06/08 11:56:09 73215 Rendering subject: CN=testme2,DC=Test Deployment
client TLS enroll,DC=OpenXPKI,DC=org
==> catchall.log <==
2023/06/08 11:56:09 openxpki.application.INFO Rendering subject:
CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
[pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
==> workflows.log <==
2023/06/08 11:56:09 73215 Trusted Signer chain validated - trusted root is
tzw4UJlDLemD55ojDPxmAHU-4F8
==> catchall.log <==
2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer chain
validated - trusted root is tzw4UJlDLemD55ojDPxmAHU-4F8
[pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
==> workflows.log <==
2023/06/08 11:56:09 73215 Trusted Signer not found in trust list
(CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
==> catchall.log <==
2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer not found in
trust list (CN=testme2,DC=Test Deployment client TLS
enroll,DC=OpenXPKI,DC=org).
[pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
==> est.log <==
2023/06/08 11:56:09 INF Disconnect client [pid=708|ep=[undef]]

est/mobility.conf contains:
[global]
socket = /var/openxpki/openxpki.socket
realm = mobility

# Servername can be set for all workflows/operations here at once or
# for each one below. If neither one is set, simpleenroll/simplerenroll
# use the calabel from the URL as server name
# servername = default

# Set to 1 if you want to server EST over plain HTTP
# We use 1 as we have an SSL proxy in front of us
insecure = 0

[logger]
# A loglevel of DEBUG MIGHT disclose sensitive user input data
# A loglevel of TRACE WILL dump any communication unfiltered
log_level = INFO   # <--- this logger seems to have no effect BTW, setting this to TRACE does not give more est logging.

[auth]
stack = _System

realm/mobility/est/mobility.yaml contains:
label: EST Default Endpoint

authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:pkiclient,.*

renewal_period: 000060

# for an explanation of the policy options have a look at rpc/enroll.yaml
policy:
    # anon request are ok
    allow_anon_enroll: 1
    # manual approval for anon request
    allow_man_approv: 1
    # enforce subject duplicate policy
    max_active_certs: 1
    auto_revoke_existing_certs: 1
    # require one approval
    approval_points: 1
    allow_replace: 1

profile:
    cert_profile: tls_client
    cert_subject_style: enroll

eligible:
    initial:
        value: 0

    renewal:
        value: 1

    onbehalf:
        value: 1
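Added example, not from the post or from OpenXPKI's own code: a small model of how the authorized_signer table in the mobility.yaml above treats the two DNs involved, assuming (as the log line suggests) that each subject value is a regular expression matched from the start against the CN-first form of the signer DN. It shows why the renewing client's DN (CN=testme2) matches no rule while a hypothetical DN whose CN ends in :pkiclient does, and includes a helper to turn the DC-first order printed by openssl into the CN-first order the log uses.

```python
import re

# Signer rules copied from the est/mobility.yaml quoted in the post.
# Assumption (not taken from OpenXPKI's implementation): "subject" is a regex
# that must match the signer DN from the start, in the CN-first order that the
# "Trusted Signer not found in trust list (...)" log line prints.
AUTHORIZED_SIGNER_RULES = {
    "rule1": {"subject": r"CN=.+:pkiclient,.*"},
}


def openssl_to_cn_first(openssl_subject: str) -> str:
    """Convert 'DC=org, DC=..., CN=x' as printed by `openssl x509 -text` into the
    CN-first 'CN=x,DC=...,DC=org' form seen in the OpenXPKI log.
    Simplified: assumes no escaped commas inside RDN values."""
    rdns = [part.strip() for part in openssl_subject.split(",")]
    return ",".join(reversed(rdns))


def matching_rule(signer_dn: str, rules=AUTHORIZED_SIGNER_RULES):
    """Return the name of the first rule whose subject regex matches, else None
    (None corresponds to 'Trusted Signer not found in trust list')."""
    for name, rule in rules.items():
        pattern = rule.get("subject")
        if pattern and re.match(pattern, signer_dn):
            return name
    return None


# Constructed inputs: the DN taken from the post's log line, and a hypothetical
# DN shaped the way rule1 expects (the post itself shows no such DN).
RENEWING_CLIENT_DN = "CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
DEDICATED_SIGNER_DN = "CN=mycn:pkiclient,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
OPENSSL_PRINTED_SUBJECT = "DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, CN=testme2"

if __name__ == "__main__":
    for dn in (RENEWING_CLIENT_DN, DEDICATED_SIGNER_DN):
        rule = matching_rule(dn)
        print(f"{dn}: {'trusted via ' + rule if rule else 'not in trust list'}")
    print("openssl order -> log order:", openssl_to_cn_first(OPENSSL_PRINTED_SUBJECT))
```

The model only covers the subject pattern; it does not claim how OpenXPKI decides whether a non-matching signer may still renew its own certificate.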
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users