Hi,

I guess I somehow need to configure a ruleX that verifies that the
authorized_signer subject matches the subject of the CSR.

I could not find any examples in the documentation or mailing lists of how to
do that.
Are there any examples available? Or does someone have a suggestion here?

Or am I missing something? (This behavior feels so 'standard' that I would
have expected it to be in the default config already; maybe I just broke it...)

-Harm
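The two checks this thread is about, modelled as an added example in plain Python (this is not OpenXPKI's own code): the rule1 regex from realm/mobility/est/mobility.yaml applied to the signer DN from the log, and the renewal check that compares the authenticated client's CN with the CSR's CN. The DN strings are copied from the post; that OpenXPKI anchors the regex at the start of the CN-first DN, and the three-way outcome, are assumptions of the model.

```python
import re

# Sample values taken from the thread: the signer DN as OpenXPKI logs it, the same
# subject as openssl prints it, the bare CSR subject, and the rule1 regex from the YAML.
SIGNER_DN_OPENXPKI = "CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
SIGNER_DN_OPENSSL = "DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, CN=testme2"
CSR_SUBJECT = "CN=testme2"
RULE1_SUBJECT = r"CN=.+:pkiclient,.*"


def parse_dn(dn):
    """Split a DN string into (type, value) pairs in order of appearance.

    Good enough for the DNs in the thread (no escaped commas); it accepts both
    the OpenXPKI rendering (CN first) and the openssl rendering (CN last).
    """
    pairs = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def get_cn(dn):
    """Return the single CN value of a DN, or None if there is not exactly one."""
    cns = [value for attr_type, value in parse_dn(dn) if attr_type == "CN"]
    return cns[0] if len(cns) == 1 else None


def signer_rule_matches(rule_regex, signer_dn):
    """Model of an authorized_signer 'subject' rule: a regex on the signer DN.
    Assumed here to be anchored at the start of the CN-first DN."""
    return re.match(rule_regex, signer_dn) is not None


def renewal_subject_matches(signer_dn, csr_subject):
    """The check the thread asks for: the authenticated client's CN equals the CSR's CN.
    Only the CN is compared, because the CSR carries a bare CN while the issued
    certificate carries the full DN rendered by the 'enroll' subject style."""
    signer_cn = get_cn(signer_dn)
    return signer_cn is not None and signer_cn == get_cn(csr_subject)


def classify_request(signer_dn, csr_subject, signer_rules):
    """Desired handling of an authenticated simplereenroll request: 'onbehalf' if a
    signer rule matches, 'renewal' if the CNs match, else 'signer_not_authorized'."""
    if any(signer_rule_matches(rule, signer_dn) for rule in signer_rules):
        return "onbehalf"
    if renewal_subject_matches(signer_dn, csr_subject):
        return "renewal"
    return "signer_not_authorized"
```

With rule1 alone, the testme2 signer from the log matches no rule, so only the CN comparison can turn it into a renewal; a full-string compare of the two subjects would fail because of the DC components.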

On Thu, Jun 8, 2023 at 2:18 PM Harm Verhagen <h...@symeon.nl> wrote:

> Hi folks,
>
> I have a question regarding EST (automatic) reenrollment.
>
> I've got EST simpleenroll working. Both these ways work perfectly:
>  * unauthenticated clients -> require manual approval in server  (as
> documented in [1])
>  * authorized signer ->  authenticate with dedicated  mycn:pki_client
> certificate -> can request certificates for any CN, and no manual approval
> required in server  (as documented in [2])
>
> [1]
> https://openxpki.readthedocs.io/en/develop/subsystems/est.html#smoke-test
> [2]
> https://openxpki.readthedocs.io/en/develop/subsystems/est.html#authenticated-test
>
> Now I want to enable renewal. My requirements are pretty much the default
> of what EST specifies in its RFC about simplereenroll:
> clients that authenticate with their *'own' valid certificate* (client
> side certificate authentication) and request a new certificate with the *same
> CN* are *automatically* issued one, without manual approval.
>
> I have some problems getting this to work though.
>
> I have a test.pem (a CSR, which works when doing an enrollment) and pass that
> to openxpki while identifying with a previously issued certificate.
>
> curl -vv -H "Content-Type: application/pkcs10" --data @test.pem  --key
> test_issued.key --cert test_issued.crt --insecure
> https://localhost:8443/.well-known/est/mobility/simplereenroll
>
> This however refuses to work and returns a server 400 with content:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
>
> The logs show: 2023/06/08 11:56:09 openxpki.application.INFO Trusted
> Signer not found in trust list (CN=testme2,DC=Test Deployment client TLS
> enroll,DC=OpenXPKI,DC=org).
>
> Both the certificate and the CSR have the same CN: testme2
> $ openssl x509 -in test_issued.crt -noout -text |grep Subj |grep CN
>         Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS
> enroll, *CN=testme2*
>
> $ cat test.pem | base64 --decode | openssl req -inform der -noout -text
> |grep Subject |grep CN=
>         Subject: *CN=testme2*
>
> The authentication part seems to work fine; if I revoke test_issued.crt I
> get a different error (I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_REVOKED).
>
> So I guess I have something wrong/incorrect in my configuration.
>
> Could you see what I am doing wrong? Have some hints where to look?
>
> Regards,
> Harm
>
> Full logging
>
> 2023/06/08 11:56:08 INF authenticated client DN: CN=testme2,DC=Test
> Deployment client TLS enroll,DC=OpenXPKI,DC=org [pid=708|ep=[undef]]
> ==> openxpki.log <==
> 2023/06/08 11:56:08 INFO Login successful (user: Anonymous, role: System)
> [pid=714|sid=Yvf3|pki_realm=mobility]
> ==> catchall.log <==
> 2023/06/08 11:56:08 openxpki.auth.INFO Login successful (user: Anonymous,
> role: System) [pid=714|sid=Yvf3|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/08 11:56:09 73215 Rendering subject: CN=testme2,DC=Test Deployment
> client TLS enroll,DC=OpenXPKI,DC=org
> ==> catchall.log <==
> 2023/06/08 11:56:09 openxpki.application.INFO Rendering subject:
> CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
> [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/08 11:56:09 73215 Trusted Signer chain validated - trusted root is
> tzw4UJlDLemD55ojDPxmAHU-4F8
> ==> catchall.log <==
> 2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer chain
> validated - trusted root is tzw4UJlDLemD55ojDPxmAHU-4F8
> [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/08 11:56:09 73215 Trusted Signer not found in trust list
> (CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
> ==> catchall.log <==
> 2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer not found in
> trust list (CN=testme2,DC=Test Deployment client TLS
> enroll,DC=OpenXPKI,DC=org).
> [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
> ==> est.log <==
> 2023/06/08 11:56:09 INF Disconnect client [pid=708|ep=[undef]]
>
> est/mobility.conf contains:
> [global]
> socket = /var/openxpki/openxpki.socket
> realm = mobility
>
> # Servername can be set for all workflows/operations here at once or
> # for each one below. If neither one is set, simpleenroll/simplerenroll
> # use the calabel from the URL as server name
> # servername = default
>
> # Set to 1 if you want to server EST over plain HTTP
> # We use 1 as we have an SSL proxy in front of us
> insecure = 0
>
> [logger]
> # A loglevel of DEBUG MIGHT disclose sensitive user input data
> # A loglevel of TRACE WILL dump any communication unfiltered
> log_level = INFO # <--- this logger seems to have no effect BTW, setting
> this to TRACE does not give more est logging.
>
> [auth]
> stack = _System
>
> realm/mobility/est/mobility.yaml contains:
> label: EST Default Endpoint
>
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>
> renewal_period: 000060
>
> # for an explanation of the policy options have a look at rpc/enroll.yaml
> policy:
>     # anon request are ok
>     allow_anon_enroll: 1
>     # manual approval for anon request
>     allow_man_approv: 1
>     # enforce subject duplicate policy
>     max_active_certs: 1
>     auto_revoke_existing_certs: 1
>     # require one approval
>     approval_points: 1
>     allow_replace: 1
>
> profile:
>     cert_profile: tls_client
>     cert_subject_style: enroll
>
> eligible:
>     initial:
>         value: 0
>
>     renewal:
>         value: 1
>
>     onbehalf:
>         value: 1
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users