Hi Harm,

in the OpenXPKI default workflows the condition for a renewal is a FULL DN match, so your incoming CSR must not only have the same CN but the complete DN. This can be configured in several ways by changing the comparison logic of the "subject matches" condition class; the details are in the perldoc of it.

Oli

On 08.06.23 16:32, Harm Verhagen wrote:
Hi,

I guess I need somehow to configure a ruleX: that verifies that the authorized_signer subject matches the subject of the CSR.

I could not find any examples in the documentation or mailing lists on how to do that.
Are there any examples available? Or does someone have a suggestion here?

Or am I missing something? (this behavior feels so 'standard' that I would have expected to be in the default config already, maybe I just broke it...)

-Harm

On Thu, Jun 8, 2023 at 2:18 PM Harm Verhagen <h...@symeon.nl> wrote:

    Hi folks,

    I have a question regarding EST (automatic) reenrollment.

    I've got EST simpleenroll working. Both these ways work perfectly:
     * unauthenticated clients -> require manual approval in server
       (as documented in [1])
     * authorized signer -> authenticate with dedicated
       mycn:pki_client certificate -> can request certificates for any
       CN, and no manual approval required in server (as documented in [2])

    [1] https://openxpki.readthedocs.io/en/develop/subsystems/est.html#smoke-test
    [2] https://openxpki.readthedocs.io/en/develop/subsystems/est.html#authenticated-test

    Now I want to enable renewal. My requirements are pretty much the
    default that EST specifies in its RFC for simplereenroll:
    clients that authenticate with their *'own' valid certificate*
    (client side certificate authentication) and request a new
    certificate with the *same CN* are issued one *automatically*,
    without manual approval.

    I have some problems getting this to work though.

    I have a test.pem (CSR, which works when doing an enrollment) and
    pass that to openxpki while identifying with a previously issued
    certificate.

    curl -vv -H "Content-Type: application/pkcs10" --data @test.pem \
      --key test_issued.key --cert test_issued.crt --insecure \
      https://localhost:8443/.well-known/est/mobility/simplereenroll

    This however refuses to work and returns a server 400 with
    content: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED

    The logs show:
    2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer not found in
    trust list (CN=testme2,DC=Test Deployment client TLS
    enroll,DC=OpenXPKI,DC=org).

    Both the certificate and the CSR have the same CN: testme2

    $ openssl x509 -in test_issued.crt -noout -text | grep Subj | grep CN
            Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, *CN=testme2*

    $ cat test.pem | base64 --decode | openssl req -inform der -noout -text | grep Subject | grep CN=
            Subject: *CN=testme2*

    The authentication part seems to work fine; if I revoke
    test_issued.crt I get a different error
    (I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_REVOKED).

    So I guess I have something wrong/incorrect in my configuration.

    Can you see what I am doing wrong? Any hints on where to look?

    Regards,
    Harm

    Full logging

    2023/06/08 11:56:08 INF authenticated client DN:
    CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
    [pid=708|ep=[undef]]
    ==> openxpki.log <==
    2023/06/08 11:56:08 INFO Login successful (user: Anonymous, role:
    System) [pid=714|sid=Yvf3|pki_realm=mobility]
    ==> catchall.log <==
    2023/06/08 11:56:08 openxpki.auth.INFO Login successful (user:
    Anonymous, role: System) [pid=714|sid=Yvf3|pki_realm=mobility]
    ==> workflows.log <==
    2023/06/08 11:56:09 73215 Rendering subject: CN=testme2,DC=Test
    Deployment client TLS enroll,DC=OpenXPKI,DC=org
    ==> catchall.log <==
    2023/06/08 11:56:09 openxpki.application.INFO Rendering subject:
    CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
    [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
    ==> workflows.log <==
    2023/06/08 11:56:09 73215 Trusted Signer chain validated - trusted
    root is tzw4UJlDLemD55ojDPxmAHU-4F8
    ==> catchall.log <==
    2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer chain
    validated - trusted root is tzw4UJlDLemD55ojDPxmAHU-4F8
    [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
    ==> workflows.log <==
    2023/06/08 11:56:09 73215 Trusted Signer not found in trust list
    (CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
    ==> catchall.log <==
    2023/06/08 11:56:09 openxpki.application.INFO Trusted Signer not
    found in trust list (CN=testme2,DC=Test Deployment client TLS
    enroll,DC=OpenXPKI,DC=org).
    [pid=714|user=Anonymous|role=System|sid=Yvf3|wftype=certificate_enroll|wfid=73215|pki_realm=mobility]
    ==> est.log <==
    2023/06/08 11:56:09 INF Disconnect client [pid=708|ep=[undef]]

    est/mobility.conf contains:

    [global]
    socket = /var/openxpki/openxpki.socket
    realm = mobility
    # Servername can be set for all workflows/operations here at once or
    # for each one below. If neither one is set, simpleenroll/simplerenroll
    # use the calabel from the URL as server name
    # servername = default
    # Set to 1 if you want to server EST over plain HTTP
    # We use 1 as we have an SSL proxy in front of us
    insecure = 0

    [logger]
    # A loglevel of DEBUG MIGHT disclose sensitive user input data
    # A loglevel of TRACE WILL dump any communication unfiltered
    log_level = INFO
    # <--- this logger seems to have no effect BTW, setting this to TRACE
    # does not give more est logging.

    [auth]
    stack = _System

    realm/mobility/est/mobility.yaml contains:

    label: EST Default Endpoint

    authorized_signer:
        rule1:
            # Full DN
            subject: CN=.+:pkiclient,.*

    renewal_period: 000060

    # for an explanation of the policy options have a look at rpc/enroll.yaml
    policy:
        # anon request are ok
        allow_anon_enroll: 1
        # manual approval for anon request
        allow_man_approv: 1
        # enforce subject duplicate policy
        max_active_certs: 1
        auto_revoke_existing_certs: 1
        # require one approval
        approval_points: 1
        allow_replace: 1

    profile:
        cert_profile: tls_client
        cert_subject_style: enroll

    eligible:
        initial:
            value: 0
        renewal:
            value: 1
        onbehalf:
            value: 1

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
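Added illustration of the point in Oli's reply, using the DNs quoted in the thread: a full-DN comparison rejects the bare "CN=testme2" CSR against the signer certificate, while a CN-only comparison accepts it. This is not OpenXPKI code; the parse_dn/subject_matches helpers and the RDN-order-insensitive "full" comparison (so the openssl and RFC 2253 renderings of one DN compare equal) are simplifying assumptions of this example.

```python
"""Full-DN versus CN-only subject matching, as a stand-in for the
renewal "subject matches" check discussed in the thread (assumed logic)."""
import re

# DNs taken from the thread: the signer certificate as printed by openssl,
# the same DN as logged by OpenXPKI, and the bare CSR subject that failed.
SIGNER_DN_OPENSSL = "DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, CN=testme2"
SIGNER_DN_RFC2253 = "CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
CSR_DN_BARE = "CN=testme2"

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return [(attribute, value), ...] with attribute names upper-cased,
    surrounding whitespace stripped and escaped commas unescaped."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def subject_matches(csr_dn, signer_dn, mode="full"):
    """mode="full": every RDN of the CSR must be present in the signer DN and
    vice versa (order ignored here, an assumption of this example).
    mode="cn": only the CN values are compared."""
    csr, signer = parse_dn(csr_dn), parse_dn(signer_dn)
    if mode == "cn":
        return [v for a, v in csr if a == "CN"] == [v for a, v in signer if a == "CN"]
    if mode == "full":
        return sorted(csr) == sorted(signer)
    raise ValueError("unknown mode: %s" % mode)


if __name__ == "__main__":
    # Bare CN in the CSR: rejected by a full-DN match, accepted by CN-only.
    print(subject_matches(CSR_DN_BARE, SIGNER_DN_RFC2253))        # False
    print(subject_matches(CSR_DN_BARE, SIGNER_DN_RFC2253, "cn"))  # True
    # CSR carrying the complete DN of the signer: accepted by full match.
    print(subject_matches(SIGNER_DN_OPENSSL, SIGNER_DN_RFC2253))  # True
```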