Hi Nick Thanks a lot. I'm a bit confused why you have to configure realm-specific items in the main configuration area. I can't see any connection between the .conf files in /etc/openxpki/est/ and the .yaml files in /etc/openxpki/est/config.d/realm/$REALM/est/. And yes, I need different configurations for the two EST endpoints in the same realm. My idea is to issue certificates without manual approval when the request comes from a dedicated network during fabrication. If the request comes from the rest of the world, an RA operator has to approve the request.
Best Regards Thomas From: Nick Dawson <[email protected]> Sent: Dienstag, 29. August 2023 18:46 To: [email protected] Subject: Re: [OpenXPKI-users] EST and realm Again, I'm not the most knowledgable but I think I'm closer to your timezone so my reply might help you test. /etc/openxpki/est/default.yaml <--- I believe default.conf determines the end point. So you'd need /etc/openxpki/est/prod.conf /etc/openxpki/est/field.conf I don't believe you need to change /etc/openxpki/est/config.d/realm/$REALM/est/default.yaml unless you want to change the rules for how that realm processes EST requests or which profile it uses. …. (Although I may be wrong, that file name may need to match ) here's the doc section: https://openxpki.readthedocs.io/en/stable/subsystems/index.html#config-path-expansion On Tue, Aug 29, 2023 at 7:58 AM, Thomas Gusset <[email protected]<mailto:[email protected]>> wrote: Hi Using the realm name in the URL works like expected. Now I would like to have two EST endpoints with different configurations in the same realm https://localhost:8443/.well-known/est/$REALM/prod/simpleenroll https://localhost:8443/.well-known/est/$REALM/field/simpleenroll Where must the configuration files be stored and how must they be named? I tried * $REALM/est/prod.yaml * $REALM/est/prod/prod.yaml without success thanks and Best Regards Thomas From: Harm Verhagen <[email protected]<mailto:[email protected]>> Sent: Dienstag, 15. August 2023 12:31 To: [email protected]<mailto:[email protected]> Subject: Re: [OpenXPKI-users] EST and realm using the realm name in the URL. eg: https://localhost:8443/.well-known/est/$REALM/simpleenroll On Mon, Aug 14, 2023 at 7:35 PM Martin Bartosch via OpenXPKI-users <[email protected]<mailto:[email protected]>> wrote: Hi, > But I have an other question: is it possible to have an EST endpoint per > realm? OpenXPKI supports an arbitrary number of enrollment endpoints (EST, SCEP, RPC) per PKI Realm. Each of those can have different enrollment policies. Cheers Martin _______________________________________________ OpenXPKI-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/openxpki-users _______________________________________________ OpenXPKI-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/openxpki-users
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
