Hi,

> For authenticated EST the OpenXPKI documentation says: Use the UI to obtain a 
> TLS Client certificate with the application name *pkiclient*
> 
> I don't understand in which field of the X.509 certificate the 
> "application name" should go.

Our default configuration ships with the following EST endpoint configuration:

config.d/realm.tpl/est/default.yaml:

label: EST Default Endpoint

authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:pkiclient,.*
...

This basically means "extract the CN from the subject and check if it ends with 
:pkiclient". This can be used to perform some sort of authorization for the 
"enrollment on behalf" case in which a client certificate is used to obtain 
multiple certificates with different subjects. Basically this feature can be 
used to centralize automatic issuance for certificates of other subscribers 
(and needs a properly configured OpenXPKI EST/SCEP/RPC endpoint).

To facilitate this, a certificate with a subject such as 
CN=foo:pkiclient, O=... can be created during the request process.

Our default GUI configuration provides a field "Application Name". If this is 
non-empty, the subject rendering rule in the default configuration will append 
":ApplicationName" to the CN value. The purpose of this is to be able to have 
multiple distinct certificates for one single host (for different purposes). 
One of these purposes could be enrollment-on-behalf, in which case you could 
input "pkiclient" as the application name, giving you a TLS client certificate 
that would match the above rule.

Cheers

Martin
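
The following is an added worked example, not code from OpenXPKI or from the
post above. It mimics the two pieces Martin describes: the GUI subject
rendering rule that appends ":<ApplicationName>" to the CN, and the
authorized_signer rule "CN=.+:pkiclient,.*" from default.yaml, so you can see
which subjects the rule accepts before enrolling. The O= value, the hostnames
and the helper names are constructed for the example. It assumes the rule is
applied as an anchored, case-insensitive Perl-style regex over the full
subject DN string; confirm that against the EvaluateSignerTrust activity in
your OpenXPKI version before relying on it.

```python
import re

# Rule text copied from the config.d/realm.tpl/est/default.yaml excerpt.
AUTHORIZED_SIGNER_RULES = {
    "rule1": {"subject": r"CN=.+:pkiclient,.*"},
}


def render_subject(hostname, application_name="", organization="Example Org"):
    """Mimic the default GUI rendering rule described in the post: when the
    application name is non-empty, ':<ApplicationName>' is appended to the CN.
    The O= RDN and its value are constructed for this example."""
    cn = hostname if not application_name else f"{hostname}:{application_name}"
    return f"CN={cn},O={organization}"


def signer_is_authorized(subject_dn, rules=AUTHORIZED_SIGNER_RULES):
    """Return the name of the first rule whose 'subject' regex matches the
    full DN, or None.

    Assumption (not verified against OpenXPKI source here): the regex is
    anchored at both ends and matched case-insensitively over the whole DN.
    """
    for name, rule in rules.items():
        pattern = rule.get("subject")
        if pattern and re.fullmatch(pattern, subject_dn, re.IGNORECASE):
            return name
    return None


def explain(hostname, application_name=""):
    """Render a subject as the GUI would and report which rule (if any)
    would accept it as an enrollment-on-behalf signer."""
    dn = render_subject(hostname, application_name)
    return dn, signer_is_authorized(dn)


if __name__ == "__main__":
    # Constructed inputs: same host, different application names.
    for host, app in [
        ("host1.example.com", "pkiclient"),   # matches rule1
        ("host1.example.com", ""),            # plain host cert, no match
        ("host1.example.com", "webserver"),   # other purpose, no match
    ]:
        dn, rule = explain(host, app)
        print(f"{dn!r:55} -> {rule}")

    # Caveat: the rule requires a ',' after ':pkiclient', so a CN-only
    # subject without a following RDN does not match as the rule is written.
    print(signer_is_authorized("CN=host1.example.com:pkiclient"))
```

The last case is the practical check worth doing against your own subject
rendering rule: the regex in default.yaml only accepts ":pkiclient" when
another RDN follows the CN, so a profile that issues bare CN subjects will
need either a trailing RDN or an adjusted rule.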







_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users