Hi,

> For authenticated EST the OpenXPKI documentation says: Use the UI to obtain a
> TLS Client certificate with the application name *pkiclient*
>
> I don't understand in which field of the X.509 certificate should the
> "application name" go.
Our default configuration ships with the following EST endpoint configuration:

config.d/realm.tpl/est/default.yaml:

    label: EST Default Endpoint
    authorized_signer:
        rule1:
            # Full DN
            subject: CN=.+:pkiclient,.*
    ...

This basically means "extract the CN from the subject and check if it ends with :pkiclient".

This can be used to perform some sort of authorization for the "enrollment on behalf" case in which a client certificate is used to obtain multiple certificates with different subjects. Basically this feature can be used to centralize automatic issuance for certificates of other subscribers (and needs a properly configured OpenXPKI EST/SCEP/RPC endpoint).

In order to facilitate this, a certificate with a subject like CN=foo:pkiclient, O=... can be created during the request process. Our default GUI configuration provides a field "Application Name". If this is non-empty, the subject rendering rule in the default configuration will append ":ApplicationName" to the CN value. The purpose of this is to be able to have multiple distinct certificates for one single host (for different purposes). One of these purposes could be enrollment-on-behalf, in which case you could input "pkiclient" as application name, giving you a TLS Client certificate which would match the above rule.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
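As an added illustration (not part of the thread and not OpenXPKI's own code), the following Python reproduces the ":ApplicationName" CN rendering described in the reply and checks a few constructed signer subject DNs against the rule1 regex quoted above. It assumes the rule is applied as an unanchored Perl-style regex match over the subject string; the hostnames and organisation are made up.

```python
import re

# The authorized_signer rule as quoted from config.d/realm.tpl/est/default.yaml.
AUTHORIZED_SIGNER_RULES = {
    "rule1": {"subject": r"CN=.+:pkiclient,.*"},  # "Full DN" rule
}


def render_cn(hostname: str, application_name: str = "") -> str:
    """Mimic the default GUI subject rendering described in the reply:
    append ':<Application Name>' to the CN when the field is non-empty.
    (Assumption: this reproduces the described behaviour, not OpenXPKI's code.)"""
    return f"{hostname}:{application_name}" if application_name else hostname


def authorized_rule(subject: str, rules=AUTHORIZED_SIGNER_RULES):
    """Return the name of the first rule whose 'subject' regex matches the
    signer certificate's subject DN, or None if no rule authorizes it.
    Assumes an unanchored match, like Perl's =~ operator."""
    for name, rule in rules.items():
        if re.search(rule["subject"], subject):
            return name
    return None


# Constructed sample subjects (hypothetical hosts/organisation):
SAMPLE_SUBJECTS = [
    "CN=" + render_cn("ra.example.com", "pkiclient") + ",O=Example",  # matches
    "CN=" + render_cn("ra.example.com") + ",O=Example",               # no app name
    "CN=ra.example.com:pkiclient",       # no RDN after CN: regex needs the comma
    "CN=ra.example.com:pkiclient2,O=Example",  # wrong application name
    "CN=:pkiclient,O=Example",           # empty hostname: '.+' needs >= 1 char
]

if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(f"{subj!r:50} -> {authorized_rule(subj)}")
```

Note that the rule only checks the CN suffix, so any holder of a certificate with a ":pkiclient" CN issued by a trusted CA is authorized to enroll on behalf of others; restrict who can obtain such certificates accordingly.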