Hi Alaa,
well, most of our customers do the initial registrar certificate in a
manual (or half manual) way as this is a critical step - you can use EST
to enroll the CSR, approve the request via the WebUI and install it by
just calling the EST endpoint again with the same CSR.
If you really want to automate this, OpenXPKI brings a multitude of
options - you can set up the endpoint to accept and enroll certificates
either based on a "challenge password" embedded into the CSR or by using
basic authentication with username/password or network based rules as
provided by Apache mod_authz. Another nice option which is not backed by
the RFC but works as long as you control the HTTP client is to use an
HMAC on the CSR and send this along with the request as query parameter -
this was asked and answered in great detail here on the ML some months
ago so you should find this easily in the archives.
Which way to choose is a matter of design and risk assessment and not a
technical issue.
Oliver
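
The HMAC option mentioned in the message above, as an added example that is not part of the original e-mail and not OpenXPKI's own code: the client tags the CSR with a shared secret and the server recomputes the tag before accepting the request. The parameter name `hmac`, HMAC-SHA256 over the DER-encoded CSR, hex encoding, the host name, the secret and the sample CSR bytes are all assumptions; the archived thread and your endpoint configuration define the actual scheme.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed stand-in for a PEM CSR: arbitrary bytes, not a parseable request.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(b"\x30\x82constructed-sample-csr-bytes" * 4).decode()
    + "-----END CERTIFICATE REQUEST-----\n"
)
SHARED_SECRET = b"constructed-demo-secret"  # assumption: provisioned out of band
EST_URL = "https://pki.example.com/.well-known/est/simpleenroll"  # placeholder host


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the base64 body to raw DER bytes."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def csr_tag(pem: str, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the DER form, so PEM line wrapping does not matter."""
    return hmac.new(secret, pem_to_der(pem), hashlib.sha256).hexdigest()


def enroll_url(base: str, pem: str, secret: bytes) -> str:
    """Client side: append the tag as a query parameter (name is an assumption)."""
    return f"{base}?{urlencode({'hmac': csr_tag(pem, secret)})}"


def verify(pem: str, presented: str, secret: bytes) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    expected = csr_tag(pem, secret).encode()
    return hmac.compare_digest(expected, presented.lower().encode())


if __name__ == "__main__":
    url = enroll_url(EST_URL, SAMPLE_CSR_PEM, SHARED_SECRET)
    tag = url.split("hmac=", 1)[1]
    print(url)
    print("accepted:", verify(SAMPLE_CSR_PEM, tag, SHARED_SECRET))
```

Because the tag binds the secret to the exact CSR bytes, a request whose subject or key was altered in transit no longer verifies, but the secret itself becomes a credential that has to be stored and rotated like one.
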
On 24.08.24 14:09, Alaa Hilal wrote:
Hello,
please let me clarify what I am trying to do. We are looking at
automating certificate signing operations. For this we are using EST
endpoints to get our CSR signed. Of course we want our API calls to be
authenticated with certificates and here I am facing the "chicken and
egg" problem. In order to call the EST API I need a key and certificate, but to
get a certificate I need to call the API. From this point of view I
was thinking about creating the initial certificate using CLI commands
(that I know now that they don't exist).
I would like to know if there is another way to generate the 1st
certificate programmatically. Is there a way to do it with openssl and
then get it imported? Are there commands for these?
Regards
On Thu, 22 Aug 2024, 19:32 Alaa Hilal, <alaahi...@gmail.com> wrote:
Then is it possible to generate or enroll certificates for a
certain DNS?
On Thu, 22 Aug 2024, 19:04 Martin Bartosch via OpenXPKI-users,
<openxpki-users@lists.sourceforge.net> wrote:
Hi,
> Is it possible to sign a CSR using the command lines?
> openxpkicli or openxpkicmd (not through REST API)?
Not unless you craft a workflow to provide you with the
required functionality. We don't consider this a useful
feature, so it is not implemented. Use clca, OpenSSL or
Microsoft ADCS if you want to quickly create a certificate
from the command line.
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!