Thank you for the information, this was very helpful. I am thinking that in my automated deploy script, we can 2 api calls with ignore SSL, then within the same script we can update apache config not reject connections that ignore SSL check. In this same exercise I am facing some difficulty when authenticating with certificate. I have the setup below: RootCA --> SubCA (A) --> SubCA (B) --> Hosts Now both SubCA(A) and subCA(B) have different installations of OpenXPKI. At the level of SubCA (A) all the EST calls to this server are authenticated properly by the system However when calling the EST end point to get CSR to be signed by SubCA(B), I am facing some issues with authenticating the requests by certificate. I did the below steps when setting up the OpenXPKI instance at server B: a) I import rootca b) I import the signing CA that is installed on SUbCA(A) c) For the SigningCA at SubCA(B) I generated a CSR and signed it on SubCA(A) using the web interface using the profile user, sign auth certificate. I have updated the default settings for this profile to give the use for the certificates of this profile to include signing certificates and signing CRLs. then the signed certificate is imported as a signing certificate in SUbCA(B). with the above setup EST end point work well when we skip SSL verification only, but when enforcer, the call of the api fails due to "invalid CA certificate)
I tried a workaround that work, and this is by generating the CSR and then sign this CSR using OpenSSL commands manually by the SubCA(A) signing CA. Then importing the signed CSR as a signingCA on subCA(B). This setup is working but now I am managing the certificates manually at SubCA(A). Questions: - Am I doing anything wriong in the inital setup? - If the 2nd solution is going to be followed. Is there a way to import those signed certificates into SubCA(A) as a normal signed cert? Best Regards, On Mon, Aug 26, 2024 at 9:55 AM Oliver Welter <m...@oliwel.de> wrote: > Hi Alaa, > > well, most of our customers do the inital registrar certificate in a > manual (or half manual) way as this is a critical step - you can use EST to > enroll the CSR, approve the request via the WebUI and install it by just > calling the EST endpoint again with the same CSR. > > If you really want to automate this, OpenXPKI brings a multitude of > options - you can setup the endpoint to accept and enroll certificates > either based on a "challenge password" embded into the CSR or by using > basic authentication with username/password or network based rules as > provided by apache mod_authz. Another nice option which is not backed by > the RFC but works as long as you control the HTTP client is to use a HMAC > on the CSR and send this along the request as query parameter - this was > asked and answered in very detail here on the ML some months ago so you > should find this easily in the archives. > > Which way to choose is a matter of design and risk assessment and not a > technical issue > > Oliver > On 24.08.24 14:09, Alaa Hilal wrote: > > Hello, > > please let me clarify what I am trying to do. we are looking at automating > certificate signing operations. For this we are using EST endpoints to get > our CSR signed. Of course we want our api calls to be authenticated with > certificates and here I am facing the "Chicken and egg" problem. in order > call EST api I need key and certificate, but to get a certificate I need to > call the api. From this point of view I was thinking about creating the > initial certificate using cli commands (that I know now that they don't > exist) > > I would like to know if there is another way to generate the 1st > certificate programmatically. Is there a way to do with openssl and then > get it imported? are there commands for these? > > Regards > > On Thu, 22 Aug 2024, 19:32 Alaa Hilal, <alaahi...@gmail.com> wrote: > >> Then is it possible to generate or enroll certificates for a certain DNS? >> >> On Thu, 22 Aug 2024, 19:04 Martin Bartosch via OpenXPKI-users, < >> openxpki-users@lists.sourceforge.net> wrote: >> >>> Hi, >>> >>> > Is it possible to sign a CSR using the command lines? >>> > openxpkicli or openxpkicmd (not through REST API)? >>> >>> Not unless you craft a workflow to provide you with the required >>> functionality. We don't consider this a useful feature, so it is not >>> implemented. Use clca, OpenSSL or Microsoft ADCS if you want to quickly >>> create a certificate from the command line. >>> >>> Cheers >>> >>> Martin >>> >>> >>> >>> _______________________________________________ >>> OpenXPKI-users mailing list >>> OpenXPKI-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/openxpki-users >>> >> > > _______________________________________________ > OpenXPKI-users mailing > listOpenXPKI-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/openxpki-users > > -- > Protect your environment - close windows and adopt a penguin! > > _______________________________________________ > OpenXPKI-users mailing list > OpenXPKI-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openxpki-users >
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
