Hi Alaa,
I do not understand your expecation and yes you are definitely "holding
it wrong" - the OpenXPKI user profile can not be used as SubCA and I
would strongly advise to not mix an end-entity realm and a multi-tier
layout. While OpenXPKI is technically capable to issue SubCA
certificates this is usually nothing you want to have in an online CA (I
known that there are some good reasons for it) and is nothing which is
supported with the default configuration layout. But this discussion is
far beyond the scope of this ML.
Oliver
On 26.08.24 23:24, Alaa Hilal wrote:
Thank you for the information, this was very helpful. I am thinking
that in my automated deploy script, we can 2 api calls with ignore
SSL, then within the same script we can update apache config not
reject connections that ignore SSL check.
In this same exercise I am facing some difficulty when authenticating
with certificate. I have the setup below:
RootCA --> SubCA (A) --> SubCA (B) --> Hosts
Now both SubCA(A) and subCA(B) have different installations of
OpenXPKI. At the level of SubCA (A) all the EST calls to this server
are authenticated properly by the system
However when calling the EST end point to get CSR to be signed by
SubCA(B), I am facing some issues with authenticating the requests by
certificate. I did the below steps when setting up the OpenXPKI
instance at server B:
a) I import rootca
b) I import the signing CA that is installed on SUbCA(A)
c) For the SigningCA at SubCA(B) I generated a CSR and signed it on
SubCA(A) using the web interface using the profile user, sign auth
certificate. I have updated the default settings for this profile to
give the use for the certificates of this profile to include signing
certificates and signing CRLs. then the signed certificate is imported
as a signing certificate in SUbCA(B).
with the above setup EST end point work well when we skip SSL
verification only, but when enforcer, the call of the api fails due to
"invalid CA certificate)
I tried a workaround that work, and this is by generating the CSR and
then sign this CSR using OpenSSL commands manually by the SubCA(A)
signing CA. Then importing the signed CSR as a signingCA on subCA(B).
This setup is working but now I am managing the certificates manually
at SubCA(A).
Questions:
- Am I doing anything wriong in the inital setup?
- If the 2nd solution is going to be followed. Is there a way to
import those signed certificates into SubCA(A) as a normal signed cert?
Best Regards,
On Mon, Aug 26, 2024 at 9:55 AM Oliver Welter <m...@oliwel.de> wrote:
Hi Alaa,
well, most of our customers do the inital registrar certificate in
a manual (or half manual) way as this is a critical step - you can
use EST to enroll the CSR, approve the request via the WebUI and
install it by just calling the EST endpoint again with the same CSR.
If you really want to automate this, OpenXPKI brings a multitude
of options - you can setup the endpoint to accept and enroll
certificates either based on a "challenge password" embded into
the CSR or by using basic authentication with username/password or
network based rules as provided by apache mod_authz. Another nice
option which is not backed by the RFC but works as long as you
control the HTTP client is to use a HMAC on the CSR and send this
along the request as query parameter - this was asked and answered
in very detail here on the ML some months ago so you should find
this easily in the archives.
Which way to choose is a matter of design and risk assessment and
not a technical issue
Oliver
On 24.08.24 14:09, Alaa Hilal wrote:
Hello,
please let me clarify what I am trying to do. we are looking at
automating certificate signing operations. For this we are using
EST endpoints to get our CSR signed. Of course we want our api
calls to be authenticated with certificates and here I am facing
the "Chicken and egg" problem. in order call EST api I need key
and certificate, but to get a certificate I need to call the api.
From this point of view I was thinking about creating the initial
certificate using cli commands (that I know now that they don't
exist)
I would like to know if there is another way to generate the 1st
certificate programmatically. Is there a way to do with openssl
and then get it imported? are there commands for these?
Regards
On Thu, 22 Aug 2024, 19:32 Alaa Hilal, <alaahi...@gmail.com> wrote:
Then is it possible to generate or enroll certificates for a
certain DNS?
On Thu, 22 Aug 2024, 19:04 Martin Bartosch via
OpenXPKI-users, <openxpki-users@lists.sourceforge.net> wrote:
Hi,
> Is it possible to sign a CSR using the command lines?
> openxpkicli or openxpkicmd (not through REST API)?
Not unless you craft a workflow to provide you with the
required functionality. We don't consider this a useful
feature, so it is not implemented. Use clca, OpenSSL or
Microsoft ADCS if you want to quickly create a
certificate from the command line.
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
