Hello,

Thank you for the clarification. In that case I will issue the CSR of the lower OpenXPKI manually, then sign it manually with the Signing CA of the upper OpenXPKI. Only one question to ask. In other words, all the CSRs signed by the upper OpenXPKI signing CA (manually) will be signing CAs for a lower instance of OpenXPKI. Would it be advisable to import those certificates into OpenXPKI at the upper instance for the sake of organization, or would you advise against it and keep it manual at that level?
On Wed, 28 Aug 2024, 09:55 Oliver Welter, <m...@oliwel.de> wrote:
> Hi Alaa,
>
> I do not understand your expectation and yes you are definitely "holding it
> wrong" - the OpenXPKI user profile can not be used as SubCA and I would
> strongly advise to not mix an end-entity realm and a multi-tier layout.
> While OpenXPKI is technically capable to issue SubCA certificates this is
> usually nothing you want to have in an online CA (I know that there are
> some good reasons for it) and is nothing which is supported with the
> default configuration layout. But this discussion is far beyond the scope
> of this ML.
>
> Oliver
> On 26.08.24 23:24, Alaa Hilal wrote:
>
> Thank you for the information, this was very helpful. I am thinking that
> in my automated deploy script, we can make 2 API calls with ignore SSL, then
> within the same script we can update the Apache config to not reject connections
> that ignore the SSL check.
> In this same exercise I am facing some difficulty when authenticating with
> certificate. I have the setup below:
> RootCA --> SubCA (A) --> SubCA (B) --> Hosts
> Now both SubCA(A) and SubCA(B) have different installations of OpenXPKI.
> At the level of SubCA (A) all the EST calls to this server are
> authenticated properly by the system.
> However when calling the EST endpoint to get a CSR signed by
> SubCA(B), I am facing some issues with authenticating the requests by
> certificate. I did the below steps when setting up the OpenXPKI instance at
> server B:
> a) I import rootca
> b) I import the signing CA that is installed on SubCA(A)
> c) For the SigningCA at SubCA(B) I generated a CSR and signed it on
> SubCA(A) using the web interface using the profile user, sign auth
> certificate. I have updated the default settings for this profile to give
> the use for the certificates of this profile to include signing
> certificates and signing CRLs. Then the signed certificate is imported as a
> signing certificate in SubCA(B).
> With the above setup the EST endpoint works well when we skip SSL verification
> only, but when enforced, the call of the API fails due to "invalid CA
> certificate".
>
> I tried a workaround that works, and this is by generating the CSR and then
> signing this CSR using OpenSSL commands manually by the SubCA(A) signing CA.
> Then importing the signed CSR as a signingCA on SubCA(B). This setup is
> working but now I am managing the certificates manually at SubCA(A).
>
> Questions:
> - Am I doing anything wrong in the initial setup?
> - If the 2nd solution is going to be followed, is there a way to import
> those signed certificates into SubCA(A) as a normal signed cert?
>
> Best Regards,
>
> On Mon, Aug 26, 2024 at 9:55 AM Oliver Welter <m...@oliwel.de> wrote:
>
>> Hi Alaa,
>>
>> well, most of our customers do the initial registrar certificate in a
>> manual (or half manual) way as this is a critical step - you can use EST to
>> enroll the CSR, approve the request via the WebUI and install it by just
>> calling the EST endpoint again with the same CSR.
>>
>> If you really want to automate this, OpenXPKI brings a multitude of
>> options - you can setup the endpoint to accept and enroll certificates
>> either based on a "challenge password" embedded into the CSR or by using
>> basic authentication with username/password or network based rules as
>> provided by apache mod_authz. Another nice option which is not backed by
>> the RFC but works as long as you control the HTTP client is to use a HMAC
>> on the CSR and send this along the request as query parameter - this was
>> asked and answered in very detail here on the ML some months ago so you
>> should find this easily in the archives.
>>
>> Which way to choose is a matter of design and risk assessment and not a
>> technical issue
>>
>> Oliver
>> On 24.08.24 14:09, Alaa Hilal wrote:
>>
>> Hello,
>>
>> please let me clarify what I am trying to do. We are looking at
>> automating certificate signing operations. For this we are using EST
>> endpoints to get our CSR signed. Of course we want our API calls to be
>> authenticated with certificates and here I am facing the "chicken and egg"
>> problem: in order to call the EST API I need a key and certificate, but to get a
>> certificate I need to call the API. From this point of view I was thinking
>> about creating the initial certificate using CLI commands (that I know now
>> don't exist).
>>
>> I would like to know if there is another way to generate the 1st
>> certificate programmatically. Is there a way to do it with OpenSSL and then
>> get it imported? Are there commands for these?
>>
>> Regards
>>
>> On Thu, 22 Aug 2024, 19:32 Alaa Hilal, <alaahi...@gmail.com> wrote:
>>
>>> Then is it possible to generate or enroll certificates for a certain DNS?
>>>
>>> On Thu, 22 Aug 2024, 19:04 Martin Bartosch via OpenXPKI-users, <
>>> openxpki-users@lists.sourceforge.net> wrote:
>>>
>>>> Hi,
>>>>
>>>> > Is it possible to sign a CSR using the command lines?
>>>> > openxpkicli or openxpkicmd (not through REST API)?
>>>>
>>>> Not unless you craft a workflow to provide you with the required
>>>> functionality. We don't consider this a useful feature, so it is not
>>>> implemented. Use clca, OpenSSL or Microsoft ADCS if you want to quickly
>>>> create a certificate from the command line.
>>>>
>>>> Cheers
>>>>
>>>> Martin
>>>>
>>>> _______________________________________________
>>>> OpenXPKI-users mailing list
>>>> OpenXPKI-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>
> --
> Protect your environment - close windows and adopt a penguin!
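The thread describes a manual fallback: generate SubCA(B)'s CSR, sign it with plain OpenSSL using SubCA(A)'s signing CA, and import the result, and it mentions an "invalid CA certificate" failure when the certificate came from the end-entity profile instead. The script below is an added example, not code from the thread, from OpenXPKI or from any of its authors. It rebuilds the RootCA -> SubCA(A) -> SubCA(B) -> host layout with the `openssl` command line, signs SubCA(B)'s CSR twice (once with a proper subordinate-CA extension profile, once with an end-entity profile that merely has keyCertSign/cRLSign bolted on), and verifies a host certificate issued by SubCA(B) against the root the way a TLS client would. OpenSSL reports the string "invalid CA certificate" (verify error 24) for the second case because an issuer whose basicConstraints says CA:FALSE is rejected even if its keyUsage allows certificate signing; whether that is exactly what happened in the setup above cannot be told from the thread. All subject names, file names and the working directory are constructed for the demo; the only assumption is an `openssl` binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or OpenXPKI): build the three-tier layout
# RootCA -> SubCA(A) -> SubCA(B) -> host with OpenSSL and show how the
# extensions on SubCA(B)'s certificate decide whether a client can validate a
# host certificate issued by it. Subjects, file names and WORK are constructed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Write an x509v3 extension file: $1 = path, $2 = basicConstraints value,
# $3 = keyUsage value, $4 = extra lines ("\n"-separated, may be empty).
write_ext() {
    printf 'basicConstraints = critical, %s\nkeyUsage = critical, %s\nsubjectKeyIdentifier = hash\n%b\n' \
        "$2" "$3" "$4" > "$1"
}

# Extension profiles. A CA needs CA:TRUE; pathlen bounds how many further CAs
# may sit below it (A may issue B, B may only issue end entities).
write_profiles() {
    write_ext "$WORK/root.ext"    "CA:TRUE"            "keyCertSign, cRLSign" ""
    write_ext "$WORK/subca_a.ext" "CA:TRUE, pathlen:1" "keyCertSign, cRLSign" \
        "authorityKeyIdentifier = keyid:always"
    write_ext "$WORK/subca_b.ext" "CA:TRUE, pathlen:0" "keyCertSign, cRLSign" \
        "authorityKeyIdentifier = keyid:always"
    # End-entity style profile with signing usages added on: still not a CA.
    write_ext "$WORK/user.ext" "CA:FALSE" "digitalSignature, keyCertSign, cRLSign" \
        "authorityKeyIdentifier = keyid:always"
    write_ext "$WORK/host.ext" "CA:FALSE" "digitalSignature" \
        "authorityKeyIdentifier = keyid:always\nextendedKeyUsage = clientAuth"
}

# Generate a P-256 key and a CSR: $1 = name, $2 = CN.
new_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR with a CA: $1 = subject name, $2 = issuer name, $3 = ext file.
# This is the manual "sign the CSR with the SubCA(A) signing CA" step.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$WORK/$3" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Build the whole hierarchy; $1 = extension file used when signing SubCA(B).
build_chain() {
    write_profiles
    new_csr root "Example Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 \
        -days 3650 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
    new_csr subA "Example SubCA A" && sign_csr subA root subca_a.ext
    new_csr subB "Example SubCA B" && sign_csr subB subA "$1"
    new_csr host "est-client.example.net" && sign_csr host subB host.ext
    cat "$WORK/subA.crt" "$WORK/subB.crt" > "$WORK/chain.pem"
}

# Validate the host certificate against the root as a TLS client would.
# Prints OK, INVALID_CA (OpenSSL's "invalid CA certificate", error 24) or FAIL.
chain_status() {
    build_chain "$1"
    if out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
                 "$WORK/host.crt" 2>&1); then
        echo OK
    elif printf '%s\n' "$out" | grep -q 'invalid CA certificate'; then
        echo INVALID_CA
    else
        echo FAIL
    fi
}

# Show the two extensions that make or break a subordinate CA certificate.
show_ca_extensions() {
    openssl x509 -in "$WORK/subB.crt" -noout -text | grep -A1 -E 'Basic Constraints|Key Usage'
}

# Stand-alone run: the same CSR-signing procedure with two different profiles.
printf 'SubCA(B) signed with a CA profile:     %s\n' "$(chain_status subca_b.ext)"
printf 'SubCA(B) signed with the user profile: %s\n' "$(chain_status user.ext)"
show_ca_extensions
```

Before importing a manually signed certificate as a signing CA, the `show_ca_extensions` check (basicConstraints CA:TRUE with a pathlen that matches the tier, keyUsage keyCertSign and cRLSign) is the quick sanity test; a certificate that passes it will chain correctly for EST clients that enforce TLS verification, while one issued from an end-entity profile will not, no matter which key usages were added to that profile.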