Hello

OK. I found this section "authorized_signer" in the default.yaml file. When I 
disable that section I do not have a problem anymore.

But, I don't like that solution. I would prefer to have a line there that works.
I have a lot of devices that will use their initial certificate to establish the 
TLS connection. All certificates are issued by the same CA. So, the CN-part 
will be different in all the certificates but the rest of the subject will be 
the same.

So, my questions are, for these authorized signer rules:

  * Must you use the subject? Is it also possible to have a rule "issuer"? That 
    would be easier for me because that is the same in all certificates.
  * In case subject must be used, can you work with wildcards? What is the syntax 
    then? Example: CN=*, OU=text1, O=text2, L=text3, ST=text4, C=text5

Much thanks in advance!

Greetings
Stefan.
________________________________
From: Stefan Goeman <stefan.goe...@hotmail.com>
Sent: Thursday, 12 September 2024 20:06
To: OpenXPKI-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net>
Subject: [OpenXPKI-users] est-enrollment: Requestor is not in authorized 
signer list

Hello


I am trying to set up automated enrollment with EST.

I get the error (error code in the workflow) "Requestor is not in authorized 
signer list"
In the overview of the workflow I also have the following:
Request mode: onbehalf
Signer is Trusted: No

I understand that it is not working because the signer is not trusted. My EST 
client indeed uses a certificate, not issued by my PKI, as client 
authentication in TLS towards my PKI-server.

What I also did is include the ca-chain that issued my EST client certificate 
as globally trusted certificates via update-ca-certificates.
But, that did not help.

So, I guess I need to make an additional configuration change?
But, I don't know where.

Much thanks in advance for your feedback!


Greetings,
Stefan.

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
