Hi Stefan,

> OK. I found this section "authorized_signer" in the default.yaml file. When I
> disable that section I do not have a problem anymore.
>
> But, I don't like that solution. I would prefer to have a line there that
> works.
> I have a lot of devices that will use their initial certificate to establish
> the TLS connection. All certificates are issued by the same CA. So, the
> CN-part will be different in all the certificates but the rest of the subject
> will be the same.
>
> So, my questions are, for these authorized signer rules:
> • must you use the subject? Is it also possible to have a rule "issuer"?
> That would be easier for me because that is the same in all certificates
> • In case subject must be used, can you work with wildcards? What is the
> syntax then? Example: CN=*, OU=text1, O=text2, L=text3, ST=text4, C=text5

OpenXPKI is extremely flexible with regard to authentication and authorization of enrollment requests. This is particularly useful in IoT cases, but how to configure this correctly depends on your PKI design and the particular use case.

Please refer to the OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust documentation on how to configure the authorized_signer check.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users