I finally managed to set up OpenXPKI with Docker and Certmonger to 
automatically retrieve and renew certificates. For anyone who wants the same 
setup, I'll share my experiences.
First, I downloaded the Docker repository and initialized the config folder 
with make init. Before deploying the containers, I had to change a few 
configurations:

  1.  Increase the maximum transaction ID length: OpenXPKI's default maximum transaction ID length is 
64. It seems Certmonger is exceeding the limit, so I increased it to 77, as 
suggested in a previous 
conversation (https://sourceforge.net/p/openxpki/mailman/message/37607223/). The 
file that needs to be changed can be found under 
/openxpki-config/config.d/realm.tpl/workflow/global/field/transaction_id.yaml.
  2.  Enable auto-approval: After requesting a certificate with Certmonger, the 
request moves to the state PENDING and awaits approval by an admin. Apparently, 
OpenXPKI sends a message that Certmonger cannot read. Therefore, the request 
gets stuck in the state CA_UNREACHABLE. As a workaround, I enabled 
auto-approval, as explained in the official 
documentation (https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure) 
(file to change: /openxpki-config/config.d/realm.tpl/scep/generic.yaml).
  3.  Remove authorized signer rules: When trying to renew a certificate, 
Certmonger gets stuck in the state CA_UNREACHABLE again. On the OpenXPKI side, 
I found that Certmonger is not allowed to renew a certificate by default. I 
solved this problem by commenting out the authorized_signer block in the same 
config file as above.
After I deployed the containers (make compose) and executed the sample config, 
I could successfully retrieve and renew certificates with Certmonger using the 
default endpoint and secret:

  *   Endpoint: http://<ca-host>:8080/scep/generic
  *   Secret: SecretChallenge
I hope these instructions will help some of you get OpenXPKI working with 
Certmonger.
Best regards,
Fabian
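The two things a practitioner will want after following the steps above are (a) a way to notice when a tracked request has fallen back into CA_UNREACHABLE (the renewal failure described in step 3 is silent unless you look at `getcert list`), and (b) a reminder that auto-approval and a removed authorized_signer block are the settings the OpenXPKI documentation files under "test drive (insecure)", so they should not survive into production. The following is an added example, not code from the original posts or from the OpenXPKI or certmonger projects: it parses the `getcert list` output format shown in the thread and reports every request whose status is not MONITORING, together with its ca-error. The sample output embedded in it is constructed to mirror that format; the field names (`status`, `ca-error`, `CA`, `track`, `auto-renew`) are the ones visible in the thread.

```python
"""Flag certmonger requests that are not in a healthy state.

Added example (not from the mailing-list posts, OpenXPKI or certmonger).
It parses the text that `getcert list` prints, as shown in the thread,
and returns the requests that need attention, e.g. CA_UNREACHABLE after a
failed SCEP renewal.  Run `getcert list` and feed its output to
unhealthy_requests() to use it against a real host.
"""
import re

# Constructed sample in the `getcert list` format from the thread: one request
# stuck exactly as in the original post, one healthy request for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID 'docker-cert':
\tstatus: CA_UNREACHABLE
\tca-error: Error: failed to verify signature on server response. error:1080007A:PKCS7 routines::no content
\tstuck: no
\tkey pair storage: type=FILE,location='/root/cert-storage/docker-cert-key.pem'
\tcertificate: type=FILE,location='/root/cert-storage/docker-cert.pem'
\tCA: openxpki-docker
\tissuer:
\tsubject:
\tissued: unknown
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID 'web-cert':
\tstatus: MONITORING
\tstuck: no
\tCA: openxpki-docker
\texpires: 2025-03-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# MONITORING is the only state in which certmonger is idle and happy; every
# other state (CA_UNREACHABLE, NEED_GUIDANCE, ...) means the request needs a
# look.  Treat this set as an assumption and extend it to taste.
HEALTHY_STATES = {"MONITORING"}

_REQUEST_HEADER = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output.

    Indented `key: value` lines belong to the most recent 'Request ID' header.
    Fields with an empty value ("issuer:") are kept with an empty string so
    callers can distinguish 'present but empty' from 'absent'.
    """
    requests = {}
    current = None
    for raw in text.splitlines():
        header = _REQUEST_HEADER.match(raw)
        if header:
            current = {}
            requests[header.group("id")] = current
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        line = raw.strip()
        if not line:
            continue
        # Split only at the first ': ' so a ca-error containing further
        # colons ("error:1080007A:PKCS7 routines::no content") stays intact.
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value.strip()
        elif line.endswith(":"):
            current[line[:-1]] = ""
    return requests


def unhealthy_requests(text):
    """Return {request_id: (status, ca_error)} for requests not MONITORING."""
    report = {}
    for rid, fields in parse_getcert_list(text).items():
        status = fields.get("status", "")
        if status not in HEALTHY_STATES:
            report[rid] = (status, fields.get("ca-error", ""))
    return report


if __name__ == "__main__":
    for rid, (status, err) in unhealthy_requests(SAMPLE).items():
        print(f"{rid}: {status}" + (f" ({err})" if err else ""))
```

Running this inside a cron job or a monitoring check on each certmonger host catches the renewal failure from step 3 before the old certificate expires; on a real host replace SAMPLE with the output of `getcert list`.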

From: Fabian Brandmüller
Sent: Friday, 20 September 2024 17:17
To: openxpki-users@lists.sourceforge.net
Cc: Andreas Zingel <andreas.zin...@eviden.com>
Subject: Certmonger does not retrieve certificate after approval from openxpki 
server

Hello everyone,
I'm currently trying to set up an automated certificate process with SCEP. For 
this I'm using certmonger (version 0.79.17) on Debian Bookworm as client and 
OpenXPKI as CA. I deployed OpenXPKI with the latest docker and used the 
provided sample config (change added as described in mail 
https://sourceforge.net/p/openxpki/mailman/message/37607223/). So far, I 
successfully sent a request to the server, which is waiting for manual approval. 
But certmonger doesn't retrieve the certificate after approval.
The configuration of certmonger is as follows:
Adding new CA in certmonger:
root@vbox:~/cert-storage# getcert add-scep-ca -c openxpki-docker -u 
http://192.168.178.103:8080/scep/generic
New CA "openxpki-docker" added.
root@vbox:~/cert-storage# getcert list-cas
...
CA 'openxpki-docker':
               is-default: no
               ca-type: EXTERNAL
               helper-location: /usr/lib/certmonger/scep-submit -u 
http://192.168.178.103:8080/scep/generic
               SCEP CA certificate thumbprint (MD5): ECEA4F44 874BCC22 91A6DEFB 
8282C80F
               SCEP CA certificate thumbprint (SHA1): 8FAF290A 7583C3D2 
063C80C1 3E34D1F0 1E8F730A
Request certificate:
root@vbox:~/cert-storage# getcert request -I docker-cert -c openxpki-docker -N 
cn=example.com -k /root/cert-storage/docker-cert-key.pem -f 
/root/cert-storage/docker-cert.pem -L SecretChallenge -v
New signing request "docker-cert" added.
root@vbox:~/cert-storage# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'docker-cert':
               status: CA_UNREACHABLE
               ca-error: Error: failed to verify signature on server response. 
error:1080007A:PKCS7 routines::no content
               stuck: no
               key pair storage: 
type=FILE,location='/root/cert-storage/docker-cert-key.pem'
               certificate: 
type=FILE,location='/root/cert-storage/docker-cert.pem'
               signing request thumbprint (MD5): FAACEAF1 5332FCAB F406285E 
F44BE192
               signing request thumbprint (SHA1): 4024DD5C ACC40F26 7066B473 
9963FCD0 CD798DBA
               CA: openxpki-docker
               issuer:
               subject:
               issued: unknown
               expires: unknown
               pre-save command:
               post-save command:
               track: yes
               auto-renew: yes
Unfortunately, I am stuck at this point. Am I missing any important configuration 
on the server so that the response can be read by certmonger? Is it possible to 
auto-approve the request?
Thank you very much for your help in advance!

Best regards,
Fabian

Attachment: transaction_id.yaml
Description: transaction_id.yaml

Attachment: generic.yaml
Description: generic.yaml

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users