I finally managed to set up OpenXPKI with Docker and Certmonger to automatically retrieve and renew certificates. For anyone who wants the same setup, I'll share my experiences. First, I downloaded the Docker repository and initialized the config folder with make init. Before deploying the containers, I had to change a few configurations:
1. Increase the maximum transaction ID: OpenXPKI's default transaction ID is 64. It seems Certmonger is exceeding the limit, so I increased it to 77, as suggested in a previous conversation (https://sourceforge.net/p/openxpki/mailman/message/37607223/). The file that needs to be changed can be found under /openxpki-config/config.d/realm.tpl/workflow/global/field/transaction_id.yaml.

2. Enable auto-approval: After requesting a certificate with Certmonger, the request moves to the state PENDING and awaits approval by an admin. Apparently, OpenXPKI sends a message that Certmonger cannot read. Therefore, the request gets stuck in the state CA_UNREACHABLE. As a workaround, I enabled auto-approval, as explained in the official documentation (https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure). File to change: /openxpki-config/config.d/realm.tpl/scep/generic.yaml.

3. Remove authorized signer rules: When trying to renew a certificate, Certmonger gets stuck in the state CA_UNREACHABLE again. On the OpenXPKI side, I found that Certmonger is not allowed to renew a certificate by default. I solved this problem by commenting out the authorized_signer block in the same config file as above.

After I deployed the containers (make compose) and executed the sample config, I could successfully retrieve and renew certificates with Certmonger using the default endpoint and secret:

* Endpoint: http://<ca-host>:8080/scep/generic
* Secret: SecretChallenge

I hope this instruction will help some of you get OpenXPKI working with Certmonger.

Best regards,
Fabian

From: Fabian Brandmüller
Sent: Friday, 20 September 2024 17:17
To: openxpki-users@lists.sourceforge.net
Cc: Andreas Zingel <andreas.zin...@eviden.com>
Subject: Certmonger does not retrieve certificate after approval from openxpki server

Hello everyone,

I'm currently trying to set up an automated certificate process with SCEP. For this I'm using certmonger (version 0.79.17) on Debian Bookworm as client and OpenXPKI as CA. I deployed OpenXPKI with the latest docker and used the provided sample config (change added as described in mail https://sourceforge.net/p/openxpki/mailman/message/37607223/). So far, I have successfully sent a request to the server, which is waiting for manual approval. But certmonger doesn't retrieve the certificate after approval.

The configuration of certmonger is as follows:

Adding new CA in certmonger:

root@vbox:~/cert-storage# getcert add-scep-ca -c openxpki-docker -u http://192.168.178.103:8080/scep/generic
New CA "openxpki-docker" added.
root@vbox:~/cert-storage# getcert list-cas
...
CA 'openxpki-docker':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/lib/certmonger/scep-submit -u http://192.168.178.103:8080/scep/generic
        SCEP CA certificate thumbprint (MD5): ECEA4F44 874BCC22 91A6DEFB 8282C80F
        SCEP CA certificate thumbprint (SHA1): 8FAF290A 7583C3D2 063C80C1 3E34D1F0 1E8F730A

Request certificate:

root@vbox:~/cert-storage# getcert request -I docker-cert -c openxpki-docker -N cn=example.com -k /root/cert-storage/docker-cert-key.pem -f /root/cert-storage/docker-cert.pem -L SecretChallenge -v
New signing request "docker-cert" added.
root@vbox:~/cert-storage# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'docker-cert':
        status: CA_UNREACHABLE
        ca-error: Error: failed to verify signature on server response. error:1080007A:PKCS7 routines::no content
        stuck: no
        key pair storage: type=FILE,location='/root/cert-storage/docker-cert-key.pem'
        certificate: type=FILE,location='/root/cert-storage/docker-cert.pem'
        signing request thumbprint (MD5): FAACEAF1 5332FCAB F406285E F44BE192
        signing request thumbprint (SHA1): 4024DD5C ACC40F26 7066B473 9963FCD0 CD798DBA
        CA: openxpki-docker
        issuer:
        subject:
        issued: unknown
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Unfortunately, I am stuck at this point. Am I missing any important configuration on the server, so that the response can be read by certmonger? Is it possible to auto-approve the request?

Thank you very much for your help in advance!

Best regards,
Fabian
Attachments: transaction_id.yaml, generic.yaml
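An added client-side helper for the setup described in this thread (example code, not from the mail, OpenXPKI or certmonger): it registers the SCEP CA with the nickname and endpoint used above, submits the request with the same getcert options, and polls `getcert list` so a request that lands in CA_UNREACHABLE is reported together with its ca-error instead of being waited on forever. CA_NAME, CA_URL, SECRET and the mapping of certmonger states to issued/stuck/pending are assumptions; the embedded listing is constructed from the stuck request shown in the mail.

```shell
#!/bin/sh
# Added example, not from the mail or either project: client-side enrolment
# against the OpenXPKI SCEP endpoint, polling so a stuck request is reported.
CA_NAME="openxpki-docker"                    # CA nickname used in the mail
CA_URL="http://<ca-host>:8080/scep/generic"  # placeholder host, replace it
SECRET="SecretChallenge"                     # sample-config default secret
# Print the first value of one field ("status", "ca-error", ...) from
# `getcert list` output read on stdin (assumes certmonger's "key: value" lines).
getcert_field() {
    sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}
# Map a certmonger request status to issued / stuck / pending (assumed set).
classify_status() {
    case "$1" in
        MONITORING)                               echo issued ;;
        CA_UNREACHABLE|CA_REJECTED|NEED_GUIDANCE) echo stuck ;;
        *)                                        echo pending ;;
    esac
}
# Register the CA if missing, submit the request with the options from the
# mail, then poll until issued, stuck, or 30 x 10 s have elapsed.
enroll_and_wait() {
    id="$1"; subject="$2"; dir="${3:-/root/cert-storage}"; i=0
    getcert list-cas | grep -q "CA '$CA_NAME':" ||
        getcert add-scep-ca -c "$CA_NAME" -u "$CA_URL"
    getcert request -I "$id" -c "$CA_NAME" -N "$subject" \
        -k "$dir/$id-key.pem" -f "$dir/$id.pem" -L "$SECRET" || return 1
    while [ "$i" -lt 30 ]; do
        sleep 10
        listing=$(getcert list -i "$id")
        status=$(printf '%s\n' "$listing" | getcert_field status)
        case "$(classify_status "$status")" in
            issued) echo "$id: issued"; return 0 ;;
            stuck)  echo "$id: $status: $(printf '%s\n' "$listing" | getcert_field ca-error)" >&2
                    return 1 ;;
        esac
        i=$((i + 1))
    done
    echo "$id: timed out in state ${status:-unknown}" >&2; return 1
}
# Constructed sample copied from the stuck listing in the mail, so the
# helpers can be exercised without a CA.
SAMPLE_LIST="Request ID 'docker-cert':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response. error:1080007A:PKCS7 routines::no content"
if [ "${1:-}" = "run" ]; then
    enroll_and_wait "${2:-docker-cert}" "${3:-cn=example.com}"
fi
```

Run it as `sh enroll.sh run docker-cert cn=example.com` on the client; without the `run` argument it only defines the helpers.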
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users