Hi Immanuel,

regarding your question on the Root CA - we at White Rabbit Security think that trust management should be done by explicit distribution of the root certificate to the clients. As we saw a lot of people just accepting "anything" they get from an endpoint without doing any validation of its trustworthiness, we built something into the system to give you the option to decide whether you want to send the root or not.


If you want to get the root inline with the final response, you can activate this in the SCEP endpoint configuration and then use the fingerprint of the Root. I would not suggest using the Issuing CA fingerprint in general, but there might be situations where this is a good solution - it all depends a bit on your environment and use cases.


Oliver



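Added example, not part of this thread and not OpenXPKI or sscep code: a Go standard-library check that a SCEP client can apply to a GetCACert response with the root inlined, illustrating the root-versus-issuing-CA fingerprint question raised further down and answered above. The client is provisioned with the root fingerprint only; a CA certificate from the response is accepted as issuing CA only if the pinned root is present and the certificate actually chains to it, so an issuing certificate shipped next to a root that never signed it is rejected rather than trusted because it arrived from the endpoint. Assumptions: the pin is the lowercase hex SHA-256 of the DER root (real clients differ in digest and notation), and the "Example Root CA" / "Example Issuing CA" hierarchy, including the rogue one with the same names, is constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of the DER certificate as lowercase hex (this example's pin
// format, an assumption; real clients differ in digest and notation).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// TrustedIssuers takes the certificates a GetCACert response carried (root inlined) and the
// pinned root fingerprint, and returns only the CA certificates that chain to that root.
func TrustedIssuers(chain []*x509.Certificate, pinnedRootFP string) ([]*x509.Certificate, error) {
	var root *x509.Certificate
	for _, c := range chain {
		if Fingerprint(c.Raw) == pinnedRootFP {
			root = c
		}
	}
	if root == nil {
		return nil, errors.New("no certificate in the response matches the pinned root fingerprint")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	var trusted []*x509.Certificate
	for _, c := range chain {
		if c.Equal(root) || !c.IsCA {
			continue // the root itself and end-entity certificates are not issuers
		}
		if _, err := c.Verify(opts); err == nil { // signature, validity period, CA constraints
			trusted = append(trusted, c)
		}
	}
	if len(trusted) == 0 {
		return nil, errors.New("pinned root found, but no CA certificate in the response chains to it")
	}
	return trusted, nil
}

// must panics on error; fine for constructing demo data, not for a real client.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCA builds a constructed test CA; parent == nil yields a self-signed root.
func mustCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo is a constructed genuine hierarchy plus a rogue one that reuses the same names.
type Demo struct {
	Root, Issuing, RogueRoot, RogueIssuing *x509.Certificate
	Pin                                    string // the value provisioned into the client
}

func NewDemo() *Demo {
	root, rootKey := mustCA("Example Root CA", 1, nil, nil)
	issuing, _ := mustCA("Example Issuing CA", 2, root, rootKey)
	rogueRoot, rogueKey := mustCA("Example Root CA", 3, nil, nil)
	rogueIssuing, _ := mustCA("Example Issuing CA", 4, rogueRoot, rogueKey)
	return &Demo{root, issuing, rogueRoot, rogueIssuing, Fingerprint(root.Raw)}
}

// Responses: the real one; an impostor with the same names but other keys; the real root next to an issuer it never signed.
func (d *Demo) Genuine() []*x509.Certificate   { return []*x509.Certificate{d.Root, d.Issuing} }
func (d *Demo) RogueOnly() []*x509.Certificate { return []*x509.Certificate{d.RogueRoot, d.RogueIssuing} }
func (d *Demo) Mixed() []*x509.Certificate     { return []*x509.Certificate{d.Root, d.RogueIssuing} }

func main() {
	d := NewDemo()
	for name, chain := range map[string][]*x509.Certificate{"genuine": d.Genuine(), "rogue": d.RogueOnly(), "mixed": d.Mixed()} {
		trusted, err := TrustedIssuers(chain, d.Pin)
		fmt.Printf("%-8s trusted issuers=%d err=%v\n", name, len(trusted), err)
	}
}
```

Only the genuine response yields an issuing CA; the impostor response fails because nothing in it matches the pin, and the mixed response fails because the pinned root is present but did not sign the issuing certificate. Pinning the issuing CA fingerprint instead would make the mixed case indistinguishable from the genuine one, which is the gap the question below points at.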
On 06.02.25 13:41, Immanuel HARTUNG via OpenXPKI-users wrote:
Hi Oliver,

I think the invalid subject was just me using "XX" as country earlier.

I am writing my own SCEP client, which is why I am testing against different SCEP servers. I noticed (a bit too late ...) that many came around before the official RFC existed, so most are probably implementing some sort of draft. It's sometimes not so clear how to accommodate all of them :( But I am happy I got it working with openxpki now.

Another question I have regarding this: most SCEP clients have a cert fingerprint configured that they trust. I'd expect this to be the fingerprint of the root cert (since I can then verify the whole chain against the root). It seems like macOS does it like this. However, apparently openxpki only later added the "include_root" parameter and previously did not send the root cert. Which fingerprint would you say clients should have configured then, just the one from the issuing CA cert? Isn't it possible that a client then blindly trusts an issuing cert, but the chain from that cert to the root is actually not valid?
------------------------------------------------------------------------
*From:* Oliver Welter <m...@oliwel.de>
*Sent:* Wednesday, 5 February 2025 19:47
*To:* openxpki-users@lists.sourceforge.net
*Subject:* Re: [OpenXPKI-users] Getting SCEP to run with the sample config


Hi Immanuel,

the subject is created from the CN in the csr but there are no special restrictions on this - so as long as you have a CN set it should work. The assembly of the certificate is controlled by the profile definition, so if you need something else you just need to change the configs.

The RenewalReq type was added "recently" to SCEP and, as we did not yet see any customers using this in the wild, it was not implemented, but if this now comes along we will add support for it in one of the next releases. Might you tell us what client you are using?

For reference for future readers - we have updated the default configuration to better reflect such problems and put a README in the config repo that explains the basic parts: https://github.com/openxpki/openxpki-config/blob/community/scep/README.md

best regards

Oliver

On 05.02.25 15:57, Immanuel HARTUNG via OpenXPKI-users wrote:
Thanks Oliver, that made it work!

I still had an I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SUBJECT_INVALID error after that, but I fixed that by using a common name that looks like a hostname (not entirely sure what the rules here are).

It also looks like openxpki does not accept the message type RenewalReq, so I had to retry with PKCSReq instead for the renewal.

Maybe this is useful for someone else as well. Thanks again, I appreciate the quick help.


------------------------------------------------------------------------
*From:* Oliver Welter <m...@oliwel.de>
*Sent:* Wednesday, 5 February 2025 09:16
*To:* openxpki-users@lists.sourceforge.net
*Subject:* Re: [OpenXPKI-users] Getting SCEP to run with the sample config


Hello Immanuel,


you very likely used the wrong SCEP address - the system comes with a special kind of autoconfiguration which currently does not properly handle cases when you use an incomplete config. The default config provides an endpoint named "generic", so you have to use the URL http://yourhost/scep/generic in your SCEP command.


Oliver



On 04.02.25 14:53, Immanuel HARTUNG via OpenXPKI-users wrote:
Sorry for posting to GitHub first! I'll copy my text here:
Hello everyone. I followed the quickstart guide to set up the democa on a Debian 12 VM since I wanted to try out the SCEP workflow. I tried with different SCEP clients, also with sscep as it is described in the quickstart guide. I can send getca / getcacaps requests, but the enrollment always fails with:

./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported

The GUI shows me that the workflow failed with error "Invalid profile".
On the server side, I see this in the catchall log:

2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa]
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1534|sid=2jGu|pki_realm=democa]
2025/02/04 14:11:27 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1536|sid=nAWV|pki_realm=democa]
2025/02/04 14:11:27 openxpki.application.WARN No policy params set in LoadPolicy [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]

I don't get what I am supposed to do there. I am creating a CSR with the challenge password "SecretChallenge". I don't think a specific subject/common name is needed? The cert_profile is set to tls_server in /etc/openxpki/config.d/realm.tpl/scep/generic.yaml (I haven't touched these files so I assume they are all set up from the sampleconfig.sh).

I hope you can help me out here :)

------------------------------------------------------------------------


This e-mail, and any document attached hereby, may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution or other use of the material or parts thereof is strictly forbidden.



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment -  close windows and adopt a penguin!

