Hi Oli, I finally got it working. It's a bit tricky when you build the diagnosis upon a guess (and a wrong one :). -> I just recalled from another post that the root_alias was defined in check_authorized_signer.yaml --> I thought it would be mapped from the authorized_signer rules the same way identifier, subject, realm etc. are mapped. ---> But that wasn't the case this whole time :)
On top of that, I was also generating the alias the wrong way until you responded. It also motivated me to dig into the code and see what's going on (I learned some Perl xD)

*[To sum things up]*

1. I signed a certificate with an "external root CA".

2. I placed my external CA root certificate inside the openx config.

   2a. I imported the external root CA into the openx db (then add the intermediate certificate, if any):

       openxpkiadm certificate import alias gosigner --file goca.crt --realm democa

   2b. I created an alias for the external root CA:

       openxpkiadm alias --realm democa --identifier 8SUUyO2hC4SCeehX2VjsTSMGQj8 --group goroot

       (use --gen to specify a specific number in the alias, otherwise it auto-increments, e.g., goroot-1)

3. I defined the rules to validate against the expected authorized signer (leaf certificate) in est.default.yaml.

   3a. Under the authorized signer rules:

       authorized_signer:
           rule1:
               # Full DN
               subject: .+gocert.*
               realm: _any

       Again, subject corresponds to the leaf certificate (not the root).

   3b. Set the allow external flag under the policy section:

       allow_anon_enroll: 0
       allow_external_signer: 1

4. I added my root alias in openxpki-config/config.d/realm.tpl/workflow/global/action/check_authorized_signer.yaml:

       root_alias: goroot-1

5. I include the certificate chain (the expected authorized signer) in curl and send the CSR.

6. And I got my certificate - and verified it was enrolled on behalf and was validated against all (sub)rules:

       SignerTrust loading rules from est.default.authorized_signer
       2025/03/30 14:45:11 16383 Trusted Signer Authorization unknown / external / CN=gocert / t8-jZUk-8nvD1vW-b62xvGqFlIA
       2025/03/30 14:45:11 16383 Trusted Signer Authorization matched subrule .+gocert.*
       2025/03/30 14:45:11 16383 Trusted Signer Authorization matched subrule t8-jZUk-8nvD1vW-b62xvGqFlIA
       2025/03/30 14:45:11 16383 Trusted Signer Authorization matched subrule _any
       2025/03/30 14:45:11 16383 Trusted Signer Authorization matched rule rule1

*Note*: It also works when you have intermediate certificates => just import the whole chain into the openx db, starting from the root till the intermediate that signs the leaf certificate (aliases are created for every certificate in that chain automatically <=> no need to create any alias, even for the root).

Thank you again Oli (and Martin and every contributor because there are other useful posts too)
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
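Added example (not from the post above and not OpenXPKI code): a small Go program that replays the two checks the log in the post shows, so you can see what has to line up before SignerTrust reports "matched rule rule1". It builds a throwaway root CA and a leaf CN=gocert (constructed data standing in for goca.crt and the signer certificate), verifies the leaf against that root only (the part the imported root and root_alias control), and then evaluates rule1 from est.default.yaml: a regex over the full subject DN plus realm _any, with an optional identifier subrule. Assumptions of mine: the SignerRule struct and its field names, the realm being handed in as a plain string, and the identifier being the unpadded base64url SHA-1 of the DER certificate (it produces the 27-character shape seen in the log, but I have not confirmed this against the OpenXPKI source).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// SignerRule is one authorized_signer entry as used in the post: a regex over the full
// subject DN, an optional identifier, and a realm ("_any" matches everything). Names are mine.
type SignerRule struct {
	Name, Subject, Identifier, Realm string
}

// Identifier derives a certificate identifier in the shape the post's log shows (27 URL-safe
// chars). Assumption: OpenXPKI uses the unpadded base64url SHA-1 of the DER certificate.
func Identifier(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CheckAuthorizedSigner replays the two decisions from the post: the presented chain must
// validate to the imported external root, and the leaf must satisfy every subrule of one rule.
func CheckAuthorizedSigner(leaf *x509.Certificate, intermediates []*x509.Certificate,
	root *x509.Certificate, realm string, rules []SignerRule) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("signer chain not trusted: %w", err)
	}
	dn, id := leaf.Subject.String(), Identifier(leaf)
	for _, r := range rules {
		ok, _ := regexp.MatchString(r.Subject, dn) // a malformed regex simply never matches
		if ok && (r.Identifier == "" || r.Identifier == id) && (r.Realm == "_any" || r.Realm == realm) {
			return r.Name, nil
		}
	}
	return "", fmt.Errorf("no authorized_signer rule matched %s / %s", dn, id)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert generates a fresh P-256 key and signs tmpl with signer (nil = self-signed).
func mustCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c, key
}

// BuildDemoChain creates a stand-in for the external root CA (goca.crt) and a leaf CN=gocert
// signed by it. Constructed data; the certificates from the post are not reproduced.
func BuildDemoChain() (root, leaf *x509.Certificate) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "goca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, rootKey := mustCert(rootTmpl, rootTmpl, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "gocert"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, _ = mustCert(leafTmpl, root, rootKey)
	return root, leaf
}

func main() {
	root, leaf := BuildDemoChain()
	rules := []SignerRule{{Name: "rule1", Subject: ".+gocert.*", Realm: "_any"}}
	fmt.Println(CheckAuthorizedSigner(leaf, nil, root, "democa", rules))
}
```

Run it with go run; it prints rule1 and a nil error. If you hand CheckAuthorizedSigner a second, freshly generated root instead of the one the leaf was signed by, the same leaf fails at the chain step before any rule is evaluated, which is why a matching subject rule alone does not get you past SignerTrust without the imported root.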