Still struggling, but I think it's related to the alias.
Like I said earlier, I'm importing the certificate and it had no alias with
it (it did not create the alias I thought it was creating...)

I've been digging a bit in the sample script and noticed the alias value is
always generated by OpenXPKI.
So I gave it a shot and ran the following (the certsign token was mentioned
somewhere in the docs, so I tried it out):
-> openxpkiadm alias --file goca.crt --realm democa --token certsign

And magically, it did two things:

Successfully wrote alias:
  Alias     : ca-signer-2
  Identifier: 8SUUyO2hC4SCeehX2VjsTSMGQj8
  NotBefore : 2025-03-25 18:41:44
  NotAfter  : 2035-03-25 17:41:44
Token is certsign, looking for root...
Creating alias for root ca:
  Alias     : root-2
  Identifier: 8SUUyO2hC4SCeehX2VjsTSMGQj8
  NotBefore : 2025-03-25 18:41:44
  NotAfter  : 2035-03-25 17:41:44

Now I can say: at least I have an alias :)
I don't know if it's normal that my external root certificate is both
ca-signer-2 & root-2.
In the UI, it's marked as offline (I don't care, I just need it for
trusting my external certificate chain: leaf + root).

But I still have the same error with the same logs: Trusted Signer not
found in trust list.
I'm using the authentication system stack; I tried it out with Certificate
in case it'd change anything (it didn't).

I feel I'm getting closer, but there's still something missing out there.

On Tue, 25 Mar 2025 at 22:43, Mo Be <mopra...@gmail.com> wrote:

> Hello OpenX community,
>
> I've been struggling for a while to leverage the external allowed signer
> feature.
> I found many useful resources and answers in here, but I always end up
> with the same error and I can't see what rules it's trying to validate
> against.
>
> [http error response]
> Request was rejected:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
>
> [technical logs]
> *** 2025/03/25 21:30:34 255 Rendering subject: CN=test me
> *** 2025/03/25 21:30:34 255 Trusted Signer chain validated - trusted root
> is 8SUUyO2hC4SCeehX2VjsTSMGQj8
> *** 2025/03/25 21:30:34 255 Trusted Signer not found in trust list
> (CN=gocert).
>
> [webui - workflow context]
> error_code: request is not in authorized signer list
> p_allow_external_signer: 1
>
> request_mode: onbehalf
> server: default
>
> signer_authorized: 0
> signer_subject: CN=gocert
> signer_trusted: 1
> signer_validity: 1
>
> [webui - workflow history]
> state - signed_request -> enroll_set_mode_onbehalf
> state - start_onbehalf -> global_set_error_signer_not_authorized
>
> [what i did]
> 1. I signed a certificate with an "external root CA"
> 2. I placed my external CA root certificate inside openx config
> 3. I changed est.default.yml to take it into account
>
> 3a. Authorized signer rules
>
> -> rule1:
>         # Full DN
>         subject: CN=gocert
>         root_alias: gosigner
>         realm: _any
> where CN=gocert corresponds to the CN of the leaf certificate (not the root)
>
> 3b. Set allow external flag
> allow_anon_enroll: 0
> allow_external_signer: 1
>
>
> 4. I imported the external CA to the openxpki db with the following command
> -> openxpkiadm certificate import alias gosigner --file goca.crt --realm democa
> 5. I include the certificate chain (the signer) in curl and send the CSR
> 6. And I get my error :)
>
> The certificate chain = leaf + root
> I tried again with chain = leaf + intermediate + root (I also added an
> external_issuer alias and imported the certificate with its corresponding
> alias).
>
> Also, when I run
> -> openxpkiadm alias list
> I don't see the alias I created for my external CA, but ... I guess it's
> not an issue since the signer was trusted (it's just not in the authorized
> signer list, the missing part).
>
> By the way, when I enrolled on-behalf a signer issued by the same OpenXPKI
> (aka, internal signer), it worked fine.
>
> Working environment
> *** I'm using the docker approach.
> *** OpenXPKI system version 3.30.9
> *** OpenXPKI config version 3.28
>
> If you were able to spot the missing piece to my success, I'd appreciate
> the hint :)
> And if you need any more details, please let me know.
>
> Cheers,
> Mohamed
>
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users