Hello OpenX community,

I've been struggling for a while to leverage the external allowed signer feature. I found many useful resources and answers in here, but I always end up with the same error and I can't see what rules it's trying to validate against.

[http error response]
Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED

[technical logs]
*** 2025/03/25 21:30:34 255 Rendering subject: CN=test me
*** 2025/03/25 21:30:34 255 Trusted Signer chain validated - trusted root is 8SUUyO2hC4SCeehX2VjsTSMGQj8
*** 2025/03/25 21:30:34 255 Trusted Signer not found in trust list (CN=gocert).

[webui - workflow context]
error_code: request is not in authorized signer list
p_allow_external_signer: 1
request_mode: onbehalf
server: default
signer_authorized: 0
signer_subject: CN=gocert
signer_trusted: 1
signer_validity: 1

[webui - workflow history]
state - signed_request -> enroll_set_mode_onbehalf
state - start_onbehalf -> global_set_error_signer_not_authorized

[what I did]
1. I signed a certificate with an "external root CA"
2. I placed my external CA root certificate inside openx config
3. I changed est.default.yml to take it into account
   3a. Authorized signer rules ->
       rule1:
           # Full DN
           subject: CN=gocert
           root_alias: gosigner
           realm: _any
       where CN=gocert corresponds to the CN of the leaf certificate (not root)
   3b. Set allow external flag
       allow_anon_enroll: 0
       allow_external_signer: 1
4. I imported the external CA to openxpki db with the following command ->
       openxpkiadm certificate import alias gosigner --file goca.crt --realm democa
5. I include the certificate chain (the signer) in curl and send the CSR
6. And I get my error :)

The certificate chain = leaf + root
I tried again with chain = leaf + intermediate + root (I also added external_issuer alias and imported the certificate with its corresponding alias)

Also, when I run -> openxpkiadm alias list
I don't see the alias I created for my external CA, but ... I guess it's not an issue since the signer was trusted (it's just not in the authorized signer list, the missing part)

By the way, when I enrolled on-behalf a signer issued by the same OpenXPKI (aka, internal signer), it worked fine.

Working environment
*** I'm using the docker approach.
*** OpenXPKI system version 3.30.9
*** OpenXPKI config version 3.28

If you were able to spot the missing piece to my success, I'd appreciate the hint :) And if you need any more details, please let me know.

Cheers,
Mohamed
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users