Re: [OpenXPKI-users] unique certificate subject across all realms
It worked! Thank you for your help Martin!

On Mon, Aug 2, 2021 at 4:11 PM Martin Bartosch via OpenXPKI-users <openxpki-users@lists.sourceforge.net> wrote:

> Hi,
>
> > Is it possible to check if the certificate subject is unique across all
> > realms on the openxpki server? I am using openxpki community edition.
>
> OpenXPKI is a workflow based system, so literally almost any conceivable
> business logic can be implemented. We distribute a set of default workflows
> which implement some common and sensible assumptions. One of the
> assumptions is that PKI Realms are logically separate name spaces, making
> it possible to any number of distinct and independent CAs on the same
> OpenXPKI instance. The default system hence only considers uniqueness of
> subjects within the same PKI Realm, not across other realms.
>
> I am not sure and have not tested this, but by looking at the code and
> configuration you could try the following:
>
> In the workflow/def/certificate_signing_request_v2.yaml of your desired
> realm change the subject policy test from
>
> check_policy_subject_duplicate:
>     class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
>     param:
>         allow_renewal_period: "+0003"
>
> to
>
> check_policy_subject_duplicate:
>     class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
>     param:
>         any_realm: 1
>         allow_renewal_period: "+0003"
>
> This should consider the subject test across all realms. This is untested.
>
> Cheers
>
> Martin

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
Re: [OpenXPKI-users] unique certificate subject across all realms
Hi,

> Is it possible to check if the certificate subject is unique across all
> realms on the openxpki server? I am using openxpki community edition.

OpenXPKI is a workflow based system, so literally almost any conceivable business logic can be implemented. We distribute a set of default workflows which implement some common and sensible assumptions. One of the assumptions is that PKI Realms are logically separate name spaces, making it possible to any number of distinct and independent CAs on the same OpenXPKI instance. The default system hence only considers uniqueness of subjects within the same PKI Realm, not across other realms.

I am not sure and have not tested this, but by looking at the code and configuration you could try the following:

In the workflow/def/certificate_signing_request_v2.yaml of your desired realm change the subject policy test from

    check_policy_subject_duplicate:
        class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
        param:
            allow_renewal_period: "+0003"

to

    check_policy_subject_duplicate:
        class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
        param:
            any_realm: 1
            allow_renewal_period: "+0003"

This should consider the subject test across all realms. This is untested.

Cheers

Martin
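A simplified model of the decision the two configurations in the message above lead to, added here as an illustration; it is not OpenXPKI code and not part of the original thread. The record layout, the exact-match subject comparison and the reading of allow_renewal_period (certificates expiring inside the window are not counted as duplicates) are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (realm, subject, status, notafter); not real data.
CERTS = [
    ("realm-a", "CN=www.example.org,DC=Test", "ISSUED", datetime(2022, 6, 1)),
    ("realm-b", "CN=api.example.org,DC=Test", "ISSUED", datetime(2021, 9, 15)),
    ("realm-b", "CN=old.example.org,DC=Test", "REVOKED", datetime(2023, 1, 1)),
]


def parse_relative(spec):
    """Read a right-truncated '+YYMMDDhhmmss' offset ('+0003' = 3 months)."""
    digits = spec.lstrip("+").ljust(12, "0")
    yy, mm, dd = (int(digits[i:i + 2]) for i in (0, 2, 4))
    # Model approximation: 365-day years, 30-day months, time part ignored.
    return timedelta(days=yy * 365 + mm * 30 + dd)


def find_duplicates(subject, realm, now, any_realm=False,
                    allow_renewal_period=None):
    """Return (realm, subject) pairs that would block a request for `subject`."""
    cutoff = now
    if allow_renewal_period:
        # Assumption: a certificate expiring inside the window may be renewed.
        cutoff = now + parse_relative(allow_renewal_period)
    hits = []
    for c_realm, c_subject, status, notafter in CERTS:
        if c_subject != subject or status != "ISSUED":
            continue
        if not any_realm and c_realm != realm:
            continue  # default behaviour: realms are separate name spaces
        if notafter > cutoff:
            hits.append((c_realm, c_subject))
    return hits


if __name__ == "__main__":
    now = datetime(2021, 8, 2)
    subject = "CN=www.example.org,DC=Test"
    for flag in (False, True):
        result = find_duplicates(subject, "realm-b", now, any_realm=flag,
                                 allow_renewal_period="+0003")
        print("any_realm=%d -> %s" % (flag, result))
```

With the default scope, a request in realm-b for a subject already issued in realm-a passes; with any_realm enabled the same request is flagged.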
[OpenXPKI-users] unique certificate subject across all realms
Hello!

Is it possible to check if the certificate subject is unique across all realms on the openxpki server? I am using openxpki community edition.