Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

2021-09-24 Thread Oliver Welter
Hi Andreas,

looks like there is a bug in the docs, the value set for "profile" is
mapped to the internal profile names in the file "rpc/enroll.yaml" in
the key "profile_map" and there the profile is written with a dash.

Regarding REST: Have a look at the EST protocol, this will give you a
very clean interface that requests a plain PKCS10 container as payload
and returns a "raw" PKCS7 structure with the certificate without any
encoding around.

Oliver

On 24.09.21 at 16:26, andreas.so...@t-systems.com wrote:
>
> Hi all,
>
> @Oliver: thanks for this hint, but writing such a “RPC <-> REST”
> converter is kind of “overkill” for my purposes.
>
> Meanwhile I found out, that sending REST-Requests with the right
> header works fine for me:
>
> curl -s  -X POST  http://localhost:8080/rpc/enroll/SearchCertificate -H
> 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' |
> python -m json.tool
>
> One problem solved, another problem arises:
> I try to “automatically” process a CSR, which I want to send via
> RPC/REST to the openXPKI Server.
>
> Tried this (and several other things), but failed:
>
> --
> # Generate a PKCS#10 CSR file “certreq.pem”
> openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
> Department/CN=example.com" -nodes -newkey rsa:2048 -sha256 -outform
> PEM -out certreq.pem
>
> # Try to upload the CSR file – without success
> curl -s -F "method=RequestCertificate" -F "profile=tls_server"  -F
> "comment=test" -F pkcs10="$(cat certreq.pem)"
> http://localhost:8080/rpc/enroll | python -m json.tool
> {
>     "result": {
>         "data": {
>             "error_code": "Invalid Profile",
>             "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
>         },
>         "id": 2815,
>         "pid": 94,
>         "proc_state": "finished",
>         "state": "FAILURE"
>     }
> }
> --
>
> Any idea, what to do?
>
> Kind regards
>
> Andreas
>
> PS: To be honest: I am struggling hard with openXPKI server’s
> documentation – the software itself seems to be quite promising, but
> documentation is hard to understand and quite limited (at least from
> my point of view).
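An added example (not code from OpenXPKI or from either poster) of a small Python client for the JSON-over-HTTP style of RPC call used in this thread, with a response check that refuses to treat a FAILURE envelope such as the "Invalid Profile" reply as an issued certificate. The endpoint URL is the one from the thread; the profile value a caller passes is assumed to be a key of profile_map in rpc/enroll.yaml, not a name taken from any real configuration.

```python
import json
import urllib.request

# Endpoint used throughout the thread; the RPC method name is appended to the path.
RPC_BASE = "http://localhost:8080/rpc/enroll"


class RpcFailure(Exception):
    """Workflow did not end in state SUCCESS, or the envelope was malformed."""


def build_request(method, **params):
    """Return (url, body) for a JSON RPC call, mirroring the curl example above."""
    url = "%s/%s" % (RPC_BASE, method)
    body = json.dumps(params).encode("utf-8")
    return url, body


def parse_response(raw):
    """Validate the {"result": {"state": ..., "data": {...}}} envelope.

    Returns the data dict when state is SUCCESS; otherwise raises RpcFailure
    carrying the error_code (e.g. "Invalid Profile") and transaction_id, so a
    caller never mistakes a FAILURE reply for a certificate.
    """
    doc = json.loads(raw)
    result = doc.get("result") if isinstance(doc, dict) else None
    if not isinstance(result, dict):
        raise RpcFailure("malformed response: no 'result' object")
    data = result.get("data") or {}
    if result.get("state") != "SUCCESS":
        raise RpcFailure("workflow %s ended in state %s: %s (transaction_id %s)" % (
            result.get("id"), result.get("state"),
            data.get("error_code", "no error_code"),
            data.get("transaction_id", "n/a")))
    return data


def call_rpc(method, **params):
    """POST the JSON body with the Content-Type header the thread found necessary."""
    url, body = build_request(method, **params)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"))


def request_certificate(csr_path, profile, comment="test"):
    """Submit a PEM PKCS#10 file (e.g. certreq.pem) via RequestCertificate.

    'profile' must match a key of profile_map in rpc/enroll.yaml (the thread
    notes those keys are written with a dash); it is a placeholder here.
    """
    with open(csr_path) as f:
        pkcs10 = f.read()
    return call_rpc("RequestCertificate", pkcs10=pkcs10,
                    profile=profile, comment=comment)
```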

Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

2021-09-24 Thread Martin Bartosch via OpenXPKI-users
Hi,

> Meanwhile I found out, that sending REST-Requests with the right header works 
> fine for me:
>  
> curl -s  -X POST  http://localhost:8080/rpc/enroll/SearchCertificate  -H 
> 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python 
> -m json.tool

I don't really know your use case but I assume you would be much better served 
with properly adapting the Enrollment Workflow to your needs.

> PS: To be honest: I am struggling hard with openXPKI server’s 
> documentation – the software itself seems to be quite promising, but 
> documentation is hard to understand and quite limited (at least from my point 
> of view).

The publicly available documentation of the OpenXPKI Community Edition provides 
an overview and a quickstart guide on the software, covering a simple use case 
of OpenXPKI to get things up and running. 

From my observation most OpenXPKI CE users seem to be able to get their system 
up and running with this documentation, and with help on this mailing list it 
looks like we were also able to support users with some more advanced questions.

OpenXPKI is a very powerful and complex PKI software product - after all it is 
enterprise grade software. So due to the amount of features and functionality 
the CE documentation naturally only covers a tiny fraction of the available 
feature set.
However, we will gladly accept user contributions to improve the quality of the 
OpenXPKI CE documentation. 

Beyond the quickstart guide there is also a significant amount of class 
documentation within the OpenSource code base itself, as most internals are 
properly documented within the class structure of OpenXPKI. A developer or 
designer with more specific goals will have to learn how OpenXPKI works and dig 
into the details. 

Becoming familiar with the features of OpenXPKI takes time, we have found that 
even with extensive mentoring from our OpenXPKI core team a new developer or 
integrator will take a few months to become productive with the system.

That said, I would like to mention that the Enterprise Edition of OpenXPKI is 
available as a commercial product from our company White Rabbit Security GmbH 
which comes with extensive (400+ pages) configuration, integration, 
operation and development documentation covering all aspects of the system.

Cheers,

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

2021-09-24 Thread Andreas.Soika
Hi all,

@Oliver: thanks for this hint, but writing such a “RPC <-> REST” converter is 
kind of “overkill” for my purposes.
Meanwhile I found out, that sending REST-Requests with the right header works 
fine for me:

curl -s  -X POST  http://localhost:8080/rpc/enroll/SearchCertificate  -H 
'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python -m 
json.tool

One problem solved, another problem arises:
I try to “automatically” process a CSR, which I want to send via RPC/REST to 
the openXPKI Server.

Tried this (and several other things), but failed:

--
# Generate a PKCS#10 CSR file “certreq.pem”
openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT 
Department/CN=example.com" -nodes -newkey rsa:2048 -sha256 -outform PEM -out 
certreq.pem

# Try to upload the CSR file – without success
curl -s -F "method=RequestCertificate" -F "profile=tls_server"  -F 
"comment=test" -F pkcs10="$(cat certreq.pem)"  http://localhost:8080/rpc/enroll 
| python -m json.tool
{
"result": {
"data": {
"error_code": "Invalid Profile",
"transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
},
"id": 2815,
"pid": 94,
"proc_state": "finished",
"state": "FAILURE"
}
}

--

Any idea, what to do?

Kind regards

Andreas

PS: To be honest: I am struggling hard with openXPKI server’s 
documentation – the software itself seems to be quite promising, but 
documentation is hard to understand and quite limited (at least from my point 
of view).





Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-24 Thread Joachim Astel
Just a random thought, maybe in the wrong direction:
Looks like you have a load balancer or web proxy in between, which does a 
permanent web redirect to another FQDN with a HTTP status code "301 Moved 
Permanently".
Please try to implement a reverse proxy instead which hides the redirect to 
the actual web server / OpenXPKI instance, containing the CRL.

Greetings
Achim



Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

2021-09-24 Thread Oliver Welter
Hi Andreas,

to have "real" REST API you need to write a wrapper yourself that
translates a REST path to a call to the RPC system and rewrites the
result to the expected return structure. There is no ready-to-go
component in OpenXPKI CE for this as such an interface is always very
customer specific.

Oliver

On 23.09.21 at 18:23, andreas.so...@t-systems.com wrote:
>
> Hi Oliver,
>
> thanks a lot!
> Your reference to
>
> "_map_certificate: [% Certificate.pem(...) %]"
>
> … was close and guided me to the right direction, but – big surprise –
> it didn’t work.
> Finally I found out that the following line works:
>
> _map_pem: "[% USE Certificate %][%
> Certificate.pem(context.cert_identifier) %]"
>
> Of course, I had to adjust the file enroll.yaml appropriately too:
>
> [SearchCertificate]
> workflow = certificate_search
> param = common_name
> output = cert_identifier, pem, notbefore, notafter, status
>
> The result was pretty much what I had been searching for:
>
> curl -s -F "method=SearchCertificate"  -F "common_name=Rob Roberts"
> http://localhost:8080/rpc/enroll | python -m json.tool
> {
>     "result": {
>         "data": {
>             "cert_identifier": "jLy7gIbwwvnvOCMRpTPgdw6uVpg",
>             "notafter": "2022-03-16T16:54:56",
>             "notbefore": "2021-09-16T16:54:56",
>             "pem": "-BEGIN CERTIFICATE-\nm ……..
> v9MRebfA=\n-END CERTIFICATE-",
>             "status": "ISSUED"
>         },
>         "id": 0,
>         "pid": 70,
>         "proc_state": "finished",
>         "state": "SUCCESS"
>     }
> }
>
> So far, so good (and once again: thank you for your help!)
>
> What remains open, is my question, how to switch from RPC to REST.
> Could you give me a hint, how to achieve that?
>
> Kind regards
>
> Andreas


-- 
Protect your environment -  close windows and adopt a penguin! 



Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-24 Thread Martin Bartosch via OpenXPKI-users
Hi,

> We are facing the issue while validating the certificate using ocsp. We did a 
> bit of R&D from our side and we found the following issue when we tried to 
> use the following command.
> screenshot attached.

The OpenXPKI OpenSource edition does not include an OCSP server, this is a 
component of the OpenXPKI Enterprise Edition.

I suggest you raise a support ticket with the vendor of your OCSP responder.

Best regards,

Martin





Re: [OpenXPKI-users] OCSP responder configuration.

2021-09-24 Thread Oliver Welter
Hi Sanju,

an OCSP Responder is a separate component and not part of OpenXPKI.
There is an OCSP Responder with an integration module for OpenXPKI
available as commercial product from our company - please contact us in
case you are interested in it.

Oliver



-- 
Protect your environment -  close windows and adopt a penguin! 



[OpenXPKI-users] OCSP responder configuration.

2021-09-24 Thread Sanju Kundu
Hello,
Kindly help us to configure OCSP responder in the openxpki environment. We
are using openxpki version 3.12. We have done R&D at my side. We have got
an error when verifying the certificate with OCSP using openssl command.


Thanking you,
Sanju Kundu


Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-24 Thread Sanju Kundu
Hi Martin,
We are facing the issue while validating the certificate using ocsp. We did
a bit of R&D from our side and we found the following issue when we tried
to use the following command.
screenshot attached.

Thanking you,
Sanju Kundu

On Thu, Sep 23, 2021 at 7:15 PM Martin Bartosch  wrote:

> > We have already configured the above mentioned file.But We need to
> enable CRL for Issuer (Issuer: CN=OpenXPKI Demo Issuing CA 20210917,) this
> certificate. So that we can verify the  intermediate certificate. Please
> guide us which configuration file need to change.
> >  Also we are trying to enable CRL using the below command.
> >
> >  # openxpkicmd  --realm democa crl_issuance
> > Workflow created (ID: 63743), State: CANCELED
> > But we got a State: CANCELED message.
>
> This error message means that there are no usable Issuing CAs within the
> specified PKI Realm which are due for a regular CRL issuance (and CRL
> issuance was not forced).
>
> Without knowing your environment I can only guess that you either have no
> active Issuing CAs configured at all or that the configured CRL renewal
> period for each active Issuing CAs has not yet expired.
>
> Cheers
>
> Martin
>
>