Re: [OpenXPKI-users] Using Auth Info in certificate request

2023-11-23 Thread Oliver Welter

Hi Florian,

the subject templates receive only the content of the cert_subject_parts 
hash from the workflow, which is created from the input fields in the 
profile.


The likely easiest way is to create a profile field, use the "preset" 
property to fill it with the session information and set "type: static" 
which makes it non-editable on the UI. CAVEAT: This is a UI feature and 
I am not 100% sure that there is no way to trick the UI into accepting 
other values as this was not designed to be "secure"!


The bulletproof solution is writing your own workflow logic to force the 
session data to be in this hash instead of using the "edit_subject" 
forms magic.


HTH

Oliver


On 22.11.23 16:57, Cramoisan, Florian (Aruba PoC) wrote:


Hi folks,

I’m looking to build a certificate request profile where users can 
only generate a certificate for themselves.


In order to do that I was thinking of adapting the existing user_cert 
and make it so that the cn is equal to the username used during 
authentication (basic auth).


Therefore the idea would be to

1 – if using CSR, use only the key in csr and ignore everything else

2 – if using the form, then do not ask for anything, use the 
“username” for the subject


#1 - This user information is accessible from the Apache HTTP 
env as well as from the OpenXPKI environment – however I cannot 
find a way to access it


/Stack.yaml/

BasicAuth:
    handler: ExternalAuth
    type: client
    param:
        envkeys:
            username: OIDC_CLAIM_unique_name
            email: OIDC_CLAIM_unique_name
            role: OPENXPKI_SSO_ROLE
            firstname: OIDC_CLAIM_given_name
            lastname: OIDC_CLAIM_family_name
            nickname: OIDC_CLAIM_name

/user_cert.yaml/

label: Lab User Certificate

validity:
    # -15min --> 1year - format +YYMMDDhhmmss
    notafter: +01
    notbefore: -1500

style:
    00_user_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            info:
                - comment
        subject:
            dn: "[% userinfo.email %], OU=Test"
            san:
                otherName: "1.3.6.1.4.1.311.20.2.3;UTF8:[% userinfo.email.lower %]"

Unfortunately this gives me an empty CN.

I couldn’t find anything documented for this, any idea how I can proceed?

Thanks,

*Florian Cramoisan*

*PoC Engineer - WW | HPE Aruba Global Solutions | PoC*

*ACEX #102 – ACMX#831 | ACCX#1261 | ACDX#1282 | ACSX#1475*

Mobile : +33 (0)6 14 58 32 45 | Desk :+33 (0)4 80 32 35 16

Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France





___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!
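
Added example (not part of the thread and not OpenXPKI code): a small Python model of the server-side approach from the reply above, where identity fields come only from the authenticated session and whatever the client submitted for them is discarded and reported. The field names cn and upn, the allow-list pattern and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed model, not OpenXPKI code: "session" stands for the authenticated
# login data (keys as in the envkeys mapping quoted in the thread), "submitted"
# for whatever the client posted, including fields the UI rendered as static.
IDENTITY_FIELDS = ("cn", "upn")  # hypothetical field names
SAFE = re.compile(r"[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?")  # assumed allow-list


class SubjectError(ValueError):
    """Raised when session data is unusable as certificate identity."""


def enforce_subject_parts(session, submitted):
    """Return (cert_subject_parts, tampered_field_names)."""
    username = session.get("username") or ""
    email = (session.get("email") or "").lower()
    for name, value in (("username", username), ("email", email)):
        # Reject anything that could add RDNs or break the SAN string.
        if not SAFE.fullmatch(value):
            raise SubjectError(f"session {name} not usable: {value!r}")
    enforced = {"cn": username, "upn": email}
    # Non-identity input (e.g. "comment") passes through; identity fields
    # are always overwritten, and mismatches are reported for auditing.
    tampered = sorted(k for k in IDENTITY_FIELDS
                      if k in submitted and submitted[k] != enforced[k])
    parts = {k: v for k, v in submitted.items() if k not in IDENTITY_FIELDS}
    parts.update(enforced)
    return parts, tampered


def render(parts):
    """Render DN and SAN in the shape of the quoted profile (OU=Test)."""
    return {
        "dn": f"CN={parts['cn']},OU=Test",
        "san_otherName": f"1.3.6.1.4.1.311.20.2.3;UTF8:{parts['upn']}",
    }


if __name__ == "__main__":
    # Constructed sample: the form claims a different CN than the session.
    session = {"username": "alice@example.org", "email": "Alice@Example.org"}
    posted = {"cn": "admin@example.org", "comment": "laptop"}
    parts, tampered = enforce_subject_parts(session, posted)
    print(render(parts), "overridden:", tampered)
```
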


Re: [OpenXPKI-users] CMC support in OpenXPKI ?

2023-11-23 Thread Martin Bartosch via OpenXPKI-users
Hi Scott, 

> Does OpenXPKI support Certificate Management over Cryptographic Message 
> Syntax (CMC) ?
> 

Yes, it does.

Cheers

Martin



[OpenXPKI-users] CMC support in OpenXPKI ?

2023-11-23 Thread Scott Thomas via OpenXPKI-users
Hi,
Does OpenXPKI support Certificate Management over Cryptographic Message Syntax 
(CMC)?
Cheers
Scotty