Re: [OpenXPKI-users] EST renewal/reenrollment

2024-04-10 Thread Oliver Welter

Hi Mo,

I understand the implications in the protocol but this is somewhat 
different from the concept OpenXPKI uses.


We do not give away any certificate without making a decision on the 
certified properties - the self-renewal ability is covered by the 
assumption that an entity that was granted this certificate can use this 
"grant" forever so it can renew the certificate with the same grants. A 
renewal with a different SAN item is from this perspective not a renewal 
but a request for a new grant and therefore needs an active decision 
which is almost the same process as an initial enrollment. Strictly 
speaking there are some differences as the entity can prove its identity 
with the old certificate but we never came across a use case where this 
was relevant and so it's just not implemented.


As said, we can read and process this extension technically but there is 
no path in the business logic yet to support this.


Oliver

On 08.04.24 12:25, Mo Be wrote:

Hi Oli,

I don't know if it could be useful for OpenXPKI though.
It's a nice to have, but, like, how complicated would that be in terms 
of implementation...


As for the use-case, from an EST standpoint, it is simply reenrolling 
with a different subject or subject alternative name.


If the user, for some reason, wishes to reenroll a certificate about 
to expire, but this time would like to use  instead of , 
then in this case the CSR with the Change Subject Name attribute could be 
useful and would save the user from going through the enroll process, which 
would require a potentially different way of authentication, whether 
it's a challenge password, or an HTTP basic password, or a certificate 
signed by another trusted entity etc.


Mo

Le sam. 6 avr. 2024 à 20:28, Oliver Welter  a écrit :

Hi Mo,

OpenXPKI uses only the DN to decide whether this is a renewal or
not but then copies over the SAN items from the old certificate to
the new request, so the renewed certificate is an "exact copy" of
the old one, besides validity and signature of course.

Handling around the "ChangeSubjectName" extension was not
implemented so far as we never got a request on this and it does
not really match the way how approvals are currently handled in
the standard workflows. If you can make up a proper use case how
to handle this, we can of course implement this in the workflows.

Oliver

On 06.04.24 14:52, Mo Be wrote:

Hi,

I realized I overlooked the answer: it's the subject and the
renewal period, but there is no mention of the SAN.
I thought that renewal must happen at least if the CSR and the
certificate to be renewed have
- same subject
- same SAN

Which brought me back to RFC 7030 - section 4.2.2,
and made me wonder if we could make use of the ChangeSubjectName
attribute in OpenXPKI.

That being said, do we have a way to check for the SAN as well
during the renewal workflow? I'm still looking at different .yaml
files but the answer is no so far.
And does OpenX handle the ChangeUserName attribute?

Thank you

Le mar. 26 mars 2024 à 13:30, Mo Be  a écrit :

Yes yes yes Martin...
That was it !

I still don't know how to play on that renewal_period though.
By default, enrolled certificates are given a validity of one
year.
I added in my EST .yaml an initial validity, something I
found in rpc .yaml
 initial_validity: +01 (which translates to 1 day
starting from today)

I left the renewal period intact, I'm not sure how to
interpret it
(can be renewed only if within this period of time, that I
know for sure)
 renewal_period: 60

In the documentation, I have read it was following this
format MMDDhhmmss in case of absolute date.
I guess in renewal, it's different => YYMMDD (perhaps hhmmss
as well),
That translates to 60 days maybe.

https://openxpki.readthedocs.io/en/develop/reference/configuration/profile.html
Still need to figure out exactly what's happening regarding
that renewal period because
OpenXPKI dates are also not in sync with my VM, which makes
it a bit hard to know what's wrong and why.
Anyway, thanks for your help Martin, got that renewed
certificate working

Mohamed


Le mar. 26 mars 2024 à 10:16, Martin Bartosch via
OpenXPKI-users  a écrit :

Hi,


> 5- I do get authenticated through basic auth AND
through the certificates i'm passing to cURL.
> But I keep getting back the same certificate.
> No workflow is triggered.
> And in EST.log
>   INF authenticated client DN: CN=same cn,DC=Test
Deployment,DC=OpenXPKI,DC=org [pid=91|ep=[undef]]
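The renewal decision Oliver describes in this thread (the subject DN decides whether a request is a renewal, SANs are copied from the old certificate, a different subject or a new SAN item is a new "grant" that needs an approval decision, and renewal is only accepted inside a renewal window) can be modelled in a few lines. The following is an added example written for this page, not OpenXPKI code; it assumes case-insensitive DN comparison, a renewal window expressed in days before notAfter (the thread only guesses that `renewal_period: 60` means 60 days), plain dicts instead of X.509 objects, and a constructed sample certificate whose DN style follows the EST.log line quoted above.

```python
# Added example (not OpenXPKI code): models the renewal decision described
# in the thread above. The subject DN decides whether a request is a
# renewal; on a renewal the SAN entries are copied from the old certificate,
# and a request with a different subject, or asking for SAN entries the old
# certificate did not carry, is a new "grant" that needs an approval step.
# Assumptions: DN comparison is case-insensitive on attribute and value,
# the renewal window is given in days before notAfter (60 is the guess
# from the thread, not a documented default), and certificates are plain
# dicts rather than X.509 objects.
from datetime import date, timedelta

RENEWAL_WINDOW_DAYS = 60  # assumed, mirrors the "renewal_period: 60" guess


def parse_dn(dn):
    """Split 'CN=a,DC=b' into a normalised tuple of (ATTR, value) pairs.
    Escaped commas inside values are not handled; this is a model, not a
    full RFC 4514 parser."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)


def classify_request(csr_subject, csr_sans, old_cert, today,
                     window_days=RENEWAL_WINDOW_DAYS):
    """Return (decision, effective_sans).

    decision:
      "enroll"            subject DN differs: treated as an initial enrollment
      "too_early"         same DN but notAfter is not yet within the window
      "approval_required" same DN but the CSR asks for SANs the old cert lacks
      "renewal"           same DN, within window; SANs copied from the old cert
    """
    if parse_dn(csr_subject) != parse_dn(old_cert["subject"]):
        return "enroll", tuple(csr_sans)
    window_opens = old_cert["not_after"] - timedelta(days=window_days)
    if today < window_opens:
        return "too_early", ()
    new_sans = set(csr_sans) - set(old_cert["sans"])
    if new_sans:
        # A different SAN item is a request for a new grant, so it goes
        # to an active decision instead of the automatic renewal path.
        return "approval_required", tuple(csr_sans)
    # Exact copy of the old grant: ignore what the CSR listed, copy old SANs.
    return "renewal", tuple(old_cert["sans"])


if __name__ == "__main__":
    # Constructed sample certificate (not real data).
    old = {"subject": "CN=same cn,DC=Test Deployment,DC=OpenXPKI,DC=org",
           "sans": ("DNS:host1.example.org",),
           "not_after": date(2024, 12, 31)}
    cases = [
        ("cn=same cn, dc=test deployment, dc=openxpki, dc=org", (), date(2024, 12, 1)),
        ("CN=same cn,DC=Test Deployment,DC=OpenXPKI,DC=org",
         ("DNS:host2.example.org",), date(2024, 12, 1)),
        ("CN=other cn,DC=Test Deployment,DC=OpenXPKI,DC=org", (), date(2024, 12, 1)),
        ("CN=same cn,DC=Test Deployment,DC=OpenXPKI,DC=org", (), date(2024, 6, 1)),
    ]
    for subj, sans, day in cases:
        print(day, classify_request(subj, sans, old, day))
```

The first case shows why the DN normalisation matters: the CSR subject differs only in case and spacing from the old certificate, yet it is still a renewal and receives the old SAN list rather than whatever (nothing, here) the CSR carried.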
  

Re: [OpenXPKI-users] Installing mariadb schema

2024-04-10 Thread Oliver Welter

Hi Stefan,


might it be the case that you ran this command twice (or used the sample 
config script before?)



I just tried this here and do not get any warnings or errors and the 
table is properly built:



mysql -e "create database oxitest"
cat  /usr/share/doc/libopenxpki-perl/examples/schema-mariadb.sql | mysql 
oxitest


mysql oxitest -e "describe aliases;"
+------------+------------------+------+-----+---------+-------+
| Field      | Type             | Null | Key | Default | Extra |
+------------+------------------+------+-----+---------+-------+
| identifier | varchar(64)      | YES  |     | NULL    |       |
| pki_realm  | varchar(255)     | NO   | PRI | NULL    |       |
| alias      | varchar(255)     | NO   | PRI | NULL    |       |
| group_id   | varchar(255)     | YES  |     | NULL    |       |
| generation | smallint(6)      | YES  |     | NULL    |       |
| notafter   | int(10) unsigned | YES  |     | NULL    |       |
| notbefore  | int(10) unsigned | YES  |     | NULL    |       |
+------------+------------------+------+-----+---------+-------+




Oli


On 08.04.24 17:50, Stefan Goeman wrote:

Hi

I am trying to install openxpki on Debian 12

When I run this command:
cat /usr/share/doc/libopenxpki-perl/examples/schema-mariadb.sql |\     
mysql -u root --password --database  openxpki


I get the following error message:
ERROR 1068 (42000) at line 201: Multiple primary key defined

I think I did everything correctly according to the quick start guide. 
Did I overlook something?


When I look into the schema file on line 201 and 202 I see this:
ALTER TABLE 'aliases'
 ADD PRIMARY KEY (`pki_realm`,`alias`),

I see two things there for the primary key. Is this correct?

Much thanks in advance for your help!


Greetings,
Stefan.


___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!


Re: [OpenXPKI-users] Mapping openssl cnf options to openxpki yaml profiles

2024-04-10 Thread Martin Bartosch via OpenXPKI-users
James,

> I have been struggling with the yaml profile mapping of certificate extensions
> to openxpki profiles. I need some examples or a profile node key legend to
> assist me in understanding how this works.

I think the example configuration in the configuration repository is pretty 
self-explanatory. 

Please take your time to look at it, understand it and map it to your use case. 
You will find it is not that hard.

Also, I recommend to take this as an opportunity to clean up your existing 
certificate profile, you seem to have a lot of unnecessary legacy cruft in your 
existing certificates which I would recommend to get rid of.

Cheers

Martin



