Re: [OpenXPKI-users] Allow additional Elliptic Curves

2024-05-08 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I have created a csr using the elliptic curve secp256k1. When I copy this csr 
> in the web interface and try to request a certificate, I get this error:
> "Used key parameter is not allowed by policy (curve_name: 1.3.132.0.10)"
> 
> When I do the exact same thing but using the curve secp512r1, I don't have 
> this problem. 
> 
> Further, I edited a few things in the file democa/profile/default.yaml:
> • I added the curve secp256k1 in the section ec: curve_name:
> • at the end of the file I added the string 
> "#I18N_OPENXPKI_UI_KEY_CURVE_NAME_SECP256K1"
> But, this does not seem to solve the problem.
> 
> Do I have to make some additional changes somewhere else?

Have a look at the comments above the key constraints setting in

config.d/realm.tpl/profile/default.yaml

...
ec:
    # those names are used for validation and to render the
    # option list when server key generation is allowed
    # The preset is the recommended list from RFC5480
    # The possible "named" curves are limited by the ones supported
    # by Crypt::PKCS10 at the moment. For NIST P-192/256 you can use
    # either the secpXXXr1 or primeXXXv1 alias
    curve_name:
      - prime256v1
      - secp384r1
      - secp521r1
...


As mentioned in the comment, only named curves supported by Crypt::PKCS10 are 
accepted here. If you check the documentation of this module you will find that 
the curve secp256k1 is not supported by Crypt::PKCS10. 
If you feel you need it (and/or possibly others), I suggest you take the time 
to collect a list of OIDs and curve names and submit a pull request via 
https://github.com/openxpki/Crypt-PKCS10

BTW, adding the string "#I18N_OPENXPKI_UI_KEY_CURVE_NAME_SECP256K1" literally 
does nothing (short of informing the Gnu GetText about a possible translation).

Cheers

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] EST Endpoint / RFC 7030

2024-05-08 Thread Martin Bartosch via OpenXPKI-users
Hi,

> For authenticated EST the OpenXPKI documentation says: Use the UI to obtain a 
> TLS Client certificate with the application name *pkiclient*
> 
> I don't understand in which field of the X.509 certificate the 
> "application name" should go.

Our default configuration ships with the following EST endpoint configuration:

config.d/realm.tpl/est/default.yaml:

label: EST Default Endpoint

authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:pkiclient,.*
...

This basically means "extract the CN from the subject and check if it ends with 
:pkiclient". This can be used to perform some sort of authorization for the 
"enrollment on behalf" case in which a client certificate is used to obtain 
multiple certificates with different subjects. Basically this feature can be 
used to centralize automatic issuance for certificates of other subscribers 
(and needs a properly configured OpenXPKI EST/SCEP/RPC endpoint).

To facilitate this, a certificate with the subject CN=foo:pkiclient, O=... can 
be created during the request process.

Our default GUI configuration provides a field "Application Name". If this is 
non-empty, the subject rendering rule in the default configuration will append 
":ApplicationName" to the CN value. The purpose of this is to be able to have 
multiple distinct certificates for one single host (for different purposes). 
One of these purposes could be enrollment-on-behalf, in which case you could 
input "pkiclient" as application name, giving you a TLS Client certificate 
which would match above rule.

Cheers

Martin
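To make the relationship between the "Application Name" field and the authorized_signer rule concrete, here is an added example (not OpenXPKI code). It assumes, as described above, that the default subject rule appends ":<application name>" to the CN when the field is non-empty, and that the rule's regex is applied as an anchored match against the full subject DN string; the O and C values are constructed.

```python
import re

# Rule quoted from config.d/realm.tpl/est/default.yaml.
AUTHORIZED_SIGNER_RULES = {"rule1": r"CN=.+:pkiclient,.*"}


def render_subject(hostname: str, application_name: str = "") -> str:
    """Build the subject DN the way the default subject rule is described:
    the application name, if given, is appended to the CN after a colon.
    The O and C components are constructed sample values."""
    cn = f"{hostname}:{application_name}" if application_name else hostname
    return f"CN={cn},O=Example Org,C=DE"


def authorized_signer_rule(subject_dn: str):
    """Return the name of the first rule whose regex matches the full DN,
    or None if the signer is not authorized (anchored match assumed)."""
    for name, pattern in AUTHORIZED_SIGNER_RULES.items():
        if re.fullmatch(pattern, subject_dn):
            return name
    return None


# Constructed samples: one host requesting certificates for three purposes.
SAMPLES = {
    "no application name":           render_subject("host1.example.com"),
    "application name 'pkiclient'":  render_subject("host1.example.com", "pkiclient"),
    "application name 'webserver'":  render_subject("host1.example.com", "webserver"),
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        print(f"{label:30} {dn:50} -> {authorized_signer_rule(dn)}")
```

Only the certificate obtained with "pkiclient" as application name matches rule1; the other certificates for the same host are ordinary TLS client certificates with no enrollment-on-behalf authorization.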



[OpenXPKI-users] Allow additional Elliptic Curves

2024-05-08 Thread Stefan Goeman
Hello

I have a default installation on Debian 12 with the democa

I have created a csr using the elliptic curve secp256k1. When I copy this csr 
in the web interface and try to request a certificate, I get this error:
"Used key parameter is not allowed by policy (curve_name: 1.3.132.0.10)"

When I do the exact same thing but using the curve secp512r1, I don't have this 
problem.

Further, I edited a few things in the file democa/profile/default.yaml:

  * I added the curve secp256k1 in the section ec: curve_name:
  * at the end of the file I added the string 
    "#I18N_OPENXPKI_UI_KEY_CURVE_NAME_SECP256K1"

But, this does not seem to solve the problem.

Do I have to make some additional changes somewhere else?

Much thanks in advance for your help!

Greetings,
Stefan.


[OpenXPKI-users] EST Endpoint / RFC 7030

2024-05-08 Thread Wolfram Wadepohl
For authenticated EST the OpenXPKI documentation says: Use the UI to 
obtain a TLS Client certificate with the application name *pkiclient*


I don't understand in which field of the X.509 certificate the 
"application name" should go.


--
Wolfram Wadepohl
Plattform Technology
Storopack Deutschland GmbH & Co. KG

