Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-14 Thread Oliver Welter

Hi Antonio,

sorry I did not see the changes you made in the code. When using the RPC
Layer the signature parameter is in context.signature, the stuff with
the url_ prefix is only used in SCEP and EST to map metadata into the
context. The RPC implementation does NOT allow arbitrary parameters in
the context, if you need additional parameters you need to add them to
the parameter list in the "outer" wrapper configuration as well as to
the initialize method of the workflow.


Oliver

-- 
Protect your environment -  close windows and adopt a penguin!




  

Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-13 Thread Antonio Gamboa
Hello Oliver.

Sorry, maybe I couldn't explain my situation as well.

The original example (in the config repository) has eligibility check based
on the subject of the CSR using the regex (matching every FQDN having
openxpki.test)

For testing purposes, I keep this regex but match it against the MAC
query string (URL parameter).

So, I sent a valid domain as the MAC parameter
in order to pass the check using the URL parameter (?mac=demo.openxpki.test).

Is it possible to read a URL parameter in the eligibility check?

Like this example:
https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/enroll.html?highlight=eligible#eligibility


Best regards



Gamboa

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-13 Thread Oliver Welter

Hello Antonio,

if you see a state PENDING, the MAC signature was accepted. The example
eligibility code generates the required approval point if the FQDN used
as the common name ends on "openxpki.test". I am pretty sure you will
see the certificate being issued when you use such a CSR. If you want to
approve any request having a valid HMAC, just set the value in the
eligibility initial section to a literal "1" as seen in the other
sections. For more details please have a look at the quite extensive
documentation here
https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/enroll.html.


Oliver

Regarding a donation: I appreciate this but I do the community support 
for fun. If you feel you want to give back something, make a donation to 
the United Nations educational program or some other NGO around you feel 
comfortable with.




Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-12 Thread Antonio Gamboa
Hello Oliver.

I really appreciate your support. I was able to authenticate the RPC
request.

Now, I want to auto-approve the request based on the Eligibility criteria
set in the *my-realm/rpc/enroll.yaml:*

eligible:
    initial:
       value@: connector:rpc.enroll.connector.intranet
       args: '[% context.url_mac %]'

    renewal:
       value: 1

    onbehalf:
       value: 1

connector:
    intranet:
        class: OpenXPKI::Connector::Regex
        LOCATION: \w+\.openxpki.test(:[\w]+)?\z
    macs:


*In the RPC request:*

POST /rpc/enroll?mac=demo.openxpki.test HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost:8443
Content-Length: 1195

method=RequestCertificate&
pkcs10={CSR}&
comment=test&
signature=a254eb2c1b2087ef190024cc7a3edfb75454a7c77bf8ce0badabeb54bfc2adb7


I am just testing the functionality but have not been successful. I set the
mac in query string with a valid string (must pass the regex evaluation)

*This is the RPC response I receive:*
{
  "result": {
    "pid": 1313,
    "retry_after": 300,
    "data": {
      "error_code": "Request was not approved",
      "transaction_id": "b760bc72a3a4281c1550df20c2814d52a5e6b92a"
    },
    "proc_state": "manual",
    "state": "PENDING",
    "id": 6143
  }
}


What am I missing?

An apology for being such a nuisance. If you are able to
receive donations, I would like to support with a donation.

Best regards.



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-06 Thread Oliver Welter

Hello Antonio,

the HMAC Secret is defined in the rpc/enroll.yaml configuration and the 
expected value is an HMAC256 (hex notation) of the DER encoded CSR.


best regards

Oliver
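
Added example (not part of the original mail and not OpenXPKI code): computing the signature value described above, an HMAC-SHA256 in hex notation over the DER encoding of the CSR, and placing it in the form fields of the RequestCertificate call shown elsewhere in this thread. The secret, the sample bytes and all function names are assumptions made for the illustration; the secret is assumed to be used as raw bytes.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Constructed sample data: arbitrary bytes standing in for a DER encoded
# PKCS#10 request, and a placeholder for the secret from rpc/enroll.yaml.
SAMPLE_CSR_DER = b"\x30\x82 constructed sample bytes, not a real PKCS#10 request"
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_CSR_DER).decode("ascii")
    + "-----END CERTIFICATE REQUEST-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----"
    r"(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def csr_to_der(csr):
    """Return the DER bytes of a CSR given as PEM text or as raw DER."""
    if isinstance(csr, bytes):
        if not csr.lstrip().startswith(b"-----BEGIN"):
            return csr  # already DER
        csr = csr.decode("ascii")
    match = _PEM_RE.search(csr)
    if match is None:
        raise ValueError("no PEM certificate request block found")
    # Drop line breaks inside the armor before decoding the base64 body.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def csr_signature(csr, secret):
    """HMAC-SHA256 (hex) over the DER encoding, not over the PEM text."""
    return hmac.new(secret, csr_to_der(csr), hashlib.sha256).hexdigest()


def signature_is_valid(csr, secret, presented_hex):
    """Receiver-side check; constant-time comparison of the two hex strings."""
    expected = csr_signature(csr, secret).encode("ascii")
    presented = presented_hex.strip().lower().encode("ascii", "replace")
    return hmac.compare_digest(expected, presented)


def build_request_body(csr_pem, secret, comment="test"):
    """Form body with the fields used in the thread's RequestCertificate call."""
    return urlencode({
        "method": "RequestCertificate",
        "pkcs10": csr_pem,
        "comment": comment,
        "signature": csr_signature(csr_pem, secret),
    })


if __name__ == "__main__":
    print(build_request_body(SAMPLE_CSR_PEM, SAMPLE_SECRET))
```

A signature computed over the PEM text (armor lines and base64) does not equal the one computed over the decoded DER bytes, so decode the CSR first.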



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-08-04 Thread Antonio Gamboa
Hi Oliver.

I could set up the RPC API successfully, thanks.

But I have the following question: how could I create the signature
parameter in the RPC request? It is the HMAC authentication, right?
I want to send this signature to make an authenticated request in order to
avoid manual authorization in the UI.


Best regards.


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-17 Thread Oliver Welter

Hi Antonio,

I am sorry that all looks fine and I have no clue why this is not working.

Oliver



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-17 Thread Antonio Gamboa
Hi Oliver.

I think I have the correct realm [rpc/enroll.conf] :(

[global]
log_config = /etc/openxpki/rpc/log.conf
log_facility = client.rpc
socket = /var/openxpki/openxpki.socket
realm = df
#locale_directory: /usr/share/locale
default_language = en_US

[auth]
stack = _System

[input]
allow_raw_post = 1
parse_depth = 5

[output]
use_http_status_codes=1

[RequestCertificate]
workflow = certificate_enroll
param = pkcs10, profile, comment, signature
output = cert_identifier, certificate, chain, error_code, transaction_id
env = signer_cert, server
pickup = pkcs10, transaction_id
pickup_workflow = check_enrollment


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-16 Thread Oliver Welter

Hi Antonio,

it seems you have changed the name of the realm - did you also change
this in the rpc/enroll.conf?


Oli



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-15 Thread Antonio Gamboa
Hi Oliver, thanks

I am sorry to be such a bother with this configuration.

I have the endpoint definitions in */etc/openxpki/rpc/enroll.conf*, so I
guess the configuration for certificate profile must be in
*config.d/realm/df/rpc/enroll.yaml* (it's there)

My RPC call/endpoint is [POST] https://127.0.0.1/rpc/enroll

Thanks so much for your support


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-13 Thread Oliver Welter

Hello Antonio,

there is one pitfall that has not been fixed in the community workflow 
yet :(


The name of the endpoint is derived from the URL path and used to find 
the configuration file. Due to the nature of the configuration tree of 
OpenXPKI, no error is triggered when this configuration file is not 
found and the result is that the workflow is started without any 
configuration items which is then caught by the profile check. Long
story short - make sure you have the endpoint configured properly,
details are here
https://openxpki.readthedocs.io/en/latest/subsystems/index.html#wrapper-configuration


Oliver



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-13 Thread Antonio Gamboa
Hi Martin.

Thanks for your response.

I think the certificate profile 'tls_server' is OK (I have the profile in
the profiles' directory) even, I can see it and use it on the web UI.
I tried specifying the certificate profile in the RPC request (tls-server,
due to the mapping) but the message is the same.

What happens if the CSR does not have the required subject data? The message is
different from "Invalid Profile"

Cheers.

Gamboa


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-12 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I'm trying to issue a certificate using the default RPC configuration 
> (RequestCertificate method) but I get:
> {
> "result": {
> "id": 3583,
> "proc_state": "finished",
> "state": "FAILURE",
> "data": {
> "transaction_id": "723c94cd1fba71e96d1a5c240fdebf9801f74a1d",
> "error_code": "Invalid Profile"
> },
> "pid": 3481
> }
> }
> 
> I'm not setting a certificate profile in the request, I guess it's 
> determining the certificate profile from my realm configuration 
> (config.d/realm/df/rpc/enroll.yaml)
> 
> profile:
>   cert_profile: tls_server
>   cert_subject_style: enroll
> 
> # Mapping of names to OpenXPKI profiles to be used with the
> # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
> profile_map:
> pc-client: tls_client
> tls-server: tls_server
> tls-client: tls_client
> #renewal-test: renewal_test
> 
> But honestly I don't understand the message "Invalid Profile" 

The system is telling you that it does not know which profile to use: the error 
happens if the enrollment workflow does not have information about the 
certificate profile to use.
Make sure that the profile tls_server (the default profile as per the above 
configuration) exists or specify an existing profile in the RPC request. 
Note that the value you are sending is mapped via profile_map to the actual 
profiles in your PKI Realm.

Cheers

Martin
 



Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-12 Thread Antonio Gamboa
Hi Oliver.

I'm trying to issue a certificate using the default RPC configuration
(RequestCertificate method) but I get:
{
  "result": {
    "id": 3583,
    "proc_state": "finished",
    "state": "FAILURE",
    "data": {
      "transaction_id": "723c94cd1fba71e96d1a5c240fdebf9801f74a1d",
      "error_code": "Invalid Profile"
    },
    "pid": 3481
  }
}

I'm not setting a certificate profile in the request, I guess it's
determining the certificate profile from my realm configuration
(config.d/realm/df/rpc/enroll.yaml)

profile:
  cert_profile: tls_server
  cert_subject_style: enroll

# Mapping of names to OpenXPKI profiles to be used with the
# Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
profile_map:
  pc-client: tls_client
  tls-server: tls_server
  tls-client: tls_client
  #renewal-test: renewal_test

But honestly I don't understand the message "Invalid Profile"

best regards


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-11 Thread Antonio Gamboa
Hi Oliver.

I really appreciate your quick response. I will give it a try.

Thanks.


Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-05 Thread Oliver Welter

Hi Antonio,

the certificate_privkey_export workflow is for downloading a key from
the datapool that was generated earlier by the WebUI based CSR workflow
so this is not really what you are looking for. The regular enrollment
workflow expects a properly formatted CSR and there is nothing inside it
to generate a key pair or pass subject data alongside in the published
default workflows.


I guess the best way would be to use two workflows, one to generate the
private key and a matching CSR (needs to be built from scratch, likely
based on the WebUI workflow) and then send this CSR to the regular
enrollment workflow.


best regards

Oliver



[OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-05 Thread Antonio Gamboa
Hi there.

I have been reading the documentation on workflows, but I can't figure out
how to define the process to generate the certificate and private key on
the server side (by using RPC API)

I think I need to use the workflow *def/certificate_privkey_export*, but I
am not sure how to pass the subject data in the RPC API POST request.

Another question is about the certificate request approval, can it be done
from the RPC API?

I would really appreciate any information that can help me with this
configuration.

Thanks in advance.

I really appreciate this project.