Re: [OpenXPKI-users] EST using different profiles

2023-02-03 Thread Lixin Liu
I think I figured out what I missed. I need to create a custom.conf file in 
the global est directory.
I can now create a new request with the proper profile option.

Cheers,

Lixin.


Re: [OpenXPKI-users] EST using different profiles

2023-02-02 Thread Lixin Liu
Turning on DEBUG, I am seeing

2023/02/02 10:43:32 openxpki.application.WARN No policy params set in LoadPolicy [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]
2023/02/02 10:43:32 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]
2023/02/02 10:43:32 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=107385|user=Anonymous|role=System|sid=Ki4O|wftype=certificate_enroll|wfid=22527]

Any hint where I should look?

Thanks,

Lixin.



Re: [OpenXPKI-users] EST using different profiles

2023-02-02 Thread Lixin Liu
Hi Oliver,

Thanks for your reply. 

I followed your suggestion to create an estcustom.yaml file with the only 
change being cert_profile.
I can get CA certs using

curl -s https:///.well-known/est/custom/cacerts

But when I try to submit a CSR, it returns an invalid profile error:

# curl -s -H "Content-Type: application/pkcs10" --data @test-req.pem https:///.well-known/est/custom/simplereenroll
I18N_OPENXPKI_UI_INVALID_PROFILE

RA Web site shows:

FAILURE
This workflow failed finally and can not be restarted
  Error Code: Invalid Profile
  API Endpoint: custom
  Server Interface: est
  Transaction ID: 641418b87c6467502b977d722eeff4e0b5b929f7

The same yaml file works if I move it to default.yaml.

What did I miss?

Thanks again.

Lixin.


Re: [OpenXPKI-users] EST using different profiles

2023-02-01 Thread Oliver Welter

Hi Lixin,

as long as you have only one realm and do not need any special setup, it 
is sufficient to add a new configuration item in config.d/democa/est/ 
with the expected settings. This will be automatically picked up when 
you use the name of the file as an EST ca label: /.well-known/est/.


For example: Copy config.d/democa/est/default.yaml to 
config.d/democa/estcustom.yaml, change the "profile" entry and use 
/.well-known/est/custom as the URL for your EST client. Some clients will 
autocomplete the URL and only accept a "calabel", which is "custom" in 
this case. If you need more control over the "outer" wrapper 
configuration, also create an appropriate file est/custom.conf; if this 
is not present, it will inherit from default.


HTH

Oliver

-- 
Protect your environment - close windows and adopt a penguin!



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] EST using different profiles

2023-02-01 Thread Lixin Liu
Hi Martin,

Sorry, I am new to the OpenXPKI product and still trying to learn how to 
customize it to my needs.

I am not sure how to define a new endpoint. Should I create a new ScriptAlias 
in the Apache configuration to, say, /.well-known/user-est and then create a 
directory user-est with its configuration in the realm directory?

Could you provide an example of how this is done?

I also had an issue using the user_auth_enc profile with EST and found the 
"enroll" style wasn't defined in user_auth_enc.yaml. It worked after I added it.

Thanks,

Lixin.



Re: [OpenXPKI-users] EST using different profiles

2023-02-01 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I have only one CA, but is it possible to configure EST with 2 different 
> profiles?
> I would like to setup one for User certs. and one for TLS server certs.

Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST, 
SCEP and RPC endpoints. 

Each endpoint has its own distinct configuration, making it possible to provide 
endpoints, e. g. specific for a device group. (In terms of long term 
manageability this is an important feature, making it possible to modify the 
enrollment policy e. g. only for your printers while leaving the enrollment 
policy for phones unchanged.)

Each endpoint has a default certificate profile configuration which is selected 
if no other supported profile is requested by the client (and accepted by the 
endpoint).

The client may override the configured default profile by including the 
Microsoft specific extension 1.3.6.1.4.1.311.20.2 
(szOID_ENROLL_CERTTYPE_EXTENSION, 
http://oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.311.20.2&a=display) in 
the submitted CSR.

If the profile requested by the client is contained in the profile mapping of 
the endpoint configuration, the mapped profile is used for the incoming 
certificate request, otherwise the default is used.

HTH

Martin




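Martin's selection rule above (a requested template that is present in the endpoint's profile mapping selects the mapped profile, anything else gets the endpoint default), worked through as an added example. This is not OpenXPKI's code or configuration: it is a stdlib-only Python sketch that DER-encodes an X.509 Extensions block carrying szOID_ENROLL_CERTTYPE_EXTENSION (1.3.6.1.4.1.311.20.2) the way a Windows-style enrollment client puts it into a CSR, walks the DER back out on the receiving side, and applies the mapping. The ENDPOINT_MAPPING table, DEFAULT_PROFILE and the template names "user" and "WebServer" are constructed for the demo and are not real OpenXPKI settings.

```python
"""Profile selection from the Microsoft certificate-template extension.
Added example, not OpenXPKI code. Encodes and decodes only the DER it needs;
the endpoint mapping and template names below are constructed for the demo."""

CERTTYPE_OID = "1.3.6.1.4.1.311.20.2"   # szOID_ENROLL_CERTTYPE_EXTENSION

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def encode_certtype_extension(template_name):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    The template name travels as a BMPString (UTF-16BE) inside extnValue."""
    bmp = _tlv(0x1E, template_name.encode("utf-16-be"))
    return _tlv(0x30, encode_oid(CERTTYPE_OID) + _tlv(0x04, bmp))

def encode_extensions(extensions):
    """Extensions ::= SEQUENCE OF Extension (the CSR attribute payload)."""
    return _tlv(0x30, b"".join(extensions))

def requested_template(extensions_der):
    """Template name carried by the certtype extension, or None if absent."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        if decode_oid(oid_body) != CERTTYPE_OID:
            continue
        tag, value, p = _read_tlv(ext, p)
        if tag == 0x01:                 # optional BOOLEAN "critical" flag
            tag, value, p = _read_tlv(ext, p)
        inner_tag, inner, _ = _read_tlv(value, 0)
        if inner_tag == 0x1E:           # BMPString
            return inner.decode("utf-16-be")
        return None                     # unexpected encoding: treat as absent
    return None

def select_profile(extensions_der, mapping, default):
    """Rule from the thread: a requested template that appears in the
    endpoint mapping selects the mapped profile; anything else, including
    no extension at all, falls back to the endpoint default."""
    name = requested_template(extensions_der)
    if name is not None and name in mapping:
        return mapping[name]
    return default

# Constructed endpoint settings for the demo (assumption, not an OpenXPKI file).
ENDPOINT_MAPPING = {"user": "user_auth_enc", "tls_server": "tls_server"}
DEFAULT_PROFILE = "tls_client"

def demo():
    cases = {
        "no extension": encode_extensions([]),
        "mapped":       encode_extensions([encode_certtype_extension("user")]),
        "unmapped":     encode_extensions([encode_certtype_extension("WebServer")]),
    }
    return {k: select_profile(v, ENDPOINT_MAPPING, DEFAULT_PROFILE)
            for k, v in cases.items()}
```

demo() returns the profile chosen for the three cases. The point worth checking in a real deployment is the one the rule implies: the template name is chosen by the client, so the endpoint mapping is the allowlist that bounds which profiles an EST caller can reach, and a name that is not in the mapping is not rejected but silently issued under the default profile, which is why the default of an endpoint should be the least privileged profile that endpoint is meant to serve.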


[OpenXPKI-users] EST using different profiles

2023-01-31 Thread Lixin Liu
Hi,

I have only one CA, but is it possible to configure EST with 2 different 
profiles?
I would like to set up one for user certs and one for TLS server certs.

Thanks,

Lixin.

