Hi,
I am trying to configure OpenXPKI with EST to use the client certificate for
authorisation of the CSR to /simpleenroll, but keep getting the following error:
'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED'
Do you have any examples of how to configure this? Most of the examples seem to
use the 'identifier' keyword, but do not explain how to create the identifier
hash.
File est.default:
  rule3:
    identifier: <hash>
The client certificate is not signed by the same CA as OpenXPKI is issuing for
and the CN is not the same.
The client certificate has been added to /etc/ssl/certs so Apache can
authenticate the client certificate.
The client provides both the client certificate and intermediate certificate,
to form the chain of trust.
Thanks in advance,
James
2020/01/20 13:45:33 DEBUG:1507 Config for service est loaded
2020/01/20 13:45:33 TRACE:1507 Global config: $VAR1 = {
'global' => {
'realm' => 'democa',
'servername' => 'default',
'log_config' => '/etc/openxpki/est/log.conf',
'log_facility' => 'client.est',
'socket' => '/var/openxpki/openxpki.socket'
},
'auth' => {
'stack' => '_System'
}
};
2020/01/20 13:45:33 INFO:1507 EST handler initialized
2020/01/20 13:45:33 DEBUG:1507 Incoming request /.well-known/est/simpleenroll
2020/01/20 13:45:33 DEBUG:1507 calling context is https
2020/01/20 13:45:33 INFO:1507 EST authenticated client DN: CN=Product1,O=Equip
Man 1 PLtd,ST=England,C=GB
2020/01/20 13:45:34 DEBUG:1507 Initialize client
2020/01/20 13:45:34 DEBUG:1507 Started volatile session with id:
8QLF2DPNT+y2ZaK/owPb9g==
2020/01/20 13:45:34 DEBUG:1507 Selecting auth stack _System
2020/01/20 13:45:35 DEBUG:1507 Workflow created (ID: 21503), State: FAILURE
2020/01/20 13:45:35 TRACE:1507 Result of workflow action: $VAR1 = {
'workflow' => {
'title' =>
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
'context' => {
'csr_digest_alg' => 'sha256',
'workflow_id' => '21503',
'p_approval_points' => '1',
'request_mode' => 'onbehalf',
'csr_subject_key_identifier' =>
'94:EF:8F:84:B9:B3:B5:4B:EB:42:38:4F:23:C5:FF:EE:44:1D:F5:19',
'cert_subject_parts' =>
'req_extensions' => {},
'cert_san_parts' => '',
'p_allow_replace' => '1',
'signer_cert' => '-----BEGIN
CERTIFICATE-----
Xxxxx
-----END CERTIFICATE-----
',
'creator' => 'anonymous',
'transaction_id' =>
'bf5aaee3061d69b25cd77d4c0812c7ba27334096',
'sources' =>
'OXJSF1:{"signer_cert":"api","req_extensions":"PKCS10","pkcs10":"api","req_attributes":"PKCS10","interface":"api","cert_subject_parts":"PKCS10","cert_subject_alt_name":"PROFILE","transaction_id":"api","server":"api"}',
'signer_in_current_realm' => 0,
'server' => 'default',
'wf_current_action' => undef,
'signer_authorized' => 0,
'p_allow_man_authen' => '1',
'p_auto_revoke_existing_certs' => '1',
'req_attributes' => {},
'signer_subject' =>
'CN=Product1,O=Equip Man 1 PLtd,ST=England,C=GB',
'p_max_active_certs' => '1',
'signer_validity_ok' => '1',
'pkcs10' => '-----BEGIN CERTIFICATE
REQUEST-----
Xxxxxxx
-----END CERTIFICATE REQUEST-----
',
'p_allow_anon_enroll' => '0',
'p_allow_eligibility_recheck' => '1',
'cert_subject_alt_name' => 'OXJSF1:[]',
'error_code' =>
'I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED',
'p_export_certificate' => 'chain',
'signer_revoked' => 0,
'cert_subject_style' => 'enroll',
'interface' => 'est',
'cert_profile' => 'tls_nmos',
'cert_info' => '',
'p_allow_man_approv' => '1',
'csr_key_alg' => 'rsa',
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
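Added example, not code from the post or from the OpenXPKI project: it computes the value that would go into the `identifier:` line above from the signer certificate's PEM. It assumes (my understanding of OpenXPKI's identifier format, not confirmed by this thread) that the identifier is the SHA-1 digest of the DER-encoded certificate, base64-encoded with the URL-safe alphabet and the `=` padding stripped; the function names `pem_to_der`, `cert_identifier` and `est_signer_rule` are hypothetical.

```python
import base64
import hashlib
import re

# Matches the first certificate block in a PEM file (chains may contain several).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Strip the line breaks that wrap the base64 body before decoding.
    return base64.b64decode("".join(m.group(1).split()))


def cert_identifier(pem: str) -> str:
    """Assumed OpenXPKI identifier: SHA-1 over the DER certificate, base64 with
    the URL-safe alphabet ('-' and '_' instead of '+' and '/'), no '=' padding."""
    digest = hashlib.sha1(pem_to_der(pem)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def est_signer_rule(pem: str, name: str = "rule3") -> str:
    """Render the rule entry from the post with the computed hash filled in."""
    return f"{name}:\n    identifier: {cert_identifier(pem)}\n"


if __name__ == "__main__":
    # Usage: python cert_identifier.py client-cert.pem
    import sys

    with open(sys.argv[1]) as fh:
        print(est_signer_rule(fh.read()), end="")
```

Run it against the PEM of the certificate the EST client authenticates with (the one whose DN appears in the "EST authenticated client DN" log line), not the intermediate; only the matching rule will flip `signer_authorized` from 0.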