Hi Perryn,
First of all, in the default config the name is not "tls_client", but
"pc-client". Have a look into /etc/openxpki/.../scep/generic.yaml,
"profile_map", which converts the 1.3.6.1.4.1.311.20.2 names to OpenXPKI
profile names. The default looks like this:
# Mapping of names to OpenXPKI profiles to be used with the
# Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
profile_map:
    pc-client: tls_client
I use openssl with a config. The following works for me (some parts I skipped
with "..."):
oid_section = new_oids
[ req ]
...
distinguished_name = req_dn
attributes = req_attributes
req_extensions = req_ext
[ new_oids ]
certTemplateName = 1.3.6.1.4.1.311.20.2
[ req_dn ]
[ req_attributes ]
[ req_ext ]
...
certTemplateName = ASN1:UTF8String:pc-client
and then
openssl req -new -config my.cnf -subj "..." -out my.csr
The oid_section must be on the top-level, above [ req ].
Regards
Petr
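As an added example (not part of the thread and not OpenXPKI's or OpenSSL's own code), the following standard-library Python builds the 1.3.6.1.4.1.311.20.2 extension exactly as the CSR dump earlier in the thread shows it (extnValue OCTET STRING wrapping a DER UTF8String, the "0C 09" in front of "pc-client"), decodes it back while rejecting a value that is not a UTF8String, and runs the name through the profile_map quoted above. The PROFILE_MAP/DEFAULT_PROFILE values are taken from the generic.yaml fragment in this thread; the fallback to the default profile in select_profile is an assumption made for illustration, not OpenXPKI's documented behaviour.

```python
"""Encode and check the Microsoft Certificate Template Name extension
(OID 1.3.6.1.4.1.311.20.2) as the thread's CSR carries it: the extension's
OCTET STRING holds a DER UTF8String (tag 0x0C), which is why openssl's text
dump prints two non-printable bytes before the name ("..pc-client").
Standard library only; no openssl or cryptography dependency."""

CERT_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"

# Assumed for illustration: the default mapping quoted from generic.yaml.
# This lookup stands in for OpenXPKI's profile selection; it is not its code.
PROFILE_MAP = {"pc-client": "tls_client"}
DEFAULT_PROFILE = "tls_server"  # cert_profile default from the thread's config


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def encode_template_name(name: str) -> bytes:
    """extnValue content: what openssl's 'ASN1:UTF8String:pc-client' emits."""
    return der_tlv(0x0C, name.encode("utf-8"))


def encode_extension(name: str) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }."""
    return der_tlv(0x30, encode_oid(CERT_TEMPLATE_NAME_OID)
                   + der_tlv(0x04, encode_template_name(name)))


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def decode_template_name(ext_der: bytes) -> str:
    """Recover the template name; reject anything that is not a UTF8String."""
    tag, seq, end = read_tlv(ext_der, 0)
    if tag != 0x30 or end != len(ext_der):
        raise ValueError("not a single Extension SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06 or der_tlv(0x06, oid) != encode_oid(CERT_TEMPLATE_NAME_OID):
        raise ValueError("not the certificate template name extension")
    tag, octets, pos = read_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN; skip it if present
        tag, octets, pos = read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("extnValue must be the final OCTET STRING")
    tag, utf8, inner_end = read_tlv(octets, 0)
    if tag != 0x0C or inner_end != len(octets):
        raise ValueError("template name is not a DER UTF8String")
    return utf8.decode("utf-8")


def select_profile(ext_der: bytes, profile_map=PROFILE_MAP,
                   default=DEFAULT_PROFILE) -> str:
    """Illustrative profile_map lookup (fallback to default is assumed)."""
    return profile_map.get(decode_template_name(ext_der), default)


if __name__ == "__main__":
    ext = encode_extension("pc-client")
    print(ext.hex())
    print(decode_template_name(ext), "->", select_profile(ext))
```

The decoder deliberately fails on an OCTET STRING that holds the bare bytes "pc-client" without the UTF8String wrapper, which is the kind of encoding a hand-written `-addext` value tends to produce; comparing `encode_extension("pc-client").hex()` against `openssl asn1parse -i` output of a CSR generated with the config above is a quick way to confirm the two agree.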
From: Perryn Gordon [mailto:[email protected]]
Sent: Tuesday, August 4, 2020 4:30 AM
To: mail <[email protected]>
Cc: openxpki-users <[email protected]>
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
CAUTION: This email originated from outside of the Advantech organization. Do
not click any link or open any attachment unless you recognize the sender and
know the content is 100% safe! If you are not sure this email is legitimate,
please contact IT.Helpdesk immediately.
Here is one of the methods I have tried:
[root@bf1c2596355e ~]# openssl req -new -keyout tmp/scep-test.key -out tmp/scep-test.csr \
    -newkey rsa:2048 -nodes -subj "/CN=Perryn Gordon:tls_client" \
    -addext "1.3.6.1.4.1.311.20.2=tls_client"
Error Loading command line extensions
139633151907648:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto/x509v3/v3_conf.c:78:
139633151907648:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=1.3.6.1.4.1.311.20.2, value=tls_client
________________________________
From: "mail" <[email protected]>
To: "mail" <[email protected]>, "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 7:54:36 PM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
In regards to SCEP,
I see references to different ways to set the profile for the request, but I am
not able to implement any of them successfully.
What is the correct way, or ways, to indicate a non-default profile. I am
trying to get a tls_client in particular at the moment.
Thank-you!!!
Perryn
________________________________
From: "mail" <[email protected]>
To: "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 2:24:41 PM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
Yes, thank-you Oliver!!
This fixed my issue as well.
Perryn
________________________________
From: "Petr Gotthard" <[email protected]>
To: "openxpki-users" <[email protected]>
Sent: Monday, August 3, 2020 4:09:21 AM
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
Solved! That was the issue.
Thanks, Oliver!
Regards,
Petr
-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, July 30, 2020 5:00 PM
To: [email protected]
Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
Hi Petr,
there was a migration bug in the config in 3.4 which is fixed in v3.6 - I
assume this line starts with "ds_key" in your config, you need to change this
to "hash_key":
https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L629
Oliver
Am 30.07.20 um 13:46 schrieb Petr Gotthard:
> Hi Oliver,
> There is nothing else between PARSED and PROFILE_SET. The flow starts
> like this:
>
> INITIAL                              enroll_initialize                AUTORUN EXECUTE
> INITIAL_ENROLL_INITIALIZE_0          global_map_url_params            AUTORUN
> INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id        AUTORUN
> INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes   AUTORUN
> INITIAL_ENROLL_INITIALIZE_3          global_load_policy               AUTORUN
> INITIAL_ENROLL_INITIALIZE_4          global_set_profile               AUTORUN
> INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10              AUTORUN
> PARSED                               global_noop                      AUTORUN
> PROFILE_SET                          enroll_render_subject            AUTORUN
> PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes   AUTORUN
> READY_TO_PROCESS                     global_check_authorized_signer   AUTORUN
> SIGNED_REQUEST                       enroll_set_mode_initial          AUTORUN
> START_INITIAL                        enroll_calculate_hmac            AUTORUN
>
>
> The CSR (for this request) is this:
>
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject:
> commonName = mujrouter:test
> domainComponent = Test Deployment
> domainComponent = OpenXPKI
> domainComponent = org
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:d3:9e:76:e7:cb:25:76:b6:77:3f:7a:5b:92:2e:
> <snip>
> 88:a1
> Exponent: 65537 (0x10001)
> Attributes:
> Requested Extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Extended Key Usage: critical
> TLS Web Server Authentication
> X509v3 Subject Alternative Name:
> DNS:zabbix.conel.cz
> 1.3.6.1.4.1.311.20.2:
> ..pc-client
> Signature Algorithm: sha256WithRSAEncryption
> 59:27:5f:64:86:3f:5e:95:68:1a:89:f6:9d:c5:05:8e:75:49:
> <snip>
> 75:1a:ca:9c
>
> I did notice two dots before the "pc-client" string above. That's the
> "ASN1:UTF8String" encoding-- 0x0C as the UTF8String type and then 0x09 as the
> length of the string:
>
> SEQUENCE {
> OBJECT IDENTIFIER
> enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
> OCTET STRING 0C 09 70 63 2D 63 6C 69 65 6E 74
> }
>
> Is that the expected encoding, or am I doing something wrong? The examples
> across the internet are not very consistent.
>
>
> Regards,
> Petr
>
> -----Original Message-----
> From: Oliver Welter [mailto:[email protected]]
> Sent: Thursday, July 30, 2020 10:00 AM
> To: [email protected]
> Subject: Re: [OpenXPKI-users] Workflow selection and SCEP
>
>
> Hi Petr,
>
> yes it should work this way - can you please check if your workflow
> history contains the step
>
> PARSED > set_profile_from_extension > PROFILE_SET
>
> If not, whats the action used between those two states?
>
>
> Oliver
>
> Am 29.07.20 um 18:38 schrieb Petr Gotthard:
>> Hello,
>>
>> I am using OpenXPKI 3.4.0 and I want to issue both client and server
>> certificates via SCEP. I found in the docs that the
>> "1.3.6.1.4.1.311.20.2" extension can be used to select the
>> certificate template, so I tried.
>>
>> In /etc/openxpki/config.d/realm.tpl/scep/generic.yaml I have the
>> default configuration, which says:
>>
>> profile:
>>     cert_profile: tls_server
>>     cert_subject_style: enroll
>>
>> profile_map:
>>     pc-client: tls_client
>>
>> Now, when I issue an enrollment request via SCEP with this extension
>> I can see in the Workflow Context an entry "req_extensions" with
>> "certificateTemplateName, pc-client", so I guess the parameter was
>> encoded correctly. I thought that inclusion of "pc-client" will
>> select the "tls_client" from the profile map, but it seems to not work this
>> way.
>>
>> Am I doing something wrong, please?
>>
>> Petr Gotthard
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
--
Protect your environment - close windows and adopt a penguin!