Hi Oliver

With a new CSR it worked, thanks for your help! This is good for a test drive, what does the production use case look like? Would you normally have a client certificate issued by the same PKI to request the signing of the CSR?

Many thanks
Enrique

On 02/09/2020, 22:37, "Cano Carballar, Enrique (GE Digital)" <[email protected]> wrote:

Hi Oliver

Appreciate your prompt reply. No, I reused the same CSR, will try a brand new one and see how it goes. Yes, I restarted the server.

Many thanks for your help
Enrique

On 02/09/2020, 19:48, "Oliver Welter" <[email protected]> wrote:

Hi Enrique,

did you create a new CSR? The pickup works based on the csr/key hash so if you reuse the same CSR/key the old workflow is picked up.

You also need to restart the server to activate the config changes.

Oliver

On 02.09.20 at 19:18, Cano Carballar, Enrique (GE Digital) wrote:
> Oliver
>
> Thank you, I appreciate your time helping me out with this.
>
> I have this in democa/est/default.yaml:
>
> label: Enrollment
>
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:scepclient,.*
>     rule2:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>
> renewal_period: 000060
>
> # You must set at least one of both options or remove the is_policy_loaded
> # condition in the workflow definition
> policy:
>     allow_anon_enroll: 1
>     approval_points: 0
>     max_active_certs: 0
>     allow_replace: 0
>     export_certificate: chain
>
> profile:
>     cert_profile: tls_server
>     cert_subject_style: enroll
>
>
> eligible:
>     initial:
>         value: 1
>
>     renewal:
>         value: 1
>
>     onbehalf:
>         value: 1
>
> Still, when I do:
>
> $ curl -k https://localhost:8443/.well-known/est/simpleenroll -s --data-binary @req.p10 -H "Content-Type: application/pkcs10"
>
> I get:
>
> Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
>
> Am I missing anything?
>
> Thanks again for your help
>
> Enrique
>
> On 02/09/2020, 08:21, "Oliver Welter" <[email protected]> wrote:
>
> Hello Enrique,
>
> that's intended behaviour - the default configuration expects an "on
> behalf" request authenticated with a TLS signer certificate. Using Basic
> Auth is not supported at the moment.
>
> Please see this - very detailed - documentation of the enrollment
> workflow and its configuration:
> https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html
>
> There is also a section for a "sign all" testdrive configuration
> https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure
>
> best regards
>
> Oliver
>
> On 01.09.20 at 16:12, Cano Carballar, Enrique (GE Digital) wrote:
> > Hi!
> >
> > I’ve got openxpki running with docker-composer, pretty much following
> > the instructions as described here:
> > https://github.com/openxpki/openxpki-docker.
> >
> > I’m trying to use the EST protocol to sign a certificate request, and
> > I’m using the following URL:
> >
> > curl -k -v https://localhost:8443/.well-known/est/simpleenroll -s -o cert.p7 --data-binary @req.p10 -H "Content-Type: application/pkcs10"
> >
> > But instead of the certificate, I’m getting this error message:
> >
> > $ cat cert.p7
> >
> > Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
> >
> > My questions are:
> >
> > 1. Do I need to create a user and send username and password using
> >    basic authentication?
> > 2. Do I need to use a client certificate instead?
> > 3. Can I accept anonymous requests for testing purposes?
> >
> > Many thanks in advance
> >
> > Enrique
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
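
The two points from the thread (a brand-new key/CSR for each enrollment, and an "on behalf" request authenticated with a TLS signer certificate) put together as an added shell example; it is not from the thread or from the OpenXPKI project. The file names, `EST_CA`, the function names and the sample subject are assumptions, and `csr_digest` is only a local fingerprint for spotting a reused request, not OpenXPKI's own csr/key hash.

```shell
#!/bin/sh
# Added example (assumptions: file names, EST_CA, function names).
# The URL is the one used in the thread.
EST_URL="${EST_URL:-https://localhost:8443/.well-known/est/simpleenroll}"
EST_CA="${EST_CA:-ca-chain.pem}"   # placeholder: CA bundle that issued the server cert

# new_csr DIR CN: create a fresh private key and CSR in DIR.
# A new key per request avoids picking up an old workflow by its csr/key hash.
new_csr() {
    csr_dir=$1
    csr_cn=$2
    # umask in a subshell so the private key is not group/world readable
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$csr_dir/key.pem" -out "$csr_dir/req.pem" \
          -subj "/CN=$csr_cn" 2>/dev/null ) || return 1
    # RFC 7030 carries the PKCS#10 request as base64-encoded DER
    openssl req -in "$csr_dir/req.pem" -outform DER |
        openssl base64 > "$csr_dir/req.p10"
}

# csr_digest FILE: SHA-256 over the DER form of a PEM CSR.
# Two submissions with the same digest are the same request.
csr_digest() {
    openssl req -in "$1" -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# est_enroll DIR SIGNER_CERT SIGNER_KEY: submit DIR/req.p10 over mutual TLS.
# The signer certificate's subject has to match an authorized_signer rule,
# e.g. "CN=.+:pkiclient,.*" from the config quoted in the thread.
# --cacert replaces the -k used in the test drive, so the server is verified.
est_enroll() {
    enroll_dir=$1
    signer_cert=$2
    signer_key=$3
    curl -sS --fail \
        --cacert "$EST_CA" --cert "$signer_cert" --key "$signer_key" \
        -H "Content-Type: application/pkcs10" \
        --data-binary "@$enroll_dir/req.p10" \
        -o "$enroll_dir/cert.p7" "$EST_URL"
}

# Usage (constructed values):
#   work=$(mktemp -d) && new_csr "$work" "device01.example.org" &&
#       est_enroll "$work" signer.crt signer.key
```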
