Hi,
I am doing a bit of a self-taught crash course into how CAs operate, so you'll have to excuse me if I get some terminology wrong. But I think you actually answered almost all of my questions; I had not dug deep into the workflow configs and missed the eligibility connectors. The only thing I am unclear on right now is if a cert is, or can be, blocked for renewal if it has been revoked. I am somewhat assuming this is standard behavior, but I just can't find it.

From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, 8 October 2020 12:58
To: [email protected]
Subject: Re: [OpenXPKI-users] questions about usage in bastion style setup

Hi,

I did not get in total what you are trying to achieve.

For the renewal topic you can use the enrollment workflow via RPC, EST or SCEP to let a user create a new certificate with the same properties as the one he already has by proving the ownership of the old key. See https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#renewal

For the initial request I don't know what your intention/problem is - yes, anyone can create a CSR, but it needs to be approved by an Operator. In case you have any external data sources, the system offers plenty of options to handle authentication and authorization by checking relations in those systems.

Oliver

On 08.10.20 at 11:15, Conz wrote:

Hi,

I'm looking into the possibility of using openxpki in a bastion setup to lock down access to a few Linux servers. I currently have the demo running in a VM, but I have some requirements that I don't know are possible or not.

The setup I have in mind is: ssh into the bastion with a password + 2FA and then get a short-term cert from the CA, requested by the bastion host, that allows access to other machines based on the principals in the certificate. So what I need from openxpki is that users can request an initial certificate with a certain access (profile?) that initially needs to be manually approved but can then be automatically renewed upon login to the bastion host, unless the last cert was revoked with, for example, the 'affiliation has changed' reason and not just expired.

I think apache can be used to restrict where new cert requests / renewals can originate from, unless there is a better way to do a little access control on that; the demo seems to allow anyone to request a cert. Is there actually a better way to do some access control and not allow the whole world to request certificates? (Obviously it'd be firewalled off, so only the figurative world ;) )

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
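As an added example that is not OpenXPKI's own code and not part of this thread, here is the renewal-eligibility rule the thread asks about, spelled out in Python with the `cryptography` library: a renewal is refused when the presented certificate appears on the issuing CA's CRL, and the CRL reason (for instance affiliation changed) is reported back. The CA name, the user names and the function names (`renewal_allowed`, `build_crl`, `demo`) are assumptions; the CA, certificates and CRL are constructed in-process so the check runs offline.

```python
# Added example, not OpenXPKI code; needs `cryptography`. CA, certs and CRL are built in-process.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2020, 10, 8, 12, 0, 0)  # constructed reference time
TD = datetime.timedelta

def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, pubkey, lifetime):
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + lifetime))

def make_ca():
    key = ec.generate_private_key(ec.SECP256R1())  # hypothetical "Demo Bastion CA"
    cert = (_builder("Demo Bastion CA", _name("Demo Bastion CA"), key.public_key(), TD(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, user):  # short-lived cert, as the bastion would request
    key = ec.generate_private_key(ec.SECP256R1())
    return _builder(user, ca_cert.subject, key.public_key(), TD(hours=8)).sign(ca_key, hashes.SHA256())

def build_crl(ca_key, ca_cert, revoked):  # revoked: list of (cert, x509.ReasonFlags)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + TD(days=1)))
    for cert, reason in revoked:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(NOW).add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())

def renewal_allowed(old_cert, crl, ca_cert):  # -> (allowed, why); trusts only a CA-signed CRL
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "crl signature invalid"
    entry = crl.get_revoked_certificate_by_serial_number(old_cert.serial_number)
    if entry is None:
        return True, "not revoked"
    reasons = [e.value.reason.name for e in entry.extensions if isinstance(e.value, x509.CRLReason)]
    return False, f"revoked ({reasons[0] if reasons else 'unspecified'})"

def demo():
    ca_key, ca_cert = make_ca()
    alice, bob = (issue_user_cert(ca_key, ca_cert, u) for u in ("alice", "bob"))
    crl = build_crl(ca_key, ca_cert, [(bob, x509.ReasonFlags.affiliation_changed)])
    return renewal_allowed(alice, crl, ca_cert), renewal_allowed(bob, crl, ca_cert)
```

In a real deployment the CRL signature check matters: an eligibility gate that consults an unauthenticated CRL can be bypassed by serving an empty one.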
