Hi,

a certificate that is expired or has been revoked can - of course - not be used in a PoP renewal:
https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L100

Oliver

On 08.10.20 at 14:30, Conz wrote:
> Hi,
>
> I am doing a bit of a self-taught crash course into how CAs operate, so you'll have to excuse me if I get some terminology wrong.
>
> But I think you actually answered almost all of my questions; I had not dug deep into the workflow configs and missed the eligibility connectors.
>
> The only thing I am unclear of right now is if a cert is or can be blocked for renewal if it has been revoked. I am somewhat assuming this is standard behavior but I just can't find it.
>
> *From:* Oliver Welter [mailto:[email protected]]
> *Sent:* Thursday, 8 October 2020 12:58
> *To:* [email protected]
> *Subject:* Re: [OpenXPKI-users] questions about usage in bastion style setup
>
> Hi,
>
> I did not get in total what you are trying to achieve.
>
> For the renewal topic you can use the enrollment workflow via RPC, EST or SCEP to let a user create a new certificate with the same properties as the one he already has by proving the ownership of the old key.
>
> See https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#renewal
>
> For the initial request I don't know what your intention/problem is - yes, anyone can create a CSR but it needs to be approved by an Operator. In case you have any external data sources, the system offers plenty of options to handle authentication and authorization by checking relations in those systems.
>
> Oliver
>
> On 08.10.20 at 11:15, Conz wrote:
>
> Hi,
>
> I'm looking into the possibility of using openxpki in a bastion setup to lock down access to a few linux servers and I currently have the demo running in a vm, but I have some requirements that I don't know if it's possible or not.
>
> The setup I have in mind is ssh into the bastion with a password + 2fa and then get a short term cert from the CA requested by the bastion host that allows access to other machines based on the principals in the certificate.
>
> So what I need from openxpki is that users can request an initial certificate with a certain access (profile?) that initially needs to be manually approved but can then be automatically renewed upon login to the bastion host unless the last cert was revoked with for example the 'affiliation has changed' reason and not just expired.
>
> I think apache can be used to restrict where new cert requests / renews can originate from unless there is a better way to do a little access control on that; the demo seems to allow anyone to request a cert.
>
> Is there actually a better way to do some access control and not allow the whole world to request certificates? (Obviously it'd be firewalled off so only the figurative world ;) )
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
