Hello Mr Martin,

About this answer: "When using the enrollment interfaces the client generates its private key, creates a PKCS#10 request from it and sends the request to the PKI for certification. The PKCS#10 request does not include the private key, so it is only public information. PKCS#12 contains both the certificate and the private key - which the PKI does not have."

So all I need is to manually generate PKCS12 with my own private key and protect them with a password via OpenSSL? I just tried this and it worked:
https://www.ibm.com/support/knowledgecenter/en/SSCRJU_4.1.1/com.ibm.streams.cfg.doc/doc/creating-pkcs12-file.html

And there is no way to do it from OpenXPKI?

Thank you.

Regards,
Sandy Kristiawan.

On Wed, 24 Mar 2021 at 14:42, Martin Bartosch via OpenXPKI-users <[email protected]> wrote:

> Hi Sandy,
>
> > I am very new at using OpenXPKI.
>
> Welcome to the crowd!
>
> > I just installed the OpenXPKI on my Debian VM and run the configuration
> > through sampleconfig script (for learning purpose and hope that I can use
> > it in the future for projects).
>
> Sounds good. But do not use sampleconfig for anything that is meant to
> work in some sort of production environment.
>
> > But I tried requesting a certificate through an API call, and I cannot
> > define the profile that I want to use. Because whenever I set the profile
> > to anything known like tls_server, tls_client, user_auth_enc it always
> > gives an error message: "Invalid Profile".
>
> The profile specified via the API needs to be explicitly whitelisted,
> otherwise the system will reject the client choice.
>
> profile_map:
>     pc-client: tls_client
>     tls-server: tls_server
>     tls-client: tls_client
>
> This map's keys list the logical profile names accepted from the client, the
> corresponding values are the resulting internal profile names.
>
> > The process will succeed if I don't define the profile but the used
> > profile for making the certificate becomes "tls_server" by default.
>
> This is the default profile defined in profile.cert_profile
>
> > And I find that I cannot find the download PKCS12 button (on certificate
> > details) when the certificate is generated, unlike if I generate the
> > certificate through Web UI the Download Private key as PKCS12 button is
> > shown. Because I need the PKCS12 file for certifying a PDF.
> >
> > The body that I sent to the API URL is the PKCS10 and also the profile
> > (string). But like I have said before, when I put the profile in the body
> > it just gives me Invalid profile response.
> >
> > How do I request a certificate correctly through an API call? I want the
> > generated certificate to also have an option for downloading the private
> > key as PKCS12 too just like if I request the certificate through the Web UI.
>
> When using the enrollment interfaces the client generates its private key,
> creates a PKCS#10 request from it and sends the request to the PKI for
> certification. The PKCS#10 request does not include the private key, so it
> is only public information.
> PKCS#12 contains both the certificate and the private key - which the PKI
> does not have.
>
> Cheers
>
> Martin
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
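
The client-side flow discussed in this thread, as an added example that is not part of the original messages and not OpenXPKI's own code: the key and PKCS#10 request are created locally, and the PKCS#12 bundle is built on the client once a certificate exists. The self-signing step is only an offline stand-in for the certificate the PKI would return; the subject, password, file names and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Subject, password and file names are constructed placeholders.

# Step 1 (client): generate the private key locally and build the PKCS#10
# request from it. Only client.csr would be sent to the PKI.
make_request() {  # $1 = working directory, $2 = subject DN
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/client.key" 2>/dev/null &&
    chmod 600 "$1/client.key" &&
    openssl req -new -key "$1/client.key" -subj "$2" -out "$1/client.csr"
}

# The request carries the matching public key and no private key material.
request_is_public_only() {  # $1 = CSR file, $2 = private key file
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ] &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# Step 2 (stand-in): self-sign so the example runs offline. In real use the
# certificate comes back from the PKI in response to client.csr.
sign_stand_in() {  # $1 = working directory
    openssl x509 -req -in "$1/client.csr" -signkey "$1/client.key" \
        -days 1 -out "$1/client.crt" 2>/dev/null
}

# Step 3 (client): combine the local key and the issued certificate into a
# password-protected PKCS#12 file. The password is passed through the
# environment so it does not appear in the process argument list.
make_p12() {  # $1 = working directory, $2 = password
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/client.key" \
        -in "$1/client.crt" -name client -passout env:P12_PASS \
        -out "$1/client.p12"
}

# True only if the bundle opens with the password and holds key and cert.
p12_has_key_and_cert() {  # $1 = PKCS#12 file, $2 = password
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes 2>/dev/null |
        awk '/BEGIN CERTIFICATE/ {c=1} /BEGIN.*PRIVATE KEY/ {k=1} END {exit !(c && k)}'
}

work=$(mktemp -d)
make_request "$work" "/CN=Constructed Test User" &&
    sign_stand_in "$work" &&
    make_p12 "$work" "constructed-password" &&
    echo "PKCS#12 bundle written to $work/client.p12"
```
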
