Hi Eddy, my colleague Martin had a deeper look into your data and we found the problem :)
The construction of the "key identifier" is only loosely defined in RFC 5280, but we never saw any tools with a different behaviour - as of today. As a CSR does not include a key identifier in the ASN.1 structure, we use the definition from the RFC and use the SHA-1 hash of the public key. For the certificate, we read the key identifier from the ASN.1 structure (if set), and surprisingly the value in your signature certificate does not match the expected one.

Bottom line: you are using the correct key/certificate, but the assumption we made is wrong and we therefore fail to detect this properly. We are currently discussing how to solve this properly in OpenXPKI, but at the moment there is no "quick hack" I can offer on this side other than reworking the conditions in the workflow as described in my last post.

Oliver

On 07.05.21 at 08:00, Oliver Welter wrote:
> Hello Eddy,
>
> as I already said last week
> https://sourceforge.net/p/openxpki/mailman/message/37269596/ - to be
> recognized as an "initial enrollment" the request must be self-signed
> - at least in our world this means that the public key used in the CSR
> must also be used to sign the SCEP envelope.
>
> As you can see here, this is not the case:
>
> csr_subject_key_identifier
> A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0
> signer_subject_key_identifier
> 60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F
>
> The complete enrollment workflow is described here:
> https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html
>
> If you want to change this detection logic you can rework the
> conditions in the workflow; you find this here:
> https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L30
>
> The better way would be IMHO to try to fix this in your SCEP client.
>
> best regards
>
> Oliver
>
> On 06.05.21 at 22:27, Eddy BODIN via OpenXPKI-users wrote:
>>
>> Hello,
>>
>> we're trying to enroll with SCEP a newly created certificate, using a
>> Cryptlib-based client, on an OpenXPKI server on the default realm
>> called "democa". We expect to have an initial enrolment, but instead,
>> regarding the workflow, we reach state "START_RENEWAL" after
>> "SIGNED_REQUEST". In the workflow the CSR is not considered as
>> self-signed, leading to this issue.
>>
>> The newly created certificate has a new transaction_id and a new DN
>> and common name.
>>
>> What possible reason could lead to this issue?
>>
>> Thanks.
>>
>> Workflow Context:
>>
>> cert_profile                   tls_server
>> cert_subject                   CN=20210506-C-220638,DC=Test Deployment,DC=OpenXPKI,DC=org
>> cert_subject_parts             C: FR
>>                                CN: 20210506-C-220638
>>                                O: MYORGANISATION
>>                                OU: MYUNIT
>> cert_subject_style             enroll
>> creator                        generic
>> csr_digest_alg                 sha256
>> csr_key_alg                    rsa
>> csr_key_params                 key_length: 4096
>> csr_subject                    CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
>> csr_subject_key_identifier     A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0
>> error_code                     Renewal request is for certificate from foreign realm!
>> interface                      scep
>> p_allow_anon_enroll            0
>> p_allow_eligibility_recheck    1
>> p_allow_man_approv             1
>> p_allow_man_authen             0
>> p_allow_replace                1
>> p_approval_points              0
>> p_auto_revoke_existing_certs   1
>> p_max_active_certs             1
>> pkcs10                         [PEM certificate request omitted]
>> req_attributes                 challengePassword: xxxxXXXXxxxxXXXX
>> request_mode                   renewal
>> server                         generic
>> signer_authorized              0
>> signer_cert                    [PEM certificate omitted]
>> signer_in_current_realm        0
>> signer_revoked                 0
>> signer_subject                 CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
>> signer_subject_key_identifier  60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F
>> signer_trusted                 0
>> signer_validity_ok             1
>> sources                        _url_params: api
>>                                cert_subject_alt_name: PROFILE
>>                                cert_subject_parts: PKCS10
>>                                interface: api
>>                                pkcs10: api
>>                                req_attributes: PKCS10
>>                                req_extensions: PKCS10
>>                                server: api
>>                                signer_cert: api
>>                                transaction_id: api
>> transaction_id                 8a0b3dcb6ee61c88e7fe9d49063181bb
>> url_remote_addr                192.168.100.50
>> workflow_id                    51199
>>
>> Workflow history:
>>
>> Execution time       State                                Action                                 Description  User     Node
>> 2021-05-06 19:56:08  INITIAL                              enroll_initialize                      EXECUTE      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_0          global_map_url_params                  AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id              AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_3          global_load_policy                     AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_4          global_set_profile                     AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10                    AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  PARSED                               global_noop                            AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  PROFILE_SET                          enroll_render_subject                  AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  READY_TO_PROCESS                     global_check_authorized_signer         AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  SIGNED_REQUEST                       enroll_set_mode_renewal                AUTORUN      generic  openxpki-debian
>> 2021-05-06 19:56:08  START_RENEWAL                        global_set_error_not_in_current_realm  AUTORUN      generic  openxpki-debian
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
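The mismatch Oliver describes comes from comparing two differently constructed identifiers for the same key: one derived by hashing the CSR's public key, the other read from whatever the client wrote into its certificate's SKI extension. The following added example (not code from this thread or from OpenXPKI) encodes a constructed RSA key as a SubjectPublicKeyInfo, derives both RFC 5280 key-identifier variants from it, and contrasts a check against the embedded extension value with one that derives the identifier from the public key on both sides; all function names and the sample key are assumptions.

```python
import hashlib
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der(tag, content):  # minimal DER TLV encoder (example helper, not OpenXPKI code)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive

def read_tlv(buf, pos=0):  # -> (tag, content, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_spki(n, e):  # SubjectPublicKeyInfo as carried in a CSR or a certificate
    alg = der(0x30, RSA_OID + b"\x05\x00")            # AlgorithmIdentifier, NULL params
    key = der(0x30, der_int(n) + der_int(e))          # RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + key))  # BIT STRING, 0 unused bits

def subject_public_key_bits(spki):  # BIT STRING value without the unused-bits byte
    _, body, _ = read_tlv(spki)
    _, _, pos = read_tlv(body)  # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, pos)
    assert tag == 0x03, "expected BIT STRING"
    return bits[1:]

def ski_method1(spki):  # RFC 5280 4.2.1.2 (1): 160-bit SHA-1 of the key bits, as derived from the CSR
    return hashlib.sha1(subject_public_key_bits(spki)).hexdigest().upper()

def ski_method2(spki):  # RFC 5280 4.2.1.2 (2): type nibble 0100 + low 60 bits of the SHA-1
    h = int.from_bytes(hashlib.sha1(subject_public_key_bits(spki)).digest(), "big")
    return ((0x4 << 60) | (h & ((1 << 60) - 1))).to_bytes(8, "big").hex().upper()

def self_signed_by_extension(csr_spki, signer_ski_extension):
    """Fragile: a computed identifier vs. whatever the client put into its SKI extension."""
    return ski_method1(csr_spki) == signer_ski_extension

def self_signed_by_key(csr_spki, signer_spki):
    """Robust: derive the identifier the same way from both public keys."""
    return ski_method1(csr_spki) == ski_method1(signer_spki)

# Constructed sample key (not a real RSA modulus), shared by the CSR and the signer certificate.
SPKI = rsa_spki(int("A1B2C3D4E5F60718" * 16, 16), 65537)
```

With a client that populated its SKI extension using method 2, `self_signed_by_extension` reports a foreign signer even though `self_signed_by_key` confirms the same key on both sides.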
