Hi Oliver, Thanks you for your help. Do you think that a fix will be develop for this issue?
I have another questions, I read in the documentation : https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#enrollment-on-behalf, according this chapter, it seems possible to request a certificate, signed by another PKI e.g. PKI#2, to get a certificate signed by PKI#1. Maybe my comprehension of this feature is wrong. Every tests I made never match the state "On Behalf" so my question is: First, it's possible to do that? If yes, what I need to add in my CSR (maybe something around extensions)? And where I have to specify the other trusted PKI in OpenXpki configuration file? Regards Eddy De : Oliver Welter <[email protected]> Envoyé : vendredi 7 mai 2021 08:48 À : [email protected] Objet : Re: [OpenXPKI-users] SCEP enrolment: problem to reach "Initial enrolment" [External email: Use caution with links and attachments] ________________________________ Hi Eddy, my colleague Martin had a deeper look into your data and we found the problem :) The construction of the "key identifier" is only loosely defined in RFC5280 but we never saw any tools with a different behaviour - as of today. As a CSR does not include a key identifier the ASN1 structure, we use the definition from the RFC and use the sha1 hash of the public key. Fpr the certificate, we read the key identifier from the ASN1 structure (if set) and surprisingly the value in your signature certificate does not match the expected one. Bottom line: You are using the correct key/certificate but the assumption we made is wrong and we therefore fail to detect this properly. We are currently discussion how to solve this properly in OpenXPKI but at the moment there is no "quick hack" I can offer on this side other then reworking the conditions in the workflow as described in my last post. Oliver Am 07.05.21 um 08:00 schrieb Oliver Welter: Hello Eddy, as I already said last week https://sourceforge.net/p/openxpki/mailman/message/37269596/<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceforge.net%2Fp%2Fopenxpki%2Fmailman%2Fmessage%2F37269596%2F&data=04%7C01%7Ceddy.bodin%40non.se.com%7C14f63a9ff6684ec9024408d911244413%7C6e51e1adc54b4b39b5980ffe9ae68fef%7C0%7C0%7C637559669725397575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sRRG8qd0NxsKWUO8HbJ1xtTS08cHV6JgYqyp045WZrU%3D&reserved=0> - to be recognized as an "initial enrollment" the request must be self-signed - at least in our world this means that the public key used in the CSR must also be used to sign the SCEP envelope. As you can see here, this is not the case csr_subject_key_identifier A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0 signer_subject_key_identifier 60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F The complete enrollment workflow is described here https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenxpki.readthedocs.io%2Fen%2Flatest%2Freference%2Fconfiguration%2Fworkflows%2Fenroll.html&data=04%7C01%7Ceddy.bodin%40non.se.com%7C14f63a9ff6684ec9024408d911244413%7C6e51e1adc54b4b39b5980ffe9ae68fef%7C0%7C0%7C637559669725397575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zlR8FNuFIswtQ8qUYbdALk1xjMezVVU3GINPb91qZDg%3D&reserved=0> If you want to change this detection logic you can rework the conditions in the workflow, you find this here https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L30<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenxpki%2Fopenxpki-config%2Fblob%2Fcommunity%2Fconfig.d%2Frealm.tpl%2Fworkflow%2Fdef%2Fcertificate_enroll.yaml%23L30&data=04%7C01%7Ceddy.bodin%40non.se.com%7C14f63a9ff6684ec9024408d911244413%7C6e51e1adc54b4b39b5980ffe9ae68fef%7C0%7C0%7C637559669725407570%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WdOfE56xBecyVMx1DGi2hmb3h9a0TIWgvaBFXH%2BPNsk%3D&reserved=0> The better way would be IMHO to try to fix this in your SCEP client. best regards Oliver Am 06.05.21 um 22:27 schrieb Eddy BODIN via OpenXPKI-users: Hello, we're trying to enroll with SCEP a newly created certificate, using a Cryptlb based client, on an openXpki server on the default realm called "democa". We expect to have an initial enrolment but instead of it regarding the workflow we reach state "START_RENEWAL" after "SIGNED_REQUEST". In the workflow the CSR is not considered as self-signed, leading to this issue. The newly created certificate has a new transaction_id and a new DN and common name. What possible reason could lead to this issue ? Thanks. Workflow Context : cert_profile tls_server cert_subject CN=20210506-C-220638,DC=Test Deployment,DC=OpenXPKI,DC=org cert_subject_parts C FR CN 20210506-C-220638 O MYORGANISATION OU MYUNIT cert_subject_style enroll creator generic csr_digest_alg sha256 csr_key_alg rsa csr_key_params key_length 4096 csr_subject CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR csr_subject_key_identifier A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0 error_code Renewal request is for certificate from foreign realm! interface scep p_allow_anon_enroll 0 p_allow_eligibility_recheck 1 p_allow_man_approv 1 p_allow_man_authen 0 p_allow_replace 1 p_approval_points 0 p_auto_revoke_existing_certs 1 p_max_active_certs 1 pkcs10 -----BEGIN CERTIFICATE REQUEST----- MIIEuTCCAqECAQAwUzELMAkGA1UEBhMCRlIxFzAVBgNVBAoTDk1ZT1JHQU5JU0FU SU9OMQ8wDQYDVQQLEwZNWVVOSVQxGjAYBgNVBAMTETIwMjEwNTA2LUMtMjIwNjM4 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvFMd313lzD1i+A5u2l7i 9oLQnZXhG6usD2tYJq1NcuUE++YTxQ+PDbb2EPfcClEc7/Xyurn+TMPeU7opPdxP 3IQx23H1Y4UbIzv0k8WJckCj1zwnSgQllJzXefAImezJTSlV9IAo8UB9uXTxbbzu CipYD+GcbDMKN1Wjjn6ngtjIdmYgnsc1x/UBUsmb7rrtWcI7dMEgrw7hkJThw+EW XwL7l1TnVPUVTFxkIvrOzCatWA/HUNCeiE5XeERYwyZ6WwkpVv+ufO3tMVxhsu5r TzxxAr1Xk1P7/9izAYzJ4CwRI2UuTqo5nOXNHdqcQpcJWqHwpYfCqwtlPZdOyx6a fuEnvQW7V8P/PQ2ttbJ9CGk4sWB7Y2GHAEPCb1gxKl9rEHAh3b/uNvXHaBo09F6G JCDQqZpVVAxcZkHSuf9BMJzU3A8mkxdONWDd6q4VYvMN+5eSJHEgT5r15nEStmUD e/UFGW/2WouYxONASVFbljm6JjsOX49p6zhh4Fq0vZM1YETbIqhYCN3CPibgYXQn nBKHCnCInLi0pM3fqIE+HAFSI8/0Rbp38kbfNCkjyVGyjBED4MUVJeIlemgop0Jk pFFtv2JZjIbagjm8OqJ4UnRtCELinGnQeWCyya4gX5KnWZUEEojNQmUJKVO34eHF L7MQvfrZK50f875rbwTuEEcCAwEAAaAhMB8GCSqGSIb3DQEJBzESExB4eHh4WFhY WHh4eHhYWFhYMA0GCSqGSIb3DQEBCwUAA4ICAQCLorLSJgWwsXD50uWlUtyHdcSY nDygUe6l9gb53tuvsrMpqTcPOUcTFUJys4OtQ8gcN0HPfhO/O6LUoNx9kYpJc4Xd iaRscx+u2FetQbpwsO8D1JZeMfvBz3R7Znpu8mZm/aggX8ZRE184/Cok9kJIcGbI 4dhJ2Qw6/H3rjnn+0PenqHXH97WuVYpmJDHJuHvX4YWY4X4LF46sMObT3+JoBYNR c7EKVRyoYGltcoOEVjQLSi86992V5R5Ddd3x1pfLcMOnK8lGLUxIZhfqY6IWPiRo tyINtQn1egS6Jwohns5qU5YLEsZcfdzywwDc/cvP/7n2qpzrYxv9zXd0P91OVS3P Pr+rE794N8kQmS4y671aoq/UCwAFMbP5YS4zmhfjA0iKJvTYSOGp8RjofKjUC7IZ 2mYC1YgDo4uudzyCquJlHSAVV85K+qV4urjtIT7vFgNcduQbtK44+pU0zc7QQY+r EWacWNMeOORbH9FUrfQ3svoFNY962glfSbAi8ssYkOfFjgW8yKDj1DRc5BpIPwr1 ZhegqYZLDvYDNEPmcmh0fQXHL6x4MT75S6k/zZqPhJrBq+ESL6aRq29nHUat+Z5N +XhEcNCh/66rDV3bKNoudMbTFyQir4GXEErKaVzXH/WxRlkSuz6j3l+Kz3uZ7wOo ztPnfK1IJ95lb9Frfw== -----END CERTIFICATE REQUEST----- req_attributes challengePassword xxxxXXXXxxxxXXXX request_mode renewal server generic signer_authorized 0 signer_cert -----BEGIN CERTIFICATE----- MIIFZzCCA0+gAwIBAgIIakzaLfQ1P5wwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UE BhMCRlIxFzAVBgNVBAoTDk1ZT1JHQU5JU0FUSU9OMQ8wDQYDVQQLEwZNWVVOSVQx GjAYBgNVBAMTETIwMjEwNTA2LUMtMjIwNjM4MB4XDTIxMDUwNjIwMDYwMFoXDTIx MDUwNzIwMDYwMFowUzELMAkGA1UEBhMCRlIxFzAVBgNVBAoTDk1ZT1JHQU5JU0FU SU9OMQ8wDQYDVQQLEwZNWVVOSVQxGjAYBgNVBAMTETIwMjEwNTA2LUMtMjIwNjM4 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvFMd313lzD1i+A5u2l7i 9oLQnZXhG6usD2tYJq1NcuUE++YTxQ+PDbb2EPfcClEc7/Xyurn+TMPeU7opPdxP 3IQx23H1Y4UbIzv0k8WJckCj1zwnSgQllJzXefAImezJTSlV9IAo8UB9uXTxbbzu CipYD+GcbDMKN1Wjjn6ngtjIdmYgnsc1x/UBUsmb7rrtWcI7dMEgrw7hkJThw+EW XwL7l1TnVPUVTFxkIvrOzCatWA/HUNCeiE5XeERYwyZ6WwkpVv+ufO3tMVxhsu5r TzxxAr1Xk1P7/9izAYzJ4CwRI2UuTqo5nOXNHdqcQpcJWqHwpYfCqwtlPZdOyx6a fuEnvQW7V8P/PQ2ttbJ9CGk4sWB7Y2GHAEPCb1gxKl9rEHAh3b/uNvXHaBo09F6G JCDQqZpVVAxcZkHSuf9BMJzU3A8mkxdONWDd6q4VYvMN+5eSJHEgT5r15nEStmUD e/UFGW/2WouYxONASVFbljm6JjsOX49p6zhh4Fq0vZM1YETbIqhYCN3CPibgYXQn nBKHCnCInLi0pM3fqIE+HAFSI8/0Rbp38kbfNCkjyVGyjBED4MUVJeIlemgop0Jk pFFtv2JZjIbagjm8OqJ4UnRtCELinGnQeWCyya4gX5KnWZUEEojNQmUJKVO34eHF L7MQvfrZK50f875rbwTuEEcCAwEAAaM/MD0wHQYDVR0OBBYEFGCik4Dx9ViTWUuA yhPuUNpPfIBvMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3 DQEBCwUAA4ICAQCUP4YDL3y3RpSU4HBU3OmsqcEYWr6jzvA95ZIHsGX08fp+GJi4 GJdkOBQmli6kY2OZ5H7t/7cLqGtwIlmflfEM4bcdOdhxUqRpiIkzmJeEUBYINJLk WTjBV1RVtwGY2zdqSiLmLBcAZZXCdD8BiGpObKRnBO++UOsz9JLvGUF7SG24tScE OPBpFDgqH0O9JfJgcK2+/6EZFzPyBnqnEWOhuSkw2ErH05hJdsBDh2QGe0X321FU vAhm/nEiFsiO0r8zHrNYDsgYbpMblCYfhTJON67SYxMf3okv4WP+DU62hmJ9Iq9p wcka2C4D3RoU7rff+9CpssvWY5mSlfWQwASd+iKNuKndtGHWqScQDyK2Gbkr7uIA GTdGImA61TQpn5Bv9Zvq+SO6C1qQJSAgsP0jfS6iYRJNeMlBIFmmgDNMSRUbC7ny 4Z1I1rnzkwqZQ7NeHFp+ZRR0r0FZbMGFlZ/YzsbkjUSD8j1jRbWdTHKcsVAiXWsh fQA014vSAyjVBkteFKNT0uDPCYgEc+oWt2DctaPw/yZcwz1iiP1Be82q70kAIKsj vTuNEIvxE/9I1uCSfvdVDAs+leRFrF0IQfvk3r1k77kU2BiriQmEYegziQJUhIfY fuUB62a9TPUtdJp1YQzSkEuZl/3AIaAPFLn1ZtHLGC6nJTDcPHUqfO42sQ== -----END CERTIFICATE----- signer_in_current_realm 0 signer_revoked 0 signer_subject CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR signer_subject_key_identifier 60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F signer_trusted 0 signer_validity_ok 1 sources _url_params api cert_subject_alt_name PROFILE cert_subject_parts PKCS10 interface api pkcs10 api req_attributes PKCS10 req_extensions PKCS10 server api signer_cert api transaction_id api transaction_id 8a0b3dcb6ee61c88e7fe9d49063181bb url_remote_addr 192.168.100.50 workflow_id 51199 Workflow history : Execution time State Action Description User Node 2021-05-06 19:56:08 INITIAL enroll_initialize EXECUTE generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_0 global_map_url_params AUTORUN generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_1 enroll_set_transaction_id AUTORUN generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_2 enroll_set_workflow_attributes AUTORUN generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_3 global_load_policy AUTORUN generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_4 global_set_profile AUTORUN generic openxpki-debian 2021-05-06 19:56:08 INITIAL_ENROLL_INITIALIZE_5 enroll_parse_pkcs10 AUTORUN generic openxpki-debian 2021-05-06 19:56:08 PARSED global_noop AUTORUN generic openxpki-debian 2021-05-06 19:56:08 PROFILE_SET enroll_render_subject AUTORUN generic openxpki-debian 2021-05-06 19:56:08 PROFILE_SET_ENROLL_RENDER_SUBJECT_0 enroll_set_workflow_attributes AUTORUN generic openxpki-debian 2021-05-06 19:56:08 READY_TO_PROCESS global_check_authorized_signer AUTORUN generic openxpki-debian 2021-05-06 19:56:08 SIGNED_REQUEST enroll_set_mode_renewal AUTORUN generic openxpki-debian 2021-05-06 19:56:08 START_RENEWAL global_set_error_not_in_current_realm AUTORUN generic openxpki-debian _______________________________________________ OpenXPKI-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/openxpki-users<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=04%7C01%7Ceddy.bodin%40non.se.com%7C14f63a9ff6684ec9024408d911244413%7C6e51e1adc54b4b39b5980ffe9ae68fef%7C0%7C0%7C637559669725407570%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=96s%2B1ZPrfW92XuV3fTVyCv5%2BChuuty7N0vTF%2BHZcsf0%3D&reserved=0> -- Protect your environment - close windows and adopt a penguin! _______________________________________________ OpenXPKI-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/openxpki-users<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=04%7C01%7Ceddy.bodin%40non.se.com%7C14f63a9ff6684ec9024408d911244413%7C6e51e1adc54b4b39b5980ffe9ae68fef%7C0%7C0%7C637559669725417565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=i3GSOGBHyh%2FSuhHorcgHUPMkO9Di8WpPiACMgTLMi5E%3D&reserved=0> -- Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
