Hi,
I am trying to do the same on openxpki 3.10.2 but it still accepts the same 
subject.
Please verify the version of your deployment.
Regards

    On Monday, 2 August 2021, 07:01:40 pm GMT+5, Kseniya Blashchuk 
<[email protected]> wrote:  
 
 It worked! Thank you for your help Martin!
On Mon, Aug 2, 2021 at 4:11 PM Martin Bartosch via OpenXPKI-users 
<[email protected]> wrote:

Hi,

> Is it possible to check if the certificate subject is unique across all 
> realms on the openxpki server? I am using openxpki community edition.

OpenXPKI is a workflow-based system, so literally almost any conceivable 
business logic can be implemented. We distribute a set of default workflows 
which implement some common and sensible assumptions. One of the assumptions is 
that PKI Realms are logically separate name spaces, making it possible to run any 
number of distinct and independent CAs on the same OpenXPKI instance. The 
default system hence only considers uniqueness of subjects within the same PKI 
Realm, not across other realms.

I am not sure and have not tested this, but by looking at the code and 
configuration you could try the following:

In the workflow/def/certificate_signing_request_v2.yaml of your desired realm 
change the subject policy test from

    check_policy_subject_duplicate:
        class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
        param:
           allow_renewal_period: "+0003"


to

    check_policy_subject_duplicate:
        class: OpenXPKI::Server::Workflow::Activity::CSR::CheckPolicySubjectDuplicate
        param:
           any_realm: 1
           allow_renewal_period: "+0003"


This should consider the subject test across all realms. This is untested.

Cheers

Martin



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
