Hi Oliver,
> you must use a new CSR - the RPC wrapper uses the PKCS10 container from the
> input to search for existing workflows for this container
> to allow asynchronous operations without the need to deal with explicit
> transaction ids.
> Therefore you are redirected to the old workflow (see the content of the id
> field) which is already failed.
Ahhh! Didn't notice that the server was trying to use the old workflow.
Thank you for this hint!!!
So I created a new CSR and it worked like a charm:
-----------------
openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example100.com" \
    -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem
curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" \
    -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "cert_identifier": "IEhFdcfJIxHqxsu9hFC_KMIHewg",
            "certificate": "-----BEGIN CERTIFICATE-----\n ..... ==\n-----END CERTIFICATE-----",  # deleted a lot of characters from this line at …..
            "chain": "-----BEGIN CERTIFICATE-----\n ….. =\n-----END CERTIFICATE-----",  # deleted a lot of characters from this line at …..
            "transaction_id": "3ab1ea270e34fe3bb4de45343276a7c9e36a4f22"
        },
        "id": 3839,
        "pid": 94,
        "proc_state": "finished",
        "state": "SUCCESS"
    }
}
-----------------
Finally I fiddled around with the policy settings in enroll.yaml and managed to
switch off manual approval. So I am now able to send CSRs and get the corresponding
signed (?) certificate stored in the OpenXPKI server, where it can be retrieved via REST call.
For the moment, this seems to fulfill my requirements (at least, I hope it does, as I am
far away from really understanding all this PKI sorcery).
So, thanks a lot for your help, Oliver! You are definitely a PKI-Wizard!
Kind regards
Andreas
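The behaviour Oliver describes, that the RPC wrapper matches a resubmitted PKCS#10 container to its existing (and possibly already failed) workflow, is worth handling on the client side rather than discovering it in the `id` field. Added example, not code from this thread or from the OpenXPKI project: a small Python client that fingerprints the CSR, refuses to re-post one already bound to a failed workflow, and reduces the JSON envelope shown above to the fields a caller acts on. The endpoint URL, parameter names and sample replies come from the thread; the JSON-POST form for RequestCertificate (mirroring the SearchCertificate call below), the ledger and the helper names are assumptions.

```python
import base64, hashlib, json, re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib import request

RPC_URL = "http://localhost:8080/rpc/enroll"  # endpoint used throughout the thread

@dataclass
class Outcome:
    state: str                      # result.state: "SUCCESS" or "FAILURE"
    wf_id: int                      # result.id: the workflow the wrapper bound this CSR to
    error_code: Optional[str]       # result.data.error_code on failure, e.g. "Invalid Profile"
    cert_identifier: Optional[str]  # result.data.cert_identifier on success

def csr_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the PKCS#10 container, so whitespace or
    header differences in the PEM wrapping cannot disguise a resubmission."""
    body = re.sub(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()

def classify(reply: dict) -> Outcome:
    """Reduce the JSON envelope returned by /rpc/enroll to the fields a client acts on."""
    result = reply["result"]
    data = result.get("data") or {}
    return Outcome(result["state"], int(result["id"]),
                   data.get("error_code"), data.get("cert_identifier"))

def post_json(url: str, params: dict) -> dict:
    """JSON POST with the method name in the path, as the SearchCertificate call in
    the thread does; assumed (not confirmed by the thread) to hold for RequestCertificate."""
    req = request.Request(url, data=json.dumps(params).encode(),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def request_certificate(csr_pem: str, profile: str, ledger: Dict[str, Outcome],
                        post: Callable[[str, dict], dict] = post_json) -> Outcome:
    """Submit a CSR once. A CSR already bound to a failed workflow is refused locally,
    because the wrapper would route it back to that workflow instead of starting a new one."""
    fp = csr_fingerprint(csr_pem)
    prior = ledger.get(fp)
    if prior is not None and prior.state == "FAILURE":
        raise RuntimeError(f"CSR {fp[:12]} is bound to failed workflow {prior.wf_id} "
                           f"({prior.error_code}); generate a fresh key and CSR")
    outcome = classify(post(f"{RPC_URL}/RequestCertificate",
                            {"pkcs10": csr_pem, "profile": profile, "comment": "test"}))
    ledger[fp] = outcome
    return outcome
```

Pass a different `post` callable to exercise the logic against recorded replies without a running server.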
From: Oliver Welter <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Monday, 27 September 2021 at 13:04
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
Hi Andreas,
you must use a new CSR - the RPC wrapper uses the PKCS10 container from the
input to search for existing workflows for this container to allow asynchronous
operations without the need to deal with explicit transaction ids. Therefore
you are redirected to the old workflow (see the content of the id field) which
is already failed.
Oliver
On 25.09.21 at 17:49, [email protected] wrote:
Hi all,
I changed the RPC call according to Oliver's hints, but it still doesn't work:
---------------------------------------------
curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" \
    -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "error_code": "Invalid Profile",
            "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
        },
        "id": 2815,
        "pid": 94,
        "proc_state": "finished",
        "state": "FAILURE"
    }
}
---------------------------------------------
Any further ideas/hints?
Kind regards
Andreas
From: Oliver Welter <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Friday, 24 September 2021 at 18:56
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
Hi Andreas,
looks like there is a bug in the docs, the value set for "profile" is mapped to
the internal profile names in the file "rpc/enroll.yaml" in the key
"profile_map" and there the profile is written with a dash.
Regarding REST: Have a look at the EST protocol, this will give you a very
clean interface that requests a plain PKCS10 container as payload and returns a
"raw" PKCS7 structure with the certificate without any encoding around.
Oliver
On 24.09.21 at 16:26, [email protected] wrote:
Hi all,
@Oliver: thanks for this hint, but writing such a “RPC <-> REST” converter is
kind of “overkill” for my purposes.
Meanwhile I found out that sending REST requests with the right header works
fine for me:
curl -s -X POST http://localhost:8080/rpc/enroll/SearchCertificate \
    -H 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python -m json.tool
One problem solved, another problem arises:
I try to “automatically” process a CSR, which I want to send via RPC/REST to
the openXPKI server.
Tried this (and several other things), but failed:
------
# Generate a PKCS#10 CSR file "certreq.pem"
openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com" \
    -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem
# Try to upload the CSR file - without success
curl -s -F "method=RequestCertificate" -F "profile=tls_server" -F "comment=test" \
    -F pkcs10="$(cat certreq.pem)" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "error_code": "Invalid Profile",
            "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
        },
        "id": 2815,
        "pid": 94,
        "proc_state": "finished",
        "state": "FAILURE"
    }
}
------
Any idea, what to do?
Kind regards
Andreas
PS: To be honest: I am struggling hard with the openXPKI server's
documentation. The software itself seems to be quite promising, but the
documentation is hard to understand and quite limited (at least from my point
of view).
From: Oliver Welter <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Friday, 24 September 2021 at 15:17
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
Hi Andreas,
to have "real" REST API you need to write a wrapper yourself that translates a
REST path to a call to the RPC system and rewrites the result to the expected
return structure. There is no ready-to-go component in OpenXPKI CE for this as
such an interface is always very customer specific.
Oliver
On 23.09.21 at 18:23, [email protected] wrote:
Hi Oliver,
thanks a lot!
Your reference to
"_map_certificate: [% Certificate.pem(...) %]"
… was close and guided me in the right direction, but – big surprise – it
didn't work.
Finally I found out that the following line works:
_map_pem: "[% USE Certificate %][% Certificate.pem(context.cert_identifier) %]"
Of course, I had to adjust the file enroll.yaml appropriately too:
[SearchCertificate]
workflow = certificate_search
param = common_name
output = cert_identifier, pem, notbefore, notafter, status
The result was pretty much what I had been searching for:
curl -s -F "method=SearchCertificate" -F "common_name=Rob Roberts" \
    http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "cert_identifier": "jLy7gIbwwvnvOCMRpTPgdw6uVpg",
            "notafter": "2022-03-16T16:54:56",
            "notbefore": "2021-09-16T16:54:56",
            "pem": "-----BEGIN CERTIFICATE-----\nm …….. v9MRebfA=\n-----END CERTIFICATE-----",
            "status": "ISSUED"
        },
        "id": 0,
        "pid": 70,
        "proc_state": "finished",
        "state": "SUCCESS"
    }
}
So far, so good (and once again: thank you for your help!)
What remains open is my question of how to switch from RPC to REST.
Could you give me a hint on how to achieve that?
Kind regards
Andreas
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!