Hi Andreas,

it is not a good idea to turn off any authentication and approval mechanism as this gives ANYONE with access to the webservice the opportunity to get a certificate. You should really have a look at the description of the enrollment workflow https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/enroll.html and use at least an HMAC to authenticate the requests.
Best regards
Oliver

On 27.09.21 at 23:18, [email protected] wrote:
> Hi Oliver,
>
> > you must use a new CSR - the RPC wrapper uses the PKCS10 container from the input to search for existing workflows for this container to allow asynchronous operations without the need to deal with explicit transaction ids. Therefore you are redirected to the old workflow (see the content of the id field) which is already failed.
>
> Ahhh! Didn't notice that the server was trying to use the old workflow – thank you for this hint!!!
>
> So I created a new CSR and it worked like a charm:
>
> -----------------
> openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example100.com" \
>     -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem
>
> curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" \
>     -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
>
> {
>     "result": {
>         "data": {
>             "cert_identifier": "IEhFdcfJIxHqxsu9hFC_KMIHewg",
>             "certificate": "-----BEGIN CERTIFICATE-----\n .....==\n-----END CERTIFICATE-----",   # deleted a lot of characters from this line at .....
>             "chain": "-----BEGIN CERTIFICATE-----\n .....=\n-----END CERTIFICATE-----",   # deleted a lot of characters from this line at .....
>             "transaction_id": "3ab1ea270e34fe3bb4de45343276a7c9e36a4f22"
>         },
>         "id": 3839,
>         "pid": 94,
>         "proc_state": "finished",
>         "state": "SUCCESS"
>     }
> }
> -----------------
>
> Finally I fiddled around in the policy setting in enroll.yaml and managed to switch off manual approval. So I am able now to send CSRs and get the corresponding signed (?) certificate stored in the OpenXPKI server, where it can be retrieved via REST call.
>
> For the moment, this seems to fulfill my requirements (at least, I hope it does, as I am far away from really understanding all this PKI sorcery)
>
> So, thanks a lot for your help, Oliver! You are definitely a PKI wizard!
>
> Kind regards
>
> Andreas
>
> From: Oliver Welter <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Monday, 27 September 2021 at 13:04
> To: "[email protected]" <[email protected]>
> Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
>
> Hi Andreas,
>
> you must use a new CSR - the RPC wrapper uses the PKCS10 container from the input to search for existing workflows for this container to allow asynchronous operations without the need to deal with explicit transaction ids. Therefore you are redirected to the old workflow (see the content of the id field) which is already failed.
>
> Oliver
>
> On 25.09.21 at 17:49, [email protected] wrote:
> > Hi all,
> >
> > I changed the RPC call according to Oliver's hints, but it still doesn't work:
> >
> > ---------------------------------------------
> > curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
> > {
> >     "result": {
> >         "data": {
> >             "error_code": "Invalid Profile",
> >             "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
> >         },
> >         "id": 2815,
> >         "pid": 94,
> >         "proc_state": "finished",
> >         "state": "FAILURE"
> >     }
> > }
> > ---------------------------------------------
> >
> > Any further ideas/hints?
> >
> > Kind regards
> >
> > Andreas
> >
> > From: Oliver Welter <[email protected]>
> > Reply-To: "[email protected]" <[email protected]>
> > Date: Friday, 24 September 2021 at 18:56
> > To: "[email protected]" <[email protected]>
> > Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
> >
> > Hi Andreas,
> >
> > looks like there is a bug in the docs, the value set for "profile" is mapped to the internal profile names in the file "rpc/enroll.yaml" in the key "profile_map" and there the profile is written with a dash.
> >
> > Regarding REST: Have a look at the EST protocol, this will give you a very clean interface that requests a plain PKCS10 container as payload and returns a "raw" PKCS7 structure with the certificate without any encoding around.
> >
> > Oliver
> >
> > On 24.09.21 at 16:26, [email protected] wrote:
> > > Hi all,
> > >
> > > @Oliver: thanks for this hint, but writing such a "RPC <-> REST" converter is kind of "overkill" for my purposes.
> > > Meanwhile I found out that sending REST requests with the right header works fine for me:
> > >
> > > curl -s -X POST http://localhost:8080/rpc/enroll/SearchCertificate -H 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python -m json.tool
> > >
> > > One problem solved, another problem arises:
> > > I try to "automatically" process a CSR, which I want to send via RPC/REST to the openXPKI server.
> > >
> > > Tried this (and several other things), but failed:
> > >
> > > ------
> > > # Generate a PKCS#10 CSR file "certreq.pem"
> > > openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com" -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem
> > >
> > > # Try to upload the CSR file – without success
> > > curl -s -F "method=RequestCertificate" -F "profile=tls_server" -F "comment=test" -F pkcs10="$(cat certreq.pem)" http://localhost:8080/rpc/enroll | python -m json.tool
> > > {
> > >     "result": {
> > >         "data": {
> > >             "error_code": "Invalid Profile",
> > >             "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
> > >         },
> > >         "id": 2815,
> > >         "pid": 94,
> > >         "proc_state": "finished",
> > >         "state": "FAILURE"
> > >     }
> > > }
> > > ------
> > >
> > > Any idea what to do?
> > >
> > > Kind regards
> > >
> > > Andreas
> > >
> > > PS: To be honest: I am struggling hard with the openXPKI server's documentation – the software itself seems to be quite promising, but the documentation is hard to understand and quite limited (at least from my point of view).
> > >
> > > From: Oliver Welter <[email protected]>
> > > Reply-To: "[email protected]" <[email protected]>
> > > Date: Friday, 24 September 2021 at 15:17
> > > To: "[email protected]" <[email protected]>
> > > Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate
> > >
> > > Hi Andreas,
> > >
> > > to have a "real" REST API you need to write a wrapper yourself that translates a REST path to a call to the RPC system and rewrites the result to the expected return structure. There is no ready-to-go component in OpenXPKI CE for this as such an interface is always very customer specific.
> > >
> > > Oliver
> > >
> > > On 23.09.21 at 18:23, [email protected] wrote:
> > > > Hi Oliver,
> > > >
> > > > thanks a lot!
> > > > Your reference to
> > > >
> > > > "_map_certificate: [% Certificate.pem(...) %]"
> > > >
> > > > ... was close and guided me in the right direction, but – big surprise – it didn't work.
> > > > Finally I found out that the following line works:
> > > >
> > > > _map_pem: "[% USE Certificate %][% Certificate.pem(context.cert_identifier) %]"
> > > >
> > > > Of course, I had to adjust the file enroll.yaml appropriately too:
> > > >
> > > > [SearchCertificate]
> > > > workflow = certificate_search
> > > > param = common_name
> > > > output = cert_identifier, pem, notbefore, notafter, status
> > > >
> > > > The result was pretty much what I had been searching for:
> > > >
> > > > curl -s -F "method=SearchCertificate" -F "common_name=Rob Roberts" http://localhost:8080/rpc/enroll | python -m json.tool
> > > > {
> > > >     "result": {
> > > >         "data": {
> > > >             "cert_identifier": "jLy7gIbwwvnvOCMRpTPgdw6uVpg",
> > > >             "notafter": "2022-03-16T16:54:56",
> > > >             "notbefore": "2021-09-16T16:54:56",
> > > >             "pem": "-----BEGIN CERTIFICATE-----\nm ........ v9MRebfA=\n-----END CERTIFICATE-----",
> > > >             "status": "ISSUED"
> > > >         },
> > > >         "id": 0,
> > > >         "pid": 70,
> > > >         "proc_state": "finished",
> > > >         "state": "SUCCESS"
> > > >     }
> > > > }
> > > >
> > > > So far, so good (and once again: thank you for your help!)
> > > >
> > > > What remains open is my question how to switch from RPC to REST.
> > > > Could you give me a hint how to achieve that?
> > > >
> > > > Kind regards
> > > >
> > > > Andreas
> > > >
> > > > _______________________________________________
> > > > OpenXPKI-users mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/openxpki-users
> > >
> > > --
> > > Protect your environment - close windows and adopt a penguin!

-- 
Protect your environment - close windows and adopt a penguin!
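As an added illustration (not code from this thread or from OpenXPKI itself) of the two points made above, a toy enroll endpoint: the same PKCS#10 always maps to the same transaction id and is therefore routed to the existing workflow, even a failed one, and every request is authenticated with an HMAC over the CSR before any workflow is touched. The SHA-1 derivation of the transaction id, the HMAC-SHA256 scheme, the profile_map contents and the constructed CSR strings are assumptions, not OpenXPKI's real implementation.

```python
import hashlib
import hmac

# Constructed stand-ins; a real request carries a PKCS#10 PEM body and a
# secret pre-shared between the enrolling client and the RPC endpoint.
CSR_A = "-----BEGIN CERTIFICATE REQUEST-----\nconstructed-request-A\n-----END CERTIFICATE REQUEST-----\n"
CSR_B = "-----BEGIN CERTIFICATE REQUEST-----\nconstructed-request-B\n-----END CERTIFICATE REQUEST-----\n"
SHARED_SECRET = b"constructed-shared-secret"

# Assumption: keys are the profile names accepted on the wire (dash, as in
# the thread), values the internal profile names they map to.
PROFILE_MAP = {"tls-server": "tls_server"}


def transaction_id(pkcs10: str) -> str:
    """Assumption: SHA-1 over the PKCS#10 text (40 hex chars, like the ids in
    the thread). Re-sending the same CSR yields the same transaction id."""
    return hashlib.sha1(pkcs10.encode()).hexdigest()


def sign_request(secret: bytes, pkcs10: str) -> str:
    """Client side: HMAC-SHA256 over the CSR, sent alongside it."""
    return hmac.new(secret, pkcs10.encode(), hashlib.sha256).hexdigest()


class EnrollEndpoint:
    """Toy model of an RPC enroll wrapper keeping workflows per transaction id."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.workflows = {}  # transaction_id -> workflow record
        self.next_id = 1

    def request_certificate(self, pkcs10: str, profile: str, mac: str) -> dict:
        tx = transaction_id(pkcs10)
        # Authenticate first: an unsigned or tampered request neither starts a
        # workflow nor reveals the state of an existing one.
        if not hmac.compare_digest(sign_request(self.secret, pkcs10), mac):
            return {"state": "REJECTED", "error_code": "Bad HMAC", "transaction_id": tx}
        # A known PKCS#10 is routed to its existing workflow, even a failed one;
        # a fresh attempt needs a fresh CSR, which is the point made in the thread.
        if tx in self.workflows:
            return self.workflows[tx]
        wf = {"id": self.next_id, "transaction_id": tx}
        self.next_id += 1
        if profile in PROFILE_MAP:
            wf.update(state="SUCCESS", profile=PROFILE_MAP[profile])
        else:
            wf.update(state="FAILURE", error_code="Invalid Profile")
        self.workflows[tx] = wf
        return wf
```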
