Hi Oliver, don't worry – it perfectly suits our needs and is just for testing purposes. The whole thing will never go productive like that.
Nevertheless – thanks for your careful hints.

Cheers
Andreas

From: Oliver Welter <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, 1 October 2021 at 07:35
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

Hi Andreas,

it is not a good idea to turn off any authentication and approval mechanism as this gives ANYONE with access to the webservice the opportunity to get a certificate. You should really have a look at the description of the enrollment workflow https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/enroll.html and use at least an HMAC to authenticate the requests.

best regards

Oliver

On 27.09.21 at 23:18, [email protected] wrote:

Hi Oliver,

> you must use a new CSR - the RPC wrapper uses the PKCS10 container from the
> input to search for existing workflows for this container
> to allow asynchronous operations without the need to deal with explicit
> transaction ids.
> Therefore you are redirected to the old workflow (see the content of the id
> field) which is already failed.

Ahhh! Didn't notice that the server was trying to use the old workflow – thank you for this hint!!!

So I created a new CSR and it worked like a charm:

-----------------
openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example100.com" \
    -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem

curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" \
    -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "cert_identifier": "IEhFdcfJIxHqxsu9hFC_KMIHewg",
            "certificate": "-----BEGIN CERTIFICATE-----\n ..... ==\n-----END CERTIFICATE-----",  # deleted a lot of characters from this line at …..
            "chain": "-----BEGIN CERTIFICATE-----\n ….. =\n-----END CERTIFICATE-----",  # deleted a lot of characters from this line at …..
            "transaction_id": "3ab1ea270e34fe3bb4de45343276a7c9e36a4f22"
        },
        "id": 3839,
        "pid": 94,
        "proc_state": "finished",
        "state": "SUCCESS"
    }
}
-----------------

Finally I fiddled around in the policy setting in enroll.yaml and managed to switch off manual approval. So I am able now to send CSRs and get the corresponding signed (?) certificate stored in the openxpki server, where it can be retrieved via REST call. For the moment, this seems to fulfill my requirements (at least, I hope it does, as I am far away from really understanding all this PKI sorcery).

So, thanks a lot for your help, Oliver! You are definitely a PKI wizard!

Kind regards
Andreas

From: Oliver Welter <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, 27 September 2021 at 13:04
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

Hi Andreas,

you must use a new CSR - the RPC wrapper uses the PKCS10 container from the input to search for existing workflows for this container to allow asynchronous operations without the need to deal with explicit transaction ids. Therefore you are redirected to the old workflow (see the content of the id field) which is already failed.

Oliver

On 25.09.21 at 17:49, [email protected] wrote:

Hi all,

I changed the RPC call according to Oliver's hints, but it still doesn't work:

---------------------------------------------
curl -s -F method=RequestCertificate -F comment=test -F pkcs10="$(cat certreq.pem)" -F "profile=tls-server" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "error_code": "Invalid Profile",
            "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
        },
        "id": 2815,
        "pid": 94,
        "proc_state": "finished",
        "state": "FAILURE"
    }
}
---------------------------------------------

Any further ideas/hints?

Kind regards
Andreas

From: Oliver Welter <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, 24 September 2021 at 18:56
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

Hi Andreas,

looks like there is a bug in the docs, the value set for "profile" is mapped to the internal profile names in the file "rpc/enroll.yaml" in the key "profile_map" and there the profile is written with a dash.

Regarding REST: Have a look at the EST protocol, this will give you a very clean interface that requests a plain PKCS10 container as payload and returns a "raw" PKCS7 structure with the certificate without any encoding around.

Oliver

On 24.09.21 at 16:26, [email protected] wrote:

Hi all,

@Oliver: thanks for this hint, but writing such a "RPC <-> REST" converter is kind of "overkill" for my purposes.
Meanwhile I found out that sending REST requests with the right header works fine for me:

curl -s -X POST http://localhost:8080/rpc/enroll/SearchCertificate -H 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python -m json.tool

One problem solved, another problem arises: I try to "automatically" process a CSR, which I want to send via RPC/REST to the openXPKI server. Tried this (and several other things), but failed:

------
# Generate a PKCS#10 CSR file "certreq.pem"
openssl req -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com" -nodes -newkey rsa:2048 -sha256 -outform PEM -out certreq.pem

# Try to upload the CSR file – without success
curl -s -F "method=RequestCertificate" -F "profile=tls_server" -F "comment=test" -F pkcs10="$(cat certreq.pem)" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "error_code": "Invalid Profile",
            "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"
        },
        "id": 2815,
        "pid": 94,
        "proc_state": "finished",
        "state": "FAILURE"
    }
}
------

Any idea what to do?

Kind regards
Andreas

PS: To be honest: I am struggling hard with openXPKI server's documentation – the software itself seems to be quite promising, but the documentation is hard to understand and quite limited (at least from my point of view).

From: Oliver Welter <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, 24 September 2021 at 15:17
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

Hi Andreas,

to have a "real" REST API you need to write a wrapper yourself that translates a REST path to a call to the RPC system and rewrites the result to the expected return structure. There is no ready-to-go component in OpenXPKI CE for this as such an interface is always very customer specific.

Oliver

On 23.09.21 at 18:23, [email protected] wrote:

Hi Oliver,

thanks a lot! Your reference to "_map_certificate: [% Certificate.pem(...) %]" … was close and guided me in the right direction, but – big surprise – it didn't work. Finally I found out that the following line works:

_map_pem: "[% USE Certificate %][% Certificate.pem(context.cert_identifier) %]"

Of course, I had to adjust the file enroll.yaml appropriately too:

[SearchCertificate]
workflow = certificate_search
param = common_name
output = cert_identifier, pem, notbefore, notafter, status

The result was pretty much what I had been searching for:

curl -s -F "method=SearchCertificate" -F "common_name=Rob Roberts" http://localhost:8080/rpc/enroll | python -m json.tool
{
    "result": {
        "data": {
            "cert_identifier": "jLy7gIbwwvnvOCMRpTPgdw6uVpg",
            "notafter": "2022-03-16T16:54:56",
            "notbefore": "2021-09-16T16:54:56",
            "pem": "-----BEGIN CERTIFICATE-----\nm …….. v9MRebfA=\n-----END CERTIFICATE-----",
            "status": "ISSUED"
        },
        "id": 0,
        "pid": 70,
        "proc_state": "finished",
        "state": "SUCCESS"
    }
}

So far, so good (and once again: thank you for your help!)

What remains open is my question how to switch from RPC to REST. Could you give me a hint how to achieve that?

Kind regards
Andreas

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
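An added client-side example for the RPC enroll exchange discussed in this thread; it is my own code, not part of the thread and not OpenXPKI project code. It builds the same multipart body that `curl -F` sends to `http://localhost:8080/rpc/enroll` (URL taken from the mails), parses the JSON envelope exactly as quoted above so a script can tell a `FAILURE` with `error_code` from a `SUCCESS` with `cert_identifier`, and flags the case Oliver described where the wrapper maps a resubmitted PKCS#10 onto an already failed workflow (same `id`), which a fresh CSR fixes and a retry does not. The two sample responses are constructed from the output quoted in the thread, with the certificate body replaced by a placeholder. The example sends no authentication at all; for anything beyond a test box the HMAC from the linked enrollment-workflow documentation has to be added on top.

```python
"""Small client for the OpenXPKI RPC "enroll" endpoint used in the thread.

Constructed example, not OpenXPKI project code. URL and response shapes are
taken from the mails; the sample responses below are built from the output
quoted there, with the certificate body replaced by a placeholder.
"""
import base64
import json
import urllib.request
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

RPC_URL = "http://localhost:8080/rpc/enroll"  # endpoint used throughout the thread

# Constructed from the responses quoted in the thread (certificate body is a placeholder).
SAMPLE_FAILURE = r'''{"result": {"data": {"error_code": "Invalid Profile",
  "transaction_id": "a8cf0ec19b79c3ed0d434c66b3d54880c67f47be"},
  "id": 2815, "pid": 94, "proc_state": "finished", "state": "FAILURE"}}'''
SAMPLE_SUCCESS = r'''{"result": {"data": {"cert_identifier": "IEhFdcfJIxHqxsu9hFC_KMIHewg",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIBcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----",
  "transaction_id": "3ab1ea270e34fe3bb4de45343276a7c9e36a4f22"},
  "id": 3839, "pid": 94, "proc_state": "finished", "state": "SUCCESS"}}'''


@dataclass
class EnrollResult:
    state: str                       # "SUCCESS" or "FAILURE"
    workflow_id: int                 # "id": the workflow the wrapper mapped the CSR to
    transaction_id: str
    cert_identifier: Optional[str] = None
    certificate: Optional[str] = None
    error_code: Optional[str] = None


def parse_enroll_response(body: str) -> EnrollResult:
    """Normalise the JSON envelope the RPC wrapper returns (see the thread's samples)."""
    result = json.loads(body)["result"]
    data = result.get("data") or {}
    return EnrollResult(
        state=result["state"],
        workflow_id=int(result["id"]),
        transaction_id=data.get("transaction_id", ""),
        cert_identifier=data.get("cert_identifier"),
        certificate=data.get("certificate"),
        error_code=data.get("error_code"),
    )


def is_stale_workflow(result: EnrollResult, previous_ids: Set[int]) -> bool:
    """True when the wrapper matched the PKCS#10 to a workflow we already saw fail.

    Per Oliver's explanation, resubmitting the same CSR lands on the old workflow,
    so the fix is a new CSR, not a retry with the same one.
    """
    return result.state == "FAILURE" and result.workflow_id in previous_ids


def check_pem_certificate(pem: str) -> bool:
    """Cheap sanity check on the returned PEM: armour lines present, body is base64."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def build_multipart(fields: Dict[str, str]) -> Tuple[bytes, str]:
    """Build the multipart/form-data body that `curl -F` sends for plain text fields."""
    boundary = "----openxpki-example-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += ["--" + boundary, f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += ["--" + boundary + "--", ""]
    return "\r\n".join(parts).encode("utf-8"), f"multipart/form-data; boundary={boundary}"


def request_certificate(pkcs10_pem: str, profile: str = "tls-server",
                        comment: str = "test", url: str = RPC_URL) -> EnrollResult:
    """POST the CSR to the RPC endpoint, equivalent to the curl -F call in the thread.

    The profile is "tls-server" with a dash, as Oliver pointed out; "tls_server"
    produced the "Invalid Profile" failure. This is the only network call here.
    """
    body, content_type = build_multipart({
        "method": "RequestCertificate", "profile": profile,
        "comment": comment, "pkcs10": pkcs10_pem,
    })
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_enroll_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    failed = parse_enroll_response(SAMPLE_FAILURE)
    print(failed.state, failed.error_code, failed.workflow_id)
    ok = parse_enroll_response(SAMPLE_SUCCESS)
    print(ok.state, ok.cert_identifier, check_pem_certificate(ok.certificate))
    print("stale workflow, need a new CSR:", is_stale_workflow(failed, {2815}))
```

Run it without arguments to exercise the parser on the embedded samples; `request_certificate(open("certreq.pem").read())` performs the live call against the endpoint from the thread. Keeping the workflow ids of failed submissions and passing them to `is_stale_workflow` is what turns Oliver's hint into something a script can act on instead of looping on the same CSR.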
