Hello Paul,
The option is not enabled by default - you must set the
"allow_surrogate_certificate" parameter in the configuration of the
action class inside the workflow - see
https://openxpki.readthedocs.io/en/stable/reference/configuration/workflow.html
Oliver
On 04.11.21 at 17:58, Paul Schaefer wrote:
> Hello,
>
> I am trying to automate the certificate renewal as described in [1].
> The goal is to renew a usual "TLS Server" certificate without
> client_auth key usage.
>
> First, I set up a "surrogate certificate" by copying the exact web
> server certificate subject identically into a self-signed certificate
> which uses the same private key as the original web server
> certificate. (I hope this is the correct mechanism?)
>
> After that, I'm using the default enroll RPC endpoint, with TLS Client
> authentication using the newly generated surrogate certificate. I'm
> posting the parameters "method=RequestCertificate", "pkcs10=<PEMBLOCK>"
> and "profile=tls-server" (which is mapped in enroll.yaml profile_map to
> tls_server, which in turn is the profile originally used to issue this
> certificate). The following is the server's response:
>
> {"result":{"id":6399,"data":{"transaction_id":"c84f3e51a3f7fd62d863ac45a086b06ed6b125bf","error_code":"Renewal request is for certificate from foreign realm!"},"state":"FAILURE","pid":71,"proc_state":"finished"}}
>
> I'm a bit lost now. What I understood is that the workflow
> `certificate_enroll.yaml` executes the EvaluateSignerTrust activity. I
> already debugged this class by logging extensively, but neither
> `$self->param('allow_surrogate_certificate')` nor `$cert_hash` seems to
> have a value when running the above procedure.
>
> Can you help me?
>
> Thank you for your help and the amazing tool!
>
> Best,
> Paul
>
> [1]
> https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/enroll.html#renewal
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
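The surrogate certificate described in the quoted message (same subject, same private key, self-signed) can be checked before it is used for TLS client authentication. The script below is an added example, not part of the thread and not OpenXPKI code; the file names, the subject and the demo CA are constructed, and the three properties checked are the ones the message names, since the thread does not state which of them OpenXPKI itself compares.

```shell
#!/bin/sh
# Added example, not from the thread or OpenXPKI. All file names and the
# subject below are constructed sample values.
set -eu

SUBJ="/DC=example/O=Demo/CN=www.example.test"   # constructed subject

# Print a certificate's subject / issuer DN in RFC 2253 form.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
# Print the SHA-256 of the certificate's PEM-encoded public key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# check_surrogate ORIGINAL SURROGATE
# Prints one line per failed property; returns 0 only if all three hold.
check_surrogate() {
  cs_rc=0
  [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ] || { echo "subject differs"; cs_rc=1; }
  [ "$(cert_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ] || { echo "public key differs"; cs_rc=1; }
  [ "$(cert_subject "$2")" = "$(cert_issuer "$2")" ] || { echo "issuer differs from subject"; cs_rc=1; }
  return "$cs_rc"
}

# make_demo DIR: build constructed test material in DIR.
make_demo() {
  # Stand-in CA and a CA-issued "original" TLS server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 2 \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/server.pem" 2>/dev/null
  # Surrogate: self-signed, same subject, same private key as server.pem.
  openssl req -x509 -new -key "$1/server.key" -subj "$SUBJ" -days 2 \
    -out "$1/surrogate.pem" 2>/dev/null
  # Negative case: same subject but a freshly generated key.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "$SUBJ" -days 2 \
    -keyout "$1/other.key" -out "$1/wrongkey.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_surrogate "$demo_dir/server.pem" "$demo_dir/surrogate.pem" && echo "surrogate matches"
check_surrogate "$demo_dir/server.pem" "$demo_dir/wrongkey.pem" || echo "wrong-key certificate rejected"
rm -rf "$demo_dir"
```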