Thanks a lot Martin,
I shall try to stay within openxpki config from now forward :)
The enroll and adding extra (future) CAs etc is all working, so is the
enrollment and the retrieval of the cacert bundle.
Seems i am getting the hang of it.
However I run into a different error than i would expect (or misleading)
For one of the openxpki instances we need, there shouldnt be an option
to re-enroll.
So I have disabled this inside the <realm>/est/default.yaml
setting eligible:renewal to 0
Now when i do a (test) request to re-enroll,
(new key has been generated with the same csr information as the original)
Signed
curl -v --cacert root_tls_ca.crt --cert gateway_factory.crt --key
gateway_factory.pem -H "Content-Type: application/pkcs10" --data
@new_gateway_factory.csr https://factory:8443/.well-known/est/simplereenroll
Self-Signed
curl -v --cacert root_tls_ca.crt -H "Content-Type: application/pkcs10"
--data @new_gateway_factory.csr
https://factory:8443/.well-known/est/simplereenroll
Both cURLs give the same error:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
In the workflow logs, it lists:
2021/12/14 16:21:48 11263 Rendering subject:
CN=GatewayFactory,DC=Factory,DC=OpenXPKI,DC=org
2021/12/14 16:21:48 11263 Trusted Signer chain validated - trusted root
is UlBiQodVxLjnGXNguNjYUAFfUM0
2021/12/14 16:21:48 11263 Trusted Signer not found in trust list
(CN=GatewayFactory,DC=Factory,DC=OpenXPKI,DC=org).
It looks like in both cases it seems to end up in a "enroll on behalf".
Now reenroll will return a HTTP 400. Which in itself could be fine,
namely reenroll didnt work. But I try to understand what is going on.
(I need to build a working re-enroll at a later state)
With kind regards,
Hans de Jong
On 12/14/21 10:09 AM, Martin Bartosch via OpenXPKI-users wrote:
Hi,
I do have a question about the maximum validity.
As I understand, the CA validity has to be longer or the same as the configured
validity in the used profile (which currently is +01, which is 1 year as i
understand)
Now my CAs are valid for 1 year, and have a bit of overlap.
Issuing certificates of this Realm
Subject not before not after
CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL 2022-11-14 00:00:00 UTC
2023-11-14 00:00:00 UTC
CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL 2021-12-09 09:23:55 UTC
2022-12-09 09:23:55 UTC
But I am still getting the same error.
Does this mean that the overlap of certificate validity has to be at least the
duration of the issued certificate?
(so that there is always 1 CA that is valid for the full duration of the
requested certificate)
Sorry if this more a generic CA related question instead of an openxpki one.
We are leaving OpenXPKI grounds here...
As mentioned in the previous mail you need to design your PKI properly, in this
particular case with regard to the CA validities. This means that you need to
align the CA validity with the maximum required end entity validity.
Make sure to provide CA certificates which have a sensible/usable usage period
in which they are fully capable of issuing the maximum required subordinate
certificate validity. Also make sure to design (and test) the CA rollover
process properly.
When I design a PKI I typically recommend
CA Validity := 2 * (maximum required subordinate validity) + some slack value
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
