Hi Oliver,

> OpenXPKI speaks SCEP and EST and there are a lot of clients outside - a
> native API implementation is CertNanny which is a commercial product.

OK, got it. Well, we need to spend more time to get into the topic.

For a realm there's a:
- vault token
- ca-signer
- scep token

So in case I want to have several signing CAs for segmentation (e.g. VPN, WEB, etc.) I create separate realms?
But how to address access via SCEP / RPC / ... to the different realms?
There's a global scep/rpc/est directory with conf-files pointing to one realm.

Thanks and best regards,
Stefan

________________________________________
From: Oliver Welter <[email protected]>
Sent: Wednesday, 26 January 2022 21:27
To: [email protected]
Subject: Re: [OpenXPKI-users] questions about API / auto certificate approval / etc.

Hi Stefan,

On 26.01.22 at 17:54, Stefan Weigel wrote:
> Hi,
> I have several questions, it would be nice to get answers or some hints where
> to get more information, thanks!
>

I will try to give some answers ;)

> API:
> - are there some examples how to enable different authentication handlers (by
> certificate, by access token, username + password)

I guess you mean the RPC API - you can pass a certificate which is quite straightforward by referencing the Cert handler from the sample config in the RPC config. Most of the other things are not really mature yet.

> - is there some client implementation similar to ACME certbot?
> Our idea is to have machines interact automatically with OpenXPKI and
> request a new cert (auth via old certificate?) in case the current cert is
> only valid for X days. Is there any known implementation?

OpenXPKI speaks SCEP and EST and there are a lot of clients outside - a native API implementation is CertNanny which is a commercial product.

> CA
> - is it possible to define an auto apply/accept for certain/all types of
> requests for a special CA (without manual approval)?

yes ;)

> - is there a list of supported smart cards (keeping the CA) supported by
> OpenXPKI (I've read the example from documentation, section "HSM via
> PKCS#11")?

While some people here on the list do that, we do not recommend this - we had a PoC with YubiHSM which works but I would recommend a "real" HSM if you need this security level. OpenXPKI also comes with support for Shamir Secret Splitting in combination with software keys which provides a good level of security even without hardware.

> Support
> - support is done by White Rabbit Security, for questions regarding our needs
> should I directly contact them by phone/mail?

Feel free to call or mail us ;)

best regards

Oliver

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
