Hi folks,
I’m looking to build a certificate request profile where users can only
generate a certificate for themselves.
In order to do that I was thinking of adapting the existing user_cert and making
it so that the cn is equal to the username used during authentication (basic
auth).
Therefore the idea would be to
1 – if using CSR, use only the key in csr and ignore everything else
2 – if using the form, then do not ask for anything, use the “username” for the
subject
#1 - These various pieces of user information are accessible from the Apache HTTP
env as well as from the openxpki environment; however, I cannot find a way to
access them

Stack.yaml

    BasicAuth:
        handler: ExternalAuth
        type: client
        param:
            envkeys:
                username: OIDC_CLAIM_unique_name
                email: OIDC_CLAIM_unique_name
                role: OPENXPKI_SSO_ROLE
                firstname: OIDC_CLAIM_given_name
                lastname: OIDC_CLAIM_family_name
                nickname: OIDC_CLAIM_name

user_cert.yaml

    label: Lab User Certificate
    validity:
        #-15min --> 1year - format +YYMMDDhhmmss
        notafter: +01
        notbefore: -000000001500
    style:
        00_user_basic_style:
            label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
            description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
            ui:
                info:
                    - comment
            subject:
                dn: "[% userinfo.email %], OU=Test"
                san:
                    otherName: "1.3.6.1.4.1.311.20.2.3;UTF8:[% userinfo.email.lower %]"

Unfortunately this gives me an empty CN.
I couldn’t find anything documented for this; any idea how I can proceed?
Thanks,
Florian Cramoisan
PoC Engineer - WW | HPE Aruba Global Solutions | PoC
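
The issuance rule from points 1 and 2 of the message, shown outside OpenXPKI as an added example (not part of the original post and not OpenXPKI code): only the public key is taken from the CSR, and the subject is built from the authenticated username. It uses Python's `cryptography` package; the function names, the lab CA and the alice/bob addresses are constructed for the illustration.

```python
# Added illustration, not OpenXPKI code: the CSR contributes its key and
# nothing else; the subject comes from the authenticated login.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID


def issue_for_authenticated_user(csr_pem, username, ca_key, ca_name):
    """Return a cert for `username`; CSR subject and extensions are ignored."""
    csr = x509.load_pem_x509_csr(csr_pem)
    # Proof of possession: the CSR must be signed by the key it carries.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid")
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, username),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Test"),
    ])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)              # from the login, never from the CSR
        .issuer_name(ca_name)
        .public_key(csr.public_key())       # the only field taken from the CSR
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=15))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def demo():
    """Constructed data: alice is authenticated but submits a CSR naming bob."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Lab CA")])
    user_key = ec.generate_private_key(ec.SECP256R1())
    bob = "bob@example.test"
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, bob)]))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(bob)]), critical=False)
        .sign(user_key, hashes.SHA256())
    )
    pem = csr.public_bytes(Encoding.PEM)
    return issue_for_authenticated_user(pem, "alice@example.test", ca_key, ca_name), user_key
```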