Hi Florian,

Yes, I mean writing some YAML workflow specs; there is some documentation on readthedocs.

Anything else is part of our professional trainings/consulting and as well covered by the OpenXPKI Handbook which is part of the enterprise license - so if you want to save your time, I am sure we find a way to help you :)

Oliver

On 04.12.23 09:19, Cramoisan, Florian (Aruba PoC) wrote:

Hi Oliver,

Thanks for taking the time to answer this!

My goal is to enable a self-service certificate generation that would allow users to generate certificates for their own username only, without requiring approval. It all goes away if they can generate it for arbitrary CN 😃

Just two questions really,

1 - you say "write your own workflow logic"; would that mean creating a workflow as in "workflow/def/certificate_signing_request_v2.yaml"? Or something deeper in the code? If so, would you have access to any form of documentation that goes a bit further than the one online? (This would save me a LOT of time...)

2 - what would be the way to "call" session information? And how would I be able to debug this if I need to?

Thanks again for the effort and for managing all this!

Cheers,

*Florian Cramoisan*

*PoC Engineer - WW | HPE Aruba Global Solutions | PoC*

*ACEX #102 - ACMX#831 | ACCX#1261 | ACDX#1282 | ACSX#1475*

Mobile: +33 (0)6 14 58 32 45 | Desk: +33 (0)4 80 32 35 16

Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France


/This e-mail may contain confidential and/or legally privileged material for the sole use of the intended recipient. If you are not the intended recipient (or authorized to receive for the recipient) please contact the sender by reply e-mail and delete all copies of this message. If you are receiving this message internally within the Hewlett Packard Enterprise company, you should consider the contents "CONFIDENTIAL"./

*From:* Oliver Welter <[email protected]>
*Sent:* Friday, November 24, 2023 07:56
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] Using Auth Info in certificate request

Hi Florian,

the subject templates receive only the content of the cert_subject_parts hash from the workflow, which is created from the input fields in the profile.

The likely easiest way is to create a profile field, use the "preset" property to fill it with the session information and set "type: static", which makes it non-editable on the UI. CAVEAT: This is a UI feature and I am not 100% sure that there is no way to trick the UI into accepting other values, as this was not designed to be "secure"!

The bulletproof solution is writing your own workflow logic to force the session data to be in this hash instead of using the "edit_subject" forms magic.

HTH

Oliver
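To make the difference between the two approaches above concrete, here is a small stand-alone model written for this thread; it is not OpenXPKI code and does not use OpenXPKI's API. It keeps only the names that appear in the thread (the `cert_subject_parts` hash, the `userinfo` session data and the `[% ... %]` subject template syntax); the function names, the dict shapes and the sample inputs are constructed for the illustration. The first path renders the DN from whatever the form submitted, which is what a "static" field pre-filled by the UI amounts to if a client bypasses the UI; the second path is the server-side "workflow step" that forces the session username into the hash before the template is rendered, so a tampered form value has no effect. It also shows why the posted template gave an empty CN (a placeholder that is not a key of the hash renders as nothing) and escapes the session value per RFC 4514 so that a username containing `,` cannot add an RDN of its own.

```python
"""Model of 'trust the UI-prefilled field' vs. 'force the session identity
server-side' when building a certificate subject. Added example for the
thread, not OpenXPKI code; names and sample data are constructed."""
import re

# Subject template as it would appear under style -> subject -> dn in a
# profile; '[% name %]' placeholders are resolved from cert_subject_parts.
DN_TEMPLATE = "CN=[% username %],OU=Test"

_PLACEHOLDER = re.compile(r"\[%\s*([A-Za-z0-9_.]+)\s*%\]")

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value so that a value
    such as 'alice,O=Evil' cannot smuggle in an extra RDN."""
    out = "".join("\\" + c if c in _RDN_SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def render_subject(template: str, parts: dict) -> str:
    """Resolve every '[% key %]' placeholder from *parts*. A key that is
    not in the hash renders as an empty string: this is the 'empty CN'
    symptom when the template references data it never receives."""
    return _PLACEHOLDER.sub(
        lambda m: escape_rdn_value(str(parts.get(m.group(1), ""))), template)


def subject_from_form(cert_subject_parts: dict) -> str:
    """UI-trusting path: the 'username' field may be 'type: static' with a
    session preset in the browser, but whatever the client actually
    submits lands in cert_subject_parts unchanged and is rendered as is."""
    return render_subject(DN_TEMPLATE, cert_subject_parts)


def subject_from_session(cert_subject_parts: dict, userinfo: dict) -> str:
    """Server-side path: overwrite the identity-bearing key from the
    authenticated session before rendering. The submitted value is
    ignored; a session without a username is refused outright."""
    username = userinfo.get("username")
    if not username:
        raise ValueError("no authenticated username in session")
    forced = dict(cert_subject_parts)
    forced["username"] = username  # session wins over the form
    return render_subject(DN_TEMPLATE, forced)


if __name__ == "__main__":
    # Constructed sample: the session says 'alice', but the submitted form
    # claims 'admin' (a client that did not honour the static field).
    session = {"username": "alice", "email": "alice@example.test"}
    submitted = {"username": "admin", "comment": "please sign"}
    print("form-trusting :", subject_from_form(submitted))
    print("session-forced:", subject_from_session(submitted, session))
    # The thread's original template, rendered against a hash that has no
    # 'userinfo.email' key, yields a DN with nothing in front of ', OU=Test'.
    print("thread template:", render_subject("[% userinfo.email %], OU=Test", submitted))
```

The point of the split is where the trust boundary sits: `subject_from_form` is only as strong as the browser's promise not to edit a static field, whereas `subject_from_session` never lets the client-supplied value reach the template at all, which is the property the "bulletproof" workflow logic needs to provide.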

On 22.11.23 16:57, Cramoisan, Florian (Aruba PoC) wrote:

    Hi folks,

    I’m looking to build a certificate request profile where users can
    only generate a certificate for themselves.

    In order to do that I was thinking of adapting the existing
    user_cert and make it so that the cn is equal to the username used
    during authentication (basic auth).

    Therefore the idea would be to

    1 – if using CSR, use only the key in csr and ignore everything else

    2 – if using the form, then do not ask for anything, use the
    “username” for the subject

    #1 - This user information is accessible from the Apache HTTP env as
    well as from the OpenXPKI environment; however, I cannot find a way
    to access it.

    /Stack.yaml/

    BasicAuth:
        handler: ExternalAuth
        type: client
        param:
            envkeys:
                username: OIDC_CLAIM_unique_name
                email: OIDC_CLAIM_unique_name
                role: OPENXPKI_SSO_ROLE
                firstname: OIDC_CLAIM_given_name
                lastname: OIDC_CLAIM_family_name
                nickname: OIDC_CLAIM_name

    /user_cert.yaml/

    label: Lab User Certificate
    validity:
        #-15min --> 1year - format +YYMMDDhhmmss
        notafter: +01
        notbefore: -000000001500
    style:
        00_user_basic_style:
            label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
            description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
            ui:
                info:
                    - comment
            subject:
                dn: "[% userinfo.email %], OU=Test"
                san:
                    otherName: "1.3.6.1.4.1.311.20.2.3;UTF8:[% userinfo.email.lower %]"

    Unfortunately this gives me an empty CN.

    I couldn't find anything documented for this; any idea how I can
    proceed?

    Thanks,

    *Florian Cramoisan*





    _______________________________________________

    OpenXPKI-users mailing list

    [email protected]

    https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!

