So is there a way to get the serialNumber actually working? This is a total
showstopper for our project.
//HS
-----Original Message-----
From: henri.sunde...@iki.fi <henri.sunde...@iki.fi>
Sent: Thursday, February 22, 2024 10:40 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom
extensions
Yes I did, that was not the issue.
-----Original Message-----
From: Jens Berthold <j...@jebecs.de>
Sent: Thursday, February 22, 2024 10:28 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom
extensions
Hi Henri,
did you notice the typo, i.e. the missing "b" in number?
Jens
Am 22.02.24 um 09:01 schrieb henri.sunde...@iki.fi:
> Hi,
>
> Tried this but no luck, its not reading the serial from the CSR.
>
>
> -----Original Message-----
> From: Oliver Welter <m...@oliwel.de>
> Sent: Wednesday, February 21, 2024 1:26 PM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom
> extensions
>
> Hi Henri,
>
> my fault - serialNumber is not in the "registered RDN" list for the
> template parser shortcuts, it should work with
>
> preset: '[% serialNumer.0 %]'
>
> best regards
>
> Oliver
>
> On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
>> I tried that, but it does not work.
>> Using the template with preset as set below, it fills serialNumber
>> field with value "serialNumber". Certificate profile is same as I
>> presented before. This sounds like a bug - maybe it tries to take key
>> instead its value?
>>
>>
>> serial.yaml:
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: serialNumber
>> type: text
>> width: 40
>> placeholder: 0000
>>
>>
>>
>>
>> -----Original Message-----
>> From: Oliver Welter <m...@oliwel.de>
>> Sent: Monday, February 19, 2024 10:21 AM
>> To: openxpki-users@lists.sourceforge.net
>> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom
>> extensions
>>
>> Hello Henri,
>>
>> you have to use "serialNumber" as preset also, SN is the "Surname"
>> OID
>> :)
>>
>> For the second part - you can turn on the "copy extension" flag but
>> as outlined in the comment this copies ANYTHING from the request so
>> this requires a certain portion of control on CSR generation and a
>> very good validation as you otherwise might sign things you do not
>> expect
too.
>>
>> The other option requires a modification of the workflow and the use
>> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension,
>> likely with some magic around to build the right content - or an
>> upgrade to the enterprise edition which comes with a templating
>> mechanism and some other nice features around profile based extensions.
>>
>> best regards
>>
>> Oliver
>>
>> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>>> I'm trying to make a new certificate profile, with this kind of
>>> requirements:
>>> - Subject shall have serialNumber field, which is copied from CSR
>>> - Extensions shall have a custom OID field with custom bit stream
>>> data, which is copied from CSR
>>>
>>> I haven't been able to get any of that working. I added to templates
>>> serial.yaml:
>>> --
>>> id: serialNumber
>>> label: serialNumber
>>> description: Serial Number
>>> preset: SN.0
>>> type: text
>>> width: 40
>>> placeholder: 0000
>>> --
>>> And I made new profile like this:
>>> --
>>> # The name of the file equals the name of the profile
>>> label: License
>>>
>>> # digest to use
>>> digest: sha256
>>>
>>> style:
>>> 00_basic_style:
>>> label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>> description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>> # Define which input fields you want on the UI
>>> # Just put their names here and define them at the end
>>> # in the "template" section.
>>> # You can also use the template names found in the
>>> # template.yaml file, if you duplicate a name, the
>>> # local definition gets precedence.
>>> ui:
>>> subject:
>>> - hostname
>>> - serial
>>> - o
>>> - c
>>> info:
>>> - requestor_realname
>>> - requestor_email
>>> - owner_contact
>>> - comment
>>>
>>> # Subject is evaluated by template toolkit with the input
>>> data from the ui.subject fields
>>> # Note: Fields which have max > 1 are always passed as array
>>> subject:
>>> dn: CN=[% hostname %],serialNumber=[% serial %]
>>> # You can use the fields from ui.subject here
>>>
>>> # this is attached to the certificate, all fields from ui
>>> can be used
>>> metadata:
>>> requestor: "[% requestor_realname %]"
>>> email: "[% requestor_email %]"
>>> owner_contact: "[% owner_contact || requestor_email %]"
>>> entity: "[% hostname FILTER lower %]"
>>>
>>>
>>> # A standard template used from the automated enrollment
workflows
>>> enroll:
>>> subject:
>>> # All RDNs from the PKCS10 containers DN are avaiable
here
>>> # Items from the SAN section are also available here
>>> # Note that all items are always arrays, for the SAN
>>> the pipe
>> is
>>> # used as separator character to split individual
>>> items
> later
>>> dn: CN=[% CN.0 %],serialNumber=[% SN.0 %]
>>>
>>>
>>> # metadata source items added via the "params" section of the
>>> # PersistMetadata action in the workflow are available in
data
>>> # DN/SAN parts are available as defined above
>>> metadata:
>>> system_id: "[% data.cust_id %]"
>>> server_id: "[% data.server_id %]"
>>> entity: "[% CN.0.replace(':.*','') FILTER lower %]"
>>>
>>> # Consumed by RenderExtensions to add extra extensions
>>> extension:
>>> securityIdentifier: '[% ext.sid %]'
>>> certificateTemplateName: '[% ext.template_name %]'
>>> certificateTemplate:
>>> - '[% ext.template.oid %]'
>>> - '[% ext.template.major %]'
>>> - '[% ext.template.minor %]'
>>>
>>> # Profile extensions - set 0/1 as needed
>>> extensions:
>>> # Enable this to copy extensions from the CSR to the Certificate
>>> # THIS MIGHT BE DANGEROUS, see copy_extensions of openssl ca
> command
>>> # For security reasons hhis can NOT be set in default.yaml
>>> copy: copy
>>>
>>> basic_constraints:
>>> critical: 1
>>> ca: 0
>>> # only relevant with ca = 1
>>> path_length: 0
>>>
>>> key_usage:
>>> critical: 0
>>> digital_signature: 0
>>> non_repudiation: 1
>>> key_encipherment: 0
>>> data_encipherment: 0
>>> key_agreement: 0
>>> key_cert_sign: 0
>>> crl_sign: 0
>>> encipher_only: 0
>>> decipher_only: 0
>>>
>>> extended_key_usage:
>>> critical: 0
>>> # these are OIDs, some OIDs are known and have names
>>> client_auth: 0
>>> server_auth: 0
>>> email_protection: 0
>>> code_signing: 0
>>> time_stamping: 0
>>> ocsp_signing: 0
>>> # Any other oid can be given by number
>>> 1.3.6.1.4.1.311.20.2.2: 0
>>>
>>>
>>> subject_key_identifier:
>>> critical: 0
>>> hash: 1
>>>
>>> authority_key_identifier:
>>> critical: 0
>>> keyid: 1
>>> issuer: 1
>>>
>>> issuer_alt_name:
>>> critical: 0
>>> copy: 0
>>>
>>> crl_distribution_points:
>>> critical: 0
>>> # uri can be scalar or list
>>> uri:
>>> - http://localhost/cacrl.crt
>>> - ldap://localhost/cn=[% ISSUER.CN.0
>>> %],dc=OpenXPKI,dc=org
>>>
>>> authority_info_access:
>>> critical: 0
>>> # ca_issuers and ocsp can be scalar or list
>>> ca_issuers: http://localhost/cacert.cer
>>> ocsp: http://ocsp.openxpki.org/
>>>
>>> oid:
>>> 1.2.3.4.5.6:
>>> critical: 1
>>> copy: 1
>>> # end of extensions
>>>
>>> # Define the input fields you used below here
>>> #template:
>>> --
>>>
>>> The CSR looks like this:
>>> --
>>>
>>> Certificate Request:
>>> Data:
>>> Version: 1 (0x0)
>>> Subject: CN=Device01, O=xxxx inc/serialNumber=1234567
>>> Subject Public Key Info:
>>> Public Key Algorithm: id-ecPublicKey
>>> Public-Key: (384 bit)
>>> pub:
>>> xxxx
>>> ASN1 OID: secp384r1
>>> NIST CURVE: P-384
>>> Attributes:
>>> Requested Extensions:
>>> 1.2.3.4.5.6: critical
>>> xxxxxx
>>> Signature Algorithm: ecdsa-with-SHA256
>>> Signature Value:
>>> xxxx
>>>
>>> --
>>>
>>>
>>> So far I've only tried the manual workflow. I can see it loads the
>>> serial.yaml since it puts the placeholder data and labels in there,
>>> but the serialnumber data from CSR is not filled.
>>> For the custom OID I'm not that far yet since it fails to the serial.
>>>
>>> Any idea what should be changed? Is the serial number even properly
>>> supported?
>>>
>>>
>>> //HS
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> OpenXPKI-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> OpenXPKI-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> OpenXPKI-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
> --
> Protect your environment - close windows and adopt a penguin!
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
