So is there a way to get the serialNumber actually working? This is a total showstopper for our project.
//HS

-----Original Message-----
From: henri.sunde...@iki.fi <henri.sunde...@iki.fi>
Sent: Thursday, February 22, 2024 10:40 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions

Yes I did, that was not the issue.

-----Original Message-----
From: Jens Berthold <j...@jebecs.de>
Sent: Thursday, February 22, 2024 10:28 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions

Hi Henri,

did you notice the typo, i.e. the missing "b" in number?

Jens

On 22.02.24 at 09:01, henri.sunde...@iki.fi wrote:
> Hi,
>
> Tried this but no luck, it's not reading the serial from the CSR.
>
> -----Original Message-----
> From: Oliver Welter <m...@oliwel.de>
> Sent: Wednesday, February 21, 2024 1:26 PM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>
> Hi Henri,
>
> my fault - serialNumber is not in the "registered RDN" list for the
> template parser shortcuts, it should work with
>
> preset: '[% serialNumer.0 %]'
>
> best regards
>
> Oliver
>
> On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
>> I tried that, but it does not work.
>> Using the template with preset as set below, it fills the serialNumber
>> field with the value "serialNumber". The certificate profile is the same
>> as I presented before. This sounds like a bug - maybe it tries to take
>> the key instead of its value?
>>
>> serial.yaml:
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: serialNumber
>> type: text
>> width: 40
>> placeholder: 0000
>>
>> -----Original Message-----
>> From: Oliver Welter <m...@oliwel.de>
>> Sent: Monday, February 19, 2024 10:21 AM
>> To: openxpki-users@lists.sourceforge.net
>> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>>
>> Hello Henri,
>>
>> you have to use "serialNumber" as preset also, SN is the "Surname" OID :)
>>
>> For the second part - you can turn on the "copy extension" flag but
>> as outlined in the comment this copies ANYTHING from the request so
>> this requires a certain portion of control on CSR generation and a
>> very good validation as you otherwise might sign things you do not
>> expect to.
>>
>> The other option requires a modification of the workflow and the use
>> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension,
>> likely with some magic around to build the right content - or an
>> upgrade to the enterprise edition which comes with a templating
>> mechanism and some other nice features around profile based extensions.
>>
>> best regards
>>
>> Oliver
>>
>> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>>> I'm trying to make a new certificate profile, with this kind of
>>> requirements:
>>> - Subject shall have a serialNumber field, which is copied from the CSR
>>> - Extensions shall have a custom OID field with custom bit stream
>>>   data, which is copied from the CSR
>>>
>>> I haven't been able to get any of that working.
>>> I added to templates serial.yaml:
>>> --
>>> id: serialNumber
>>> label: serialNumber
>>> description: Serial Number
>>> preset: SN.0
>>> type: text
>>> width: 40
>>> placeholder: 0000
>>> --
>>> And I made a new profile like this:
>>> --
>>> # The name of the file equals the name of the profile
>>> label: License
>>>
>>> # digest to use
>>> digest: sha256
>>>
>>> style:
>>>     00_basic_style:
>>>         label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>>         description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>>         # Define which input fields you want on the UI
>>>         # Just put their names here and define them at the end
>>>         # in the "template" section.
>>>         # You can also use the template names found in the
>>>         # template.yaml file, if you duplicate a name, the
>>>         # local definition gets precedence.
>>>         ui:
>>>             subject:
>>>                 - hostname
>>>                 - serial
>>>                 - o
>>>                 - c
>>>             info:
>>>                 - requestor_realname
>>>                 - requestor_email
>>>                 - owner_contact
>>>                 - comment
>>>
>>>         # Subject is evaluated by template toolkit with the input
>>>         # data from the ui.subject fields
>>>         # Note: Fields which have max > 1 are always passed as array
>>>         subject:
>>>             dn: CN=[% hostname %],serialNumber=[% serial %]
>>>             # You can use the fields from ui.subject here
>>>
>>>         # this is attached to the certificate, all fields from ui
>>>         # can be used
>>>         metadata:
>>>             requestor: "[% requestor_realname %]"
>>>             email: "[% requestor_email %]"
>>>             owner_contact: "[% owner_contact || requestor_email %]"
>>>             entity: "[% hostname FILTER lower %]"
>>>
>>> # A standard template used from the automated enrollment workflows
>>> enroll:
>>>     subject:
>>>         # All RDNs from the PKCS10 containers DN are available here
>>>         # Items from the SAN section are also available here
>>>         # Note that all items are always arrays, for the SAN the pipe is
>>>         # used as separator character to split individual items later
>>>         dn: CN=[% CN.0 %],serialNumber=[% SN.0 %]
>>>
>>>     # metadata source items added via the "params" section of the
>>>     # PersistMetadata action in the workflow are available in data
>>>     # DN/SAN parts are available as defined above
>>>     metadata:
>>>         system_id: "[% data.cust_id %]"
>>>         server_id: "[% data.server_id %]"
>>>         entity: "[% CN.0.replace(':.*','') FILTER lower %]"
>>>
>>>     # Consumed by RenderExtensions to add extra extensions
>>>     extension:
>>>         securityIdentifier: '[% ext.sid %]'
>>>         certificateTemplateName: '[% ext.template_name %]'
>>>         certificateTemplate:
>>>             - '[% ext.template.oid %]'
>>>             - '[% ext.template.major %]'
>>>             - '[% ext.template.minor %]'
>>>
>>> # Profile extensions - set 0/1 as needed
>>> extensions:
>>>     # Enable this to copy extensions from the CSR to the Certificate
>>>     # THIS MIGHT BE DANGEROUS, see copy_extensions of openssl ca command
>>>     # For security reasons this can NOT be set in default.yaml
>>>     copy: copy
>>>
>>>     basic_constraints:
>>>         critical: 1
>>>         ca: 0
>>>         # only relevant with ca = 1
>>>         path_length: 0
>>>
>>>     key_usage:
>>>         critical: 0
>>>         digital_signature: 0
>>>         non_repudiation: 1
>>>         key_encipherment: 0
>>>         data_encipherment: 0
>>>         key_agreement: 0
>>>         key_cert_sign: 0
>>>         crl_sign: 0
>>>         encipher_only: 0
>>>         decipher_only: 0
>>>
>>>     extended_key_usage:
>>>         critical: 0
>>>         # these are OIDs, some OIDs are known and have names
>>>         client_auth: 0
>>>         server_auth: 0
>>>         email_protection: 0
>>>         code_signing: 0
>>>         time_stamping: 0
>>>         ocsp_signing: 0
>>>         # Any other oid can be given by number
>>>         1.3.6.1.4.1.311.20.2.2: 0
>>>
>>>     subject_key_identifier:
>>>         critical: 0
>>>         hash: 1
>>>
>>>     authority_key_identifier:
>>>         critical: 0
>>>         keyid: 1
>>>         issuer: 1
>>>
>>>     issuer_alt_name:
>>>         critical: 0
>>>         copy: 0
>>>
>>>     crl_distribution_points:
>>>         critical: 0
>>>         # uri can be scalar or list
>>>         uri:
>>>             - http://localhost/cacrl.crt
>>>             - ldap://localhost/cn=[% ISSUER.CN.0 %],dc=OpenXPKI,dc=org
>>>
>>>     authority_info_access:
>>>         critical: 0
>>>         # ca_issuers and ocsp can be scalar or list
>>>         ca_issuers: http://localhost/cacert.cer
>>>         ocsp: http://ocsp.openxpki.org/
>>>
>>>     oid:
>>>         1.2.3.4.5.6:
>>>             critical: 1
>>>             copy: 1
>>> # end of extensions
>>>
>>> # Define the input fields you used below here
>>> #template:
>>> --
>>>
>>> The CSR looks like this:
>>> --
>>> Certificate Request:
>>>     Data:
>>>         Version: 1 (0x0)
>>>         Subject: CN=Device01, O=xxxx inc/serialNumber=1234567
>>>         Subject Public Key Info:
>>>             Public Key Algorithm: id-ecPublicKey
>>>                 Public-Key: (384 bit)
>>>                 pub:
>>>                     xxxx
>>>                 ASN1 OID: secp384r1
>>>                 NIST CURVE: P-384
>>>         Attributes:
>>>             Requested Extensions:
>>>                 1.2.3.4.5.6: critical
>>>                     xxxxxx
>>>     Signature Algorithm: ecdsa-with-SHA256
>>>     Signature Value:
>>>         xxxx
>>> --
>>>
>>> So far I've only tried the manual workflow. I can see it loads the
>>> serial.yaml since it puts the placeholder data and labels in there,
>>> but the serialNumber data from the CSR is not filled.
>>> For the custom OID I'm not that far yet since it fails at the serial.
>>>
>>> Any idea what should be changed? Is the serial number even properly
>>> supported?
>>>
>>> //HS
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> OpenXPKI-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
> --
> Protect your environment - close windows and adopt a penguin!
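Oliver's point that `copy: copy` passes through ANYTHING the request carries, and therefore needs strict validation of the CSR, can be turned into a pre-signing check. The following is an added example written with the Python `cryptography` library, not OpenXPKI code: it builds a constructed CSR shaped like the one in the thread (CN, O, serialNumber, critical extension 1.2.3.4.5.6), extracts the serialNumber RDN, and rejects any requested extension outside an assumed allow-list that contains only that one OID.

```python
"""Pre-signing CSR check: read the serialNumber RDN and refuse any requested
extension not on an explicit allow-list. Added example, not OpenXPKI code."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumed allow-list: only the custom OID the License profile is meant to copy.
CUSTOM_OID = x509.ObjectIdentifier("1.2.3.4.5.6")
ALLOWED_EXTENSIONS = {CUSTOM_OID}


def build_sample_csr(extra_san: bool = False) -> bytes:
    """Constructed CSR mirroring the thread: CN, O, serialNumber and a critical
    1.2.3.4.5.6 extension. extra_san=True adds a SAN the profile never asked
    for, which copy_extensions would otherwise carry into the certificate."""
    key = ec.generate_private_key(ec.SECP384R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "Device01"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "xxxx inc"),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, "1234567"),
    ])).add_extension(
        # Constructed DER BIT STRING: tag 0x03, length 2, 5 unused bits, 0xa0
        x509.UnrecognizedExtension(CUSTOM_OID, b"\x03\x02\x05\xa0"),
        critical=True,
    )
    if extra_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName("www.example.org")]),
            critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(
        serialization.Encoding.PEM)


def check_csr(pem: bytes) -> dict:
    """Return the serialNumber value and every extension OID not on the
    allow-list; 'ok' is True only when nothing unexpected was requested."""
    csr = x509.load_pem_x509_csr(pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR self-signature does not verify")
    serials = csr.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)
    if len(serials) != 1:
        raise ValueError("exactly one serialNumber RDN is required")
    unexpected = sorted(ext.oid.dotted_string for ext in csr.extensions
                        if ext.oid not in ALLOWED_EXTENSIONS)
    return {"serial_number": serials[0].value,
            "unexpected_extensions": unexpected,
            "ok": not unexpected}
```

Run `check_csr(build_sample_csr())` for the clean request and `check_csr(build_sample_csr(extra_san=True))` to see the unrequested SAN (2.5.29.17) flagged.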