Hello, I'd like to experiment with the EST reenroll web service and I don't seem to succeed yet.
1- I have enrolled a 1st CSR and got my certificate.

2- In this forum, I also found out that it's comparing the full subject (and not just the CN part). So I just ran the same command to have the same CSR with the same data in it.
>>>> To generate the CSR like the following:
    sudo openssl req -subj "/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=same cn" -addext "subjectAltName = DNS:localhost" -nodes -new -key openxpki.pem -outform der -out - | base64 > localhost-req.pem

3- I did compare the two subjects and they look similar:
    cat localhost-req.pem | base64 --decode | openssl req -inform der -noout -text | grep Subject:
>>>> Subject: DC = org, DC = OpenXPKI, DC = Test Deployment, CN= same cn
    openssl x509 -in cert.pem -noout -text | grep Subject:
>>>> Subject: DC = org, DC = OpenXPKI, DC = Test Deployment, CN= same cn

4- I then sent the request:
    sudo curl -k --key openxpki.pem --cert cert.pem -u test:test -v -H "Connection: close" -H "Content-Type: application/pkcs10" --data @localhost-req.pem https://localhost:8443/.well-known/est/simplereenroll
The use of HTTP basic auth (-u test:test) was just something I was testing before. It's irrelevant in this post.

5- I do get authenticated through basic auth AND through the certificates I'm passing to cURL. But I keep getting back the same certificate. No workflow is triggered. And in EST.log:
>>>> INF authenticated client DN: CN=same cn,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=91|ep=[undef]]

6- I thought it was my authentication stack causing the issue (using HTTP basic), so I reversed it back to the default (anonymous), and I still don't get the renewal mode, just fetching the same certificate.

(sudo curl and csr involve sudo because that private key requires some privileges)

Has anyone spotted the missing piece?

Thank you for your time and efforts,
Mohamed
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users