Hi Mo,
Trust rules are additive, so all rules must be true - and one of your
trust rules says
root_alias: gosigner
so it expects the root certificate to have an alias group of gosigner.
Placing your external certificate into the ca-signer group will break
your issuing CA.
Oliver
On 26.03.25 19:29, Mo Be wrote:
Still struggling, but I think it's related to the alias.
Like I said earlier, I'm importing the certificate and it had no alias
with it (it did not create the alias I thought it was creating...)
I've been digging a bit in the sample script and noticed the alias
value is always generated by OpenXPKI.
So I gave it a shot and ran the following (the certsign token was
mentioned somewhere in the docs, so I tried it out)
-> openxpkiadm alias --file goca.crt --realm democa --token certsign
And magically, it did two things:
Successfully wrote alias:
Alias : ca-signer-2
Identifier: 8SUUyO2hC4SCeehX2VjsTSMGQj8
NotBefore : 2025-03-25 18:41:44
NotAfter : 2035-03-25 17:41:44
Token is certsign, looking for root...
Creating alias for root ca:
Alias : root-2
Identifier: 8SUUyO2hC4SCeehX2VjsTSMGQj8
NotBefore : 2025-03-25 18:41:44
NotAfter : 2035-03-25 17:41:44
Now I can say - at least I have an alias :)
I don't know if it's normal that my external root certificate is both
ca-signer-2 & root-2.
In the UI, it's marked as offline (I don't care, I just need it for
trusting my external certificate chain - leaf + root).
But I still have the same error with the same logs: Trusted Signer
not found in trust list
I'm using the authentication system stack; I tried it out with
Certificate in case it'd change anything (it didn't).
I feel I'm getting closer, but there's still something missing out there.
On Tue, 25 Mar 2025 at 22:43, Mo Be <mopra...@gmail.com> wrote:
Hello OpenX community,
I've been struggling for a while to leverage the external allowed
signer feature.
I found many useful resources and answers in here, but I always
end up with the same error and I can't see what rules it's trying
to validate against.
[http error response]
Request was rejected:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
[technical logs]
*** 2025/03/25 21:30:34 255 Rendering subject: CN=test me
*** 2025/03/25 21:30:34 255 Trusted Signer chain validated -
trusted root is 8SUUyO2hC4SCeehX2VjsTSMGQj8
*** 2025/03/25 21:30:34 255 Trusted Signer not found in trust list
(CN=gocert).
[webui - workflow context]
error_code: request is not in authorized signer list
p_allow_external_signer: 1
request_mode: onbehalf
server: default
signer_authorized: 0
signer_subject: CN=gocert
signer_trusted: 1
signer_validity: 1
[webui - workflow history]
state - signed_request -> enroll_set_mode_onbehalf
state - start_onbehalf -> global_set_error_signer_not_authorized
[what I did]
1. I signed a certificate with an "external root CA"
2. I placed my external CA root certificate inside openx config
3. I changed est.default.yml to take it into account
3a. Authorized signer rules
-> rule1:
# Full DN
subject: CN=gocert
root_alias: gosigner
realm: _any
where CN=gocert corresponds to the CN of the leaf certificate (not
root)
3b. Set allow external flag
allow_anon_enroll: 0
allow_external_signer: 1
4. I imported the external CA to openxpki db with the following
command
-> openxpkiadm certificate import alias gosigner --file goca.crt
--realm democa
5. I include the certificate chain (the signer) in curl and send
the CSR
6. And I get my error :)
The certificate chain = leaf + root
I tried again with chain = leaf + intermediate + root (I also
added an external_issuer alias and imported the certificate with its
corresponding alias).
Also, when I run
-> openxpkiadm alias list
I don't see the alias I created for my external CA, but ... I
guess it's not an issue since the signer was trusted (it's just
not in the authorized signer list, the missing part).
By the way, when I enrolled on-behalf a signer issued by the same
OpenXPKI (aka, internal signer), it worked fine.
Working environment
*** I'm using the docker approach.
*** OpenXPKI system version 3.30.9
*** OpenXPKI config version 3.28
If you were able to spot the missing piece to my success, I'd
appreciate the hint :)
And if you need any more details, please let me know.
Cheers,
Mohamed
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
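The following is an added illustration of the point Oliver makes above, not OpenXPKI's own code: a small evaluator that treats every condition of an authorized-signer rule as ANDed (the "additive" behaviour), and reports which condition a signer fails. The data is constructed from the thread: rule1 from est.default.yml and a signer whose root ended up as alias root-2 after the openxpkiadm import. Two details are assumptions rather than documented OpenXPKI behaviour: the subject condition is matched as an anchored regular expression, and the alias group is derived by stripping the numeric generation suffix (root-2 -> root, ca-signer-2 -> ca-signer), which is inferred from the alias names in the log output. The example also shows why the workflow context can report signer_trusted: 1 together with signer_authorized: 0: chain validation and rule matching are separate steps, and a validated chain whose root sits in the wrong alias group still fails the root_alias condition.

```python
import re

# Constructed data, modelled on the thread (not OpenXPKI's own code or data):
# the rule from est.default.yml and the signer facts visible in the logs.
RULES = {
    "rule1": {
        "subject": "CN=gocert",
        "root_alias": "gosigner",
        "realm": "_any",
    },
}

# Signer as it appears after the second import attempt: the root cert was
# written as alias "root-2", i.e. alias group "root", not "gosigner".
SIGNER_AFTER_IMPORT = {
    "subject": "CN=gocert",
    "realm": "democa",
    "root_alias": "root-2",
}


def alias_group(alias):
    """Strip the numeric generation suffix (assumed convention):
    'root-2' -> 'root', 'ca-signer-2' -> 'ca-signer', 'gosigner' -> 'gosigner'."""
    group, sep, generation = alias.rpartition("-")
    return group if sep and generation.isdigit() else alias


def evaluate_rule(rule, signer):
    """Return the names of the conditions the signer fails to meet.
    An empty list means every condition held, i.e. the rule matches.
    Conditions are ANDed, which is what 'additive' means in the reply above."""
    failed = []
    for key, expected in rule.items():
        if key == "subject":
            # Assumption: subject is matched as an anchored regular expression.
            ok = re.fullmatch(expected, signer["subject"]) is not None
        elif key == "realm":
            ok = expected == "_any" or expected == signer["realm"]
        elif key == "root_alias":
            ok = expected == alias_group(signer["root_alias"])
        else:
            ok = False  # an unknown condition can never be satisfied
        if not ok:
            failed.append(key)
    return failed


def authorize(rules, signer):
    """Mirror the workflow context field: signer_authorized is 1 only if
    some rule matches completely. Also return a per-rule failure report
    so an operator can see which condition blocked the signer."""
    report = {name: evaluate_rule(rule, signer) for name, rule in rules.items()}
    authorized = int(any(len(failed) == 0 for failed in report.values()))
    return authorized, report


if __name__ == "__main__":
    authorized, report = authorize(RULES, SIGNER_AFTER_IMPORT)
    print("signer_authorized:", authorized)
    for name, failed in report.items():
        status = "match" if not failed else "failed on " + ", ".join(failed)
        print(f"  {name}: {status}")
```

Running it with the thread's values reports rule1 failing only on root_alias; changing the signer's root alias to one in the gosigner group (for example gosigner-1) makes the same rule match, while a different leaf subject fails the subject condition instead.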