Hi there,
I am trying to get *issuerca* and *rootca* in |chain| when I call the
certificate_enroll workflow via the RPC server.
My config:
|/etc/openxpki/rpc/default.conf|

    ...
    [RequestCertificate]
    workflow = certificate_enroll
    param = pkcs10, profile, comment, signature
    output = cert_identifier, certificate, chain, error_code, transaction_id
    env = signer_cert
    servername = default
    pickup = pkcs10, transaction_id
    pickup_workflow = check_enrollment

|/etc/openxpki/config.d/realm/<my-realm>/rpc/default.yaml|

    ...
    policy:
        ...
        export_certificate: fullchain
        ...

|/etc/openxpki/config.d/realm/<my-realm>/workflow/def/certificate_enroll.yaml|

    ...
    export_chain:
        class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
        param:
            _map_cert_identifier: $cert_identifier
            target_key: chain
            #template: '[% chain.join("\n") %]'
            export_format: BUNDLE
            include_root_cert: 1

    export_fullchain:
        class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
        param:
            _map_cert_identifier: $cert_identifier
            target_key: chain
            #template: '[% chain.join("\n"); "\n"; ca %]'
            export_format: BUNDLE
            #export_format: PEM
            include_root_cert: 1
            #bundle: 1
    ...

|/etc/openxpki/config.d/realm/<my-realm>/workflow/global/action/export_fullchain.yaml|

    class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
    param:
        _map_cert_identifier: $cert_identifier
        target_key: chain
        #template: '[% chain.join("\n"); "\n"; ca %]'
        export_format: BUNDLE
        #export_format: PEM
        include_root_cert: 1
        #bundle: 1

|/etc/openxpki/config.d/realm/<my-realm>/workflow/global/action/export_chain.yaml|

    class: OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport
    param:
        _map_cert_identifier: $cert_identifier
        target_key: chain
        #template: '[% chain.join("\n") %]'
        export_format: BUNDLE
        #export_format: PEM
        include_root_cert: 1
        #bundle: 1

The |/var/log/openxpki/rpc.log| shows that the chain field contains only
one certificate: the issuerca. The rootca cert is missing.

    ...
    2025/07/08 14:58:17 DEB HTTP status: [200 OK] [pid=72|endpoint=]
    2025/07/08 14:58:17 TRA bless( {
      'http_status_code' => '200',
      'http_status_line' => '200 OK',
      'http_status_message' => 'OK',
      'proc_state' => 'finished',
      'result' => {
        'data' => {
          'cert_identifier' => 'hajclENHARzszexXX5-cj_mAHxE',
          'certificate' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'chain' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64'
        },
        'id' => 9215,
        'pid' => 72,
        'proc_state' => 'finished',
        'state' => 'SUCCESS'
      },
      'state' => 'SUCCESS',
      'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64',
      'workflow' => {
        'archive_at' => undef,
        'context' => {
          'approval_points' => '1',
          'approvals' => 'OXJSF1:[{"mode":"generated","comment":"Auto-Approval based on eligibility result:"}]',
          'cert_identifier' => 'hajclENHARzszexXX5-cj_mAHxE',
          'cert_info' => '',
          'cert_profile' => 'tls_server',
          'cert_san_parts' => '',
          'cert_subject' => 'CN=website-dev.aic-group.local',
          'cert_subject_alt_name' => 'OXJSF1:[["DNS","website-dev.aic-group.local"]]',
          'cert_subject_parts' => 'OXJSF1:{"CN":["website-dev.aic-group.local"],"SAN_DNS":["website-dev.aic-group.local"]}',
          'cert_subject_style' => 'enroll',
          'certificate' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'chain' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----',
          'comment' => 'acme2certifier',
          'creator' => 'Anonymous',
          'csr_digest_alg' => 'sha256',
          'csr_key_alg' => 'rsa',
          'csr_key_params' => 'OXJSF1:{"key_length":4096}',
          'csr_serial' => '2303',
          'csr_subject' => 'CN=website-dev.aic-group.local',
          'csr_subject_key_identifier' => 'BE:C6:65:00:69:DA:B1:46:62:BD:A0:C5:06:59:EE:E7:82:2F:C8:D5',
          'error_code' => '',
          'interface' => 'rpc',
          'is_eligible' => '1',
          'p_allow_anon_enroll' => '0',
          'p_allow_eligibility_recheck' => '0',
          'p_allow_man_approv' => '1',
          'p_allow_man_authen' => '1',
          'p_allow_replace' => '1',
          'p_approval_points' => '1',
          'p_auto_revoke_existing_certs' => '1',
          'p_export_certificate' => 'chain',
          'p_max_active_certs' => '1',
          'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----',
          'req_attributes' => 'OXJSF1:{}',
          'req_extensions' => 'OXJSF1:{}',
          'request_mode' => 'onbehalf',
          'revoke_cert_identifier' => '',
          'revoke_delay_revocation_time' => '',
          'revoke_reason_code' => '',
          'revoke_workflow_id' => '',
          'server' => 'default',
          'signer_authorized' => '1',
          'signer_cert' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ',
          'signer_cert_identifier' => 'LGq5Db3oMKkfn1HuS-lfnzOCqYo',
          'signer_in_current_realm' => '1',
          'signer_revoked' => '0',
          'signer_subject' => 'CN=acme2certifier-dev.aic-group.local:acme2ca,DC=aic-group-local,DC=dev,DC=aic-group,DC=local',
          'signer_subject_key_identifier' => 'CA:FB:6E:7A:86:E7:01:76:44:5F:26:7D:7F:2F:FE:CC:C8:4C:3C:14',
          'signer_trusted' => '1',
          'signer_validity_ok' => '1',
          'sources' => 'OXJSF1:{"server":"api","signer_cert":"api","pkcs10":"api","req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","cert_subject_alt_name":"PKCS10","interface":"api","comment":"api"}',
          'transaction_id' => '42eaaf48d915fa9ed82e6032278d7be8174c2a64',
          'wfl_notify' => 'OXJSF1:{"smtp":{"requestor":{"to":null,"prefix":"OpenXPKI-Dev 9215","cc":[]}}}',
          'workflow_id' => '9215'
        },
        'count_try' => 0,
        'description' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
        'id' => 9215,
        'label' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'last_update' => '2025-07-01T14:38:43',
        'proc_state' => 'finished',
        'reap_at' => 1751381022,
        'state' => 'SUCCESS',
        'title' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'type' => 'certificate_enroll',
        'wake_up_at' => undef
      }
    }, 'OpenXPKI::Client::Service::Response' ) [pid=72|endpoint=]
    2025/07/08 14:58:17 DEB Disconnect client [pid=72|endpoint=]

Is there someone who has a hint for me?
Thanks in advance!!
--
with kind regards
Frank
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
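
A check for the symptom reported in the message above, as an added example that is not part of the original post and not OpenXPKI code: it extracts the p_ entries from a Data::Dumper style trace like the rpc.log excerpt, compares them with the value configured under policy in default.yaml, and counts the certificates in chain. The function names and the abridged sample trace are constructed for illustration, and it assumes the p_ context keys mirror the endpoint's policy section.

```python
import re

# Constructed sample: an abridged trace in the shape of the rpc.log dump,
# with certificate bodies shortened to "..." as in the post.
SAMPLE_TRACE = (
    "2025/07/08 14:58:17 TRA bless( { 'result' => { 'data' => { "
    "'chain' => '-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----' } }, "
    "'workflow' => { 'context' => { 'p_approval_points' => '1', "
    "'p_export_certificate' => 'chain', 'p_max_active_certs' => '1' } } }, "
    "'OpenXPKI::Client::Service::Response' )"
)

# Matches 'key' => 'value' pairs; values may span wrapped log lines.
PAIR = re.compile(r"'([^']+)'\s*=>\s*'([^']*)'")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def effective_policy(trace):
    """Return the p_* context entries of the trace, without the prefix."""
    return {k[2:]: v for k, v in PAIR.findall(trace) if k.startswith("p_")}


def chain_length(trace):
    """Count the certificates in the first 'chain' value of the trace."""
    for key, value in PAIR.findall(trace):
        if key == "chain":
            return value.count(PEM_BEGIN)
    return 0


def policy_drift(expected, trace):
    """Map each differing policy key to (configured, effective)."""
    seen = effective_policy(trace)
    return {k: (v, seen.get(k)) for k, v in expected.items() if seen.get(k) != v}


if __name__ == "__main__":
    # Value configured in rpc/default.yaml according to the post.
    configured = {"export_certificate": "fullchain"}
    print("certificates in chain:", chain_length(SAMPLE_TRACE))
    for key, (want, got) in policy_drift(configured, SAMPLE_TRACE).items():
        print(f"policy {key}: configured {want!r}, workflow context has {got!r}")
```
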