Hi,

> I have built OpenXPKI Community Edition v3.32.8 on Debian 12.11 using the
> demo configuration (sampleconfig.sh). It is running and successfully working
> with a firewall that supports both manual (CSR) and SCEP enrollment.
>
> I have successfully tested EST using the openssl and curl commands listed on
> your website under the 'EST Endpoint/RFC 7030 - Default Configuration'
> section, although I had to add '-k --insecure' to the curl commands to get
> them to work (I know that's not recommended, but my initial aim is to get the
> integration working).
>
> I'm testing EST with the same firewall client that works with SCEP. I'm
> getting an 'allowuntrusted=false, cert=null' debug message on the client and
> the enrollment is failing, with no certs retrieved. Is there a way I can set
> allowuntrusted=true or, alternatively, how can I trust the client. I've
> looked in the .../est/default.yaml file but can't see anything obvious to
> tweak there.

The whole point of running a secure PKI is proper trust management. In order
for your use case to work properly you need to

- trust the Root Certificates of your PKI on all relying parties
- issue a web server certificate by your Issuing CA and deploy it on the
  OpenXPKI web server
- make sure that your web server is correctly configured and sends the
  certificate chain along with its end entity certificate

Cheers

Martin
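
The three points in the reply above, as an added example that is not part of the original thread or of OpenXPKI's tooling: it builds a throwaway Root CA, Issuing CA and web server certificate with `openssl`, then verifies the server certificate as a relying party that trusts only the root, once when the server sends its end entity certificate alone and once when it sends the chain. All names (`demo-root`, `est.example.test`, the function names) are assumptions made up for the demo.

```shell
# Constructed throwaway PKI: Root CA -> Issuing CA -> web server (all names made up).

make_demo_pki() {  # $1 = empty working directory
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:est.example.test
EOF
  for n in root issuing server; do  # one key and CSR per entity
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
      -subj "/CN=demo-$n" -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, root-signed Issuing CA, Issuing-CA-signed server certificate
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/demo.cnf" -extensions ca -out "$1/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/demo.cnf" -extensions ca \
    -out "$1/issuing.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/issuing.pem" -CAkey "$1/issuing.key" \
    -CAcreateserial -days 2 -extfile "$1/demo.cnf" -extensions srv \
    -out "$1/server.pem" 2>/dev/null
}

# The relying party trusts only the root ($1 = PKI directory). $2 is what the web
# server sends: "leaf-only" (its own certificate) or "with-chain" (plus Issuing CA).
chain_ok() {
  if [ "$2" = with-chain ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
      -verify_hostname est.example.test "$1/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" \
      -verify_hostname est.example.test "$1/server.pem" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || echo "could not build the demo PKI (is openssl installed?)"
for sent in leaf-only with-chain; do
  if chain_ok "$demo_dir" "$sent"; then echo "$sent: verified"; else echo "$sent: REJECTED"; fi
done
rm -rf "$demo_dir"
```

The leaf-only case is rejected even though the root is trusted, because the relying party has no way to build the path through the Issuing CA unless the server supplies it.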
