Hi Frederico,
From your previous mails it looks like you’ve ventured deep into extensive
workflow customizations with your OpenXPKI setup.
OpenXPKI is amazingly customizable, but proper and most importantly successful
workflow modeling requires a deeper understanding of the underlying principle
Hi,
> Hello Anyone can help here?
> Thank you
> From: Frederico Aranha Pimentel | CarMedialab
> Sent: Tuesday, September 17, 2024 9:36 PM
> To: openxpki-users@lists.sourceforge.net
> Subject: Notification stopped for enroll_approval_pending
> Hello everyone,
> I need your assistance with an
Hi Ralf,
> Hi, I'm using OpenXPKI Community Edition v3.28.2 and I am currently testing
> the issuing certificate rollover.
> For this purpose, ca-signer-1 and ca-signer-2 exist in the OpenXPKI. The
> queries via SCEP and EST lead to different results.
> The query via EST for CA certificates retu
Hi Stefan,
> OK. I found this section "authorized_signer" in the default.yaml file. When I
> disable that section I do not have a problem anymore.
>
> But, I don't like that solution. I would prefer to have a line there that
> works.
> I have a lot of device that will use their initial certifi
Scott,
> On 12.09.2024 at 11:49, Scott Thomas via OpenXPKI-users wrote:
>
> I am using this config:
>
> ca-signer:
> backend: OpenXPKI::Crypto::Backend::OpenSSL
> key: "label_SubCA"
> engine: PKCS11
> engine_section: |
> engine_id = pkcs11
> dynami
Hi,
> I've trouble removing certificates using openxpkiadm, see
> https://github.com/openxpki/openxpki/issues/920
>
> Are there alternatives or workarounds using openxpkicmd or openxpkicli? a
> last resort would be deleting the entries in the database (tables certificate,
> certificate_attribut
Hi,
> I think I know what's causing the observed behaviour.
>
> The cert 013C522BCC6F5A2B.crt was first imported in realm xca. If I try to
> import the same cert into realm prodxca it fails with "Cert already exists",
> despite the fact, I specified different realms. import With update=1 change
Hi,
> I have an issue with cert import.
>
> I have several realms defined, the 2 involved here are "xca" and "prodxca".
>
> If I import a cert into "prodxca" it gets imported into "xca" and I cannot
> figure out why:
>
> $ openxpkicli --realm prodxca --arg data="$(cat
> prodxca/import/013C522
Scott,
> We want to integrate Network HSM with OpenXPKI.
>
> We have tested the HSM with OpenSSL and PKCS11.
>
> Please guide me how we can integrate this in OpenXPKI ?
Refer to the HSM documentation for its setup.
There have been plenty of posts regarding PKCS#11 setup with OpenXPKI:
https:
Hi,
> I imported a cert with openxpkicli and tried to change metadata afterwards.
> the workflow failed because the validator global_system_id is missing:
>
> 2024/08/22 14:15:55 ERROR workflow_error exception thrown from
> [Workflow::Factory: 806; before: Workflow::Action: 51]: No validator wi
Hi,
> Is it possible to sign a CSR using the command lines?
> openxpkicli or openxpkicmd (not through REST API)?
Not unless you craft a workflow to provide you with the required functionality.
We don't consider this a useful feature, so it is not implemented. Use clca,
OpenSSL or Microsoft ADCS
Hi,
> Can someone help me or tell me which OCSP I can take. I read that one of
> EJBCA took it.
You can use any OCSP responder that either reads a standard CRL or accesses the
OpenXPKI database.
Personally I tried the EJBCA OCSP responder some time ago and I am not too fond
of it. It's a huge
Hi,
> I have found the same and as Oliver already mentioned, this has been broken
> for a long time. What I did to solve this issue was to use the information in
> the certificate itself. You can get the URL of the CRL from the certificate
> with a very simple script. The URL from the certifica
Andreas,
> I'm trying to test expiry notification test but I must do it wrong.
Yep.
> My idea was to the the cutoff_notafter from +60 days to +1 year;
>
> diff --git a/config.d/realm.tpl/report/expiry.yaml
> b/config.d/realm.tpl/report/expiry.yaml
> index 1ab0a1b..9a2de6e 100644
> --- a/config
Hi,
> When I create a web server certificate via WebGui and download it, a space is
> always created after the name. Example: test .local
Unable to reproduce. Works fine for me.
Cheers
Martin
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.so
> On 08.08.2024 at 13:18, Ali Danakiran wrote:
>
> Ali Danakiran wrote on Tue, 16 July 2024 at 15:34:
> Hey,
> When I create an SSL certificate, it always creates the file names with
> spaces. Example: sslkey .key always before period is a space. How do I get
> rid of it?
>
>
Hi,
>> I tried scep getcrl against the demosite but it didn't work:
>> abc.crt and abc.key have been generated on demo.openxpki.org beforehand.
>> root@pki:~/sscep-0.10.0# openssl x509 -noout -subject -in CA.pem-0
>> subject=CN = oxi-ce-demo.rackport.net:scep-ra
>> root@pki:~/sscep-0.10.0# ./sscep
Hi,
> One follow-up question: I saw the message only in debug=10, the WebUI simply
> says "wf_pause_msg: Backend Communication Error", instead of "No usable
> ca-signer found" or something like that.
> The message is a little bit misleading, at least for non-experts like me.
> Should I open an
Hi,
> I setup openxpki with HSM and the WebUI reports active encryption token
> vault-1, all tokens are shown as ONLINE.
>
> # openxpkiadm alias list
> === functional token ===
> vault (datasafe):
> Alias : vault-1
> Identifier: 87-reU8L8VIStmq-oj7IWlX6-ls
> NotBefore : 2024-08-05 14:54:3
Hi,
> I have also tried with this url and I get an invalid subject error:
>
> Error from scep.log:
> 2024/07/26 10:22:27 ERR Request was rejected:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SUBJECT_INVALID [pid=11670|ep=generic]
> 2024/07/26 10:22:27 WAR Client error / malformed request: badRequest
>
Hi,
> ./sscep getca -c tmp/cacert -u http://localhost/scep/scep
If you are using the default configuration from our community configuration
repository the SCEP URI should be
http://.../scep/generic
Best regards,
Martin
Hi,
> Just to confirm, is it possible to configure environment variable based
> password for LDAP? I couldn’t find mention of that in man-pages (or maybe
> I was looking in the wrong place).
The OpenXPKI configuration allows replacing any literal configuration entry
with the value returne
Hi Ralf,
> In my opinion, the delivery of all online certificates would be a good
> solution to make a rollover successful.
That is debatable. In our opinion Issuing CA certificates - in contrast to Root
CA certificates - should not be distributed to relying parties. Instead, end
entities shou
Hi Romina,
> I have recently started using openxpki and firstly I would like to thank you
> for the descriptive documentation. Since I am relatively new to the whole
> thing I would like to ask a few questions that I have not been able to find
> the answer to so far on the forum.
>
> I have fo
Hi,
> I am trying to install 2 instances of openxpki. For the first instance I
> followed the quicksetup in the docs and every thing is working fine:
> Root CA --> Signing CA (server 1) --> certificate
>
> For the second instance I would like to set it up in a way that it is under
> server 1 in
Hi,
> I would like to test the exchange of an issuing certificate.
> To do this, I have imported three valid issuing certificates into OpenXPKI
> (with token certsign).
> The call “sscep getca -u http://pki.dbmas/scep/generic -v -c dbmas-ca” only
> returns the first issuing certificate
> while
Hi,
> I agree with you, I am just a newbie in this whole world of PKI and I went
> for the easiest way to make it work at the beginning and then start from
> there to "make it right". Thanks for the heads up,
>
> You were right, just that all know what happened, the problems that I faced
> wa
James,
> I would like to add an I18N message to a custom profile.
>
> msgid "I18N_OPENXPKI_UI_PROFILE_HLL_MULTI_LABEL"
> msgstr "HLL Multi Purpose Profile"
>
> I have created a new openxpki.mo file using msgcat and msgfmt. I have moved
> the custom mo file into the en_US subdirectory of locale.
Hi,
> Does OpenXPKI support IP addresses as a SubjectAlternativename?
>
>
> On Fri, May 10, 2024 12:00, James B. Byrne wrote:
>
> How does one add an IP dotted quad as an alternate subject name when signing
> certificates? When added through the webui they appear as
> DNS:xxx.xxx.xxx.xxx.
>
Hi,
> I have created a csr using the elliptic curve secp256k1. When I copy this csr
> in the web interface and try to request a certificate, I get this error:
> "Used key parameter is not allowed by policy (curve_name: 1.3.132.0.10)"
>
> When I do the exact same thing but using the curve secp512
Hi,
> For authenticated EST the OpenXPKI documentation says: Use the UI to obtain a
> TLS Client certificate with the application name *pkiclient*
>
> I don't understand in which field of the X.509 certificate should the
> "application name" go.
Our default configuration ships with the followin
James,
> I generated a new csr from the private key:
>
> openssl req -new -key 2016002C.key -out 2016002C_20240507.csr
No, you regenerated the same CSR from the same private key.
> When I paste the entire .csr into openxpki webui I get this error:
>
>
> The uploaded key was found to be used a
Hi,
> How can the registration officer set the validity?
Well, click on "Edit Validity" on a PENDING request.
> How could I create a second profile most effectively? I know I need to
> expand the profile, but how should I configure it best?
Create a copy of the profile's YAML file for which
Ali,
> Thank you, but I have found my mistake
Would you mind sharing your experience so others can benefit from your
resolution in case they are facing a similar problem?
> Another question
> Is there a possibility under "realm/democa/profile/default" to select the
> validity between 1 year a
James,
> My question was imprecise. I had in mind a batch/cli type solution. After
> further research this is what I am attempting to use.
> openxpkicli --realm=hll_ca2016 get_private_key_for_cert \
> --param identifier='Lik1K_AGi-RDqOiNxjmptAh-4-w' \
> --param password='F990NCtO' \
>
James,
> I created csr where the option to create a private key was selected. How is
> the private key created for this csr exported from openxpki?
Click on the Certificate. Choose Action -> "Download private key/keystore
(PKCS12/PKCS8/Java)"
Martin
James,
> I have successfully imported an existing certificate into the hll_ca2016
> realm,
> finally.
>
> openxpkiadm certificate list -v -v --realm hll_ca2016 --all
>
> Certificates in hll_ca2016:
>
> Identifier: 76QCIA3aO9WOjkW6g2SAGQXoATI
> Subject:
> DC=ca,DC=harte-lyne,DC=hamilto
James,
> For the 'openxpkicli import_certificate' command there is an additional
> parameter named 'profile' which takes a string argument. Is this string a path
> to a file; or just the name of a file; or something else?
Well, it's the profile name...
In terms of the OpenXPKI configuration tree,
James,
> I have been struggling with the yaml profile mapping of certificate extensions
> to openxpki profiles. I need some examples or a profile node key legend to
> assist me in understanding how this works.
I think the example configuration in the configuration repository is pretty
self expla
James,
> There is no /var/www/ directory on FreeBSD as shipped. Instead the html root
> is /usr/local/www/. I created /usr/local/www/download/
>
> # ll -d /usr/local/www/download
> drwxr-xr-x 2 root wheel 2 Apr 4 12:39 /usr/local/www/download
>
...
>
> But still get the same result.
>
James,
> openxpkicli --realm hll_ca2016 --filearg data=hllcerts/20160001.pem
> import_certificate
> Error: Error while executing API command
> Attribute (data) does not pass the type constraint because: ''Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 538312705 (0x201
Hi,
> 5- I do get authenticated through basic auth AND through the certificates i'm
> passing to cURL.
> But I keep getting back the same certificate.
> No workflow is triggered.
> And in EST.log
> INF authenticated client DN: CN=same cn,DC=Test
> Deployment,DC=OpenXPKI,DC=org [pid=9
James,
> openxpkiadm alias \
> --realm "hll_ca2016" \
> --token certsign \
> --file /CA_HLL_ROOT_2016/certs/02.pem \
> --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256
This command
- imported 02.pem as the first (a "--generation 1" is implicit when you import
the very first token) signer tok
Hi James,
> This is the diff between the current config.d and the original before any
> changes were made.
>
> # git diff -G. hllv1.00 -- --follow config.d
> diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
> index 95614f5..bda48a1 100644
> --- a/config.d/realm.tpl/cr
Hi James,
> 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
> /var/tmp/openxpki28821VniVdpfp/openssl.cnf
> unable to load CA private key
> . . .
>
> I guess that this is the problem: unable to load CA private key
Yep.
> The realm was created using:
>
> openxpkiadm alias \
Hi James,
> __EXIT_STATUS__ => 256 == Searching for Openssl error codes the number 256
> comes up as related to an unsupported cipher. Where is the cypher being
> specified?
The exit status is shifted left by 8 bits by the execution wrapper in OpenXPKI,
so the actual return code is 256 >> 8 == 1
Hi,
> Is there also a possibility when I create certificates that the certificates
> are stored directly on the server on which openxpki is running?
Your question is not specific enough to let us understand what you actually
want to achieve, and for this reason the answer is a qualified "yes".
Hi,
> Could you tell me in which workflow I could define the fixed password?
Well, that's the workflow you are using for requesting the certificate, most
likely certificate_signing_request_v2
In this workflow you will find an activity which is conveniently called
generate_key...
Cheers
Marti
James,
On a Unix system, a user needs execute permission in order to enter a directory
(not read).
Cheers
Martin
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
Hi,
> I have discovered that my literal reading of README.md and the Quickstart
> guide
> led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
> /var/local/www/openxpki/ whereas it appears that I instead should have copied
> the contents thereof. This I have now done and I
Hi,
Some background information may be useful here:
When importing a certificate into the OpenXPKI database, the system tries to
build a certificate chain up to a known Root CA certificate. If no chain can be
built, import is refused (there are ways to override this, though).
For chain building
Hi Mark,
> I found the display names in "/etc/openxpki/contrib/i18n/en_US/openxpki.po"
> file and added a new entry for msgid
> "I18N_OPENXPKI_UI_PROFILE_TLS_SERVER_LABEL_5Y" with a msgstr of "TLS/Web
> Server (5 years)".
The translations in OpenXPKI are handled by Gnu Gettext.
The following
Hi Mark,
> root@certca:/var/www/openxpki# openxpkicmd --realm certca crl_issuance
> Workflow created (ID: 255), State: SUCCESS
>
> But When I get to the portion of Adding the Webclient, once again following
> the instructions, I do not see Apache start listening on port 443.
>
> root@certca:~#
Hi,
> I'm a bit further along now, I installed sscep via Github Link but now I get
> the error message:
> /sscep# ./sscep getca -c tmp/cacert -u http://domainorip/scep/scep
> ./sscep: cannot open cert file for writing
mkdir tmp
and retry.
Cheers
Martin
Hi,
> Thanks it mostly did the trick – but still some issues. It seems token
> rollover didn’t work. The crl issuance is trying to use casigner-1, but alias
> with current cert is for casigner-2.
> I also verified with openssl that crl issuance does work manually.
> Maybe this is a novice err
Hi,
> I noticed that the community edition has dependency to OpenSSL version 3. I
> was wondering if OpenSSL 1 works as well, or is OpenSSL 3 a hard
> requirement?
OpenXPKI supports both versions. The reason that the debian package depends on
OpenSSL 3 is that Debian ships this version by defaul
Hi,
> When I check with "openxpkiadm alias --realm ..." my CA signer, Vault and
> Root CA are displayed. Is that correct or not? Am I completely wrong or have
> I overlooked something?
Maybe it is correct, maybe it is not.
It is not possible to help you if you do not provide useful informatio
Hi
> I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0" CRL.
> On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is
> apparently offline.
local CRL issuance within a PKI Realm only works if the CA signer tokens of
this Realm are online, so make sure that
Happy New Year everyone!
> We are running a setup with OpenXPKI with a single Root CA (RSA private key)
> and a couple of intermediate/subordinate CA (all with EC private keys).
>
> Now we have hit a problem where a 3rd party product should act as a separate
> CA but still we want to maintain t
Hi Elias,
> After updating our Debian server from version 9 to 11 and also updating the
> OpenXPKI installation and configuration, I am encountering the following
> problem:
> openxpkictl[1592]: Please set database schema version! at
> /usr/share/perl5/OpenXPKI/Server/Init.pm line 291.
> Here i
Hi Maximillian,
> Having some trouble with a new openxpki install using the docker image. I've
> gotten most everything configured, but when I try to generate a CSR via the
> webui, I get the following error:
>
> Unexpected error
> This workflow was interrupted by an unexpected event, it will n
Hi Scott,
> Does OpenXPKI support Certificate Management over Cryptographic Message
> Syntax (CMC) ?
>
Yes, it does.
Cheers
Martin
Hi Jeremy,
> There is a draft RFC which proposes to add the capability to convey private
> key attestation to an enrollment server:
>
> https://www.ietf.org/archive/id/draft-ietf-lamps-key-attestation-ext-00.html
>
> This covers all protocols and all attestation sources. I have been working
>
Hi,
> Hi, does OpenXPKI have, or plan to have, support for the ACME protocol?
We are currently working on a native ACME interface implementation and we plan
to support ACME in the future.
Best regards,
Martin
Hi,
> Has anyone successfully configured OpenXPKI to run as a non-root user? I'm
> preparing an install for a hardened linux server. One of the requirements is
> additional packages need to run as non-root.
>
> I've made some changes in the openxpkid.service file as well as the
> system/serv
Hi Mike,
> Will OpenPKI meet all of our needs?
> Sempris needs a certificate management system, specifically for:
> 1. AWS Lambdas
> 2. Internal web sites
> 3. Various internal services
> The first (AWS) is the biggest challenge. We anticipate managing between
> 100-200 different certificates.
Hi,
> On 29.09.2023 at 04:08, Lixin Liu wrote:
>
> I am using RHEL system which is not officially supported. But from what I
> see, there are
> only very minor difference. I have these:
Just to clarify: The Community Edition is available as source code and packaged
for Debian. However, OpenX
Hi,
> we are planning to setup up an active/active system over two geo locations.
> Does anyone have experience with such a scenario and can share some best
> practices?
> We would otherwise be testing db replication or setting up different signing
> ca’s within the datacenters, but I would rather
Hi Chris,
> 2023/09/01 16:28:21 ERR Error creating backend client Error while writing to
> socket; __EVAL_ERROR__ => I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED;
> __ERROR__ => Permission denied, __SOCKETFILE__ =>
> /var/openxpki/openxpki.socket [pid=2305|sid=[undef]]
The OpenXPKI Web UI execu
Hi Chris,
> Hi, I'm reaching out to the community seeking assistance with an issue I've
> encountered during an integration process. Having recently upgraded my Apache
> web server to the latest version from source, I referred to the documentation
> and adjusted the openxpki.conf settings in al
Hi Thomas,
>> Hi Thomas,
>> invalid profile means that the NAME of the profile that the workflow tries
>> to issue does not exist or is not in the list of the allowed endpoint
>> profiles.
> Where to find the ‘list of the allowed endpoint profiles’?
In the profile_map section Enrollment Endpo
Hi,
> But I have an other question: is it possible to have an EST endpoint per
> realm?
OpenXPKI supports an arbitrary number of enrollment endpoints (EST, SCEP, RPC)
per PKI Realm. Each of those can have different enrollment policies.
Cheers
Martin
Hi Gabriel,
> I need to issue new realm certificates, both from ca-signer-1 and vault-1.
> Could you tell me what commands I should execute to issue the certificates.
If I understand you correctly you intend to perform a CA Rollover within your
PKI Realm, and you also wish to update the datasafe
Hi,
> I'm trying to issue a certificate using the default RPC configuration
> (RequestCertificate method) but a get :
> {
> "result": {
> "id": 3583,
> "proc_state": "finished",
> "state": "FAILURE",
> "data": {
> "transaction_id": "723c94cd1fba71e9
Hi,
> Thank you very much for the reply, I was wondering because the config did not
> change and everything worked smooth before the upgrade.
The semantics I posted have been in place and unchanged for a very long time,
and we did not change the relevant code portions recently, so the cause mig
Hi,
> We are using docker containers. At webui.log:
>
> 2023/05/19 08:34:20 ERR Error creating backend client Error while writing to
> socket; __EVAL_ERROR__ => I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED;
> __ERROR__ => Permission denied, __SOCKETFILE__ =>
> /var/openxpki/openxpki.socket [pid
Hi,
> We deployed the OpenXPKI DB on a separate remote MariaDB server and changed
> the details in /etc/openxpki/config.d/system/database.yaml
>
> The server daemon restarts successfully but the UI doesn't work. It is bound
> to the local DB. How can we change it?
The Web UI has its own separa
Dear OpenXPKI Users,
We are back! After having to cancel our last workshop due to the Covid 19
pandemic, we are thrilled to announce that the OpenXPKI user workshop is
finally happening again, and this time, it's going to be even better. We hope
this email finds you well, and you are just as ex
Hi,
> I am hitting another error when publishing a cert (to a local file). I see
> the cert file is written
> to local directory, but with a 777 permission which I think is wrong.
I observed a similar problem recently, if the file does not exist, it is
created with the system umask. If it
Hi,
> My further test shows that CDP works correctly if the directory is owned by
> openxpki user.
> Previously it was owned by apache user/group with group writeable permission.
> openxpki
> user is a member of apache group. This did not work. I am not sure why,
> likely because
> the perl module
Hi,
> Does software
> https://github.com/openxpki/clca
> depend on software
> https://github.com/openxpki/openxpki
> or does it conflict with the latter, if installed on the same host?
This is not a problem, both projects will work properly on the same system.
Cheers,
Martin
Hi,
> I am generating a cert from OpenXPKI UI with CSR but I get "Duplicate Key
> Error (Request)". Kindly guide me.
You uploaded a CSR which uses a key which has already been seen by your
OpenXPKI instance, hence "Duplicate Key Error". You need to generate a new
private key and a new certific
Hi,
> Is it possible to configure OpenXPKI SCEP enrollment for 2 different profiles
> e.g. TLS server and TLS client?
Sure it is. See the recent posts related to EST.
Cheers
Martin
Hi,
> I have only one CA, but is it possible to configure EST with 2 different
> profiles?
> I would like to setup one for User certs. and one for TLS server certs.
Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST,
SCEP and RPC endpoints.
Each endpoint has its own d
Hi,
> I have very little experience, and my scant use of English and documentation,
> I can't figure out how to renew an expired certificate, could you tell me how
> to renew the certificate, please.
The most straightforward way is to generate a new private key, a certificate
request from the
Hi,
> ***SNIP***
> I was adding a new certificate profile last week and had to add the new field
> template.
> For that new use case, the value for the field would always be the same. So
> I'd like to have this pre-filled when reaching the workflow step but still
> editable, if it needs to be c
Hi,
> As I know, openxpki supports PKCS#11 interface via OpenSC
> I'm making a Lab to implement a CA with signer key protected inside HSMs such
> as SmartCard-HSM or Nitrokey, in documentation there is an example for
> YubicoHSM but I don't get the full idea and the required steps,
> I tried to
Hi Mukilan,
> Does it mean that we can't ignore signature verification for CSR? I will
> explain the use case. We would like to modify the SubjectDN/SAN as part of
> our own policy while internal clients (devices, computers and etc) are
> raising certificate requests. The internal clients will
> I've an Active Directory for my domain users. Can I fetch users list from AD
> and request certificates on behalf of Active Directory users from OpenXPKI
> web interface?
You can do a lot of things with OpenXPKI, and the answer is probably yes.
Cheers
Martin
> Does OpenXPKI support certificate generation from Microsoft Active Directory?
This question does not make any sense.
Cheers
Martin
Hi,
> Does OpenXPKI have any feature to distribute public keys over all servers or
> not?
It eludes me why this might be necessary. In addition, OpenXPKI has no way of
knowing what "all servers" are.
However, OpenXPKI provides a configurable publishing operation which is
executed on every ce
Hi,
> I want to configure CRL (certificate revocation list) for EST protocol in
> openxpki 3.x server. I did it for SCEP protocol in openxpki 2.x. Can you
> please help me with the required steps for EST (e.g. Generating CRL
> information, Configuring CRL accessibility etc.)
>
> For your refe
Hi,
> The CLCA documentation https://github.com/openxpki/clca specifies to use the
> nCipher & Gemalto HSM as follows.
>
> # Define crypto engine to use. Supported values are
> # openssl - OpenSSL software only (private keys stored on disk)
> # chil - nCipher hardware
> # gem - Gema
> That sounds great. How we can setup BridgeCA in OpenXPKI?
You analyze your requirements, define a resulting PKI architecture and
implement it properly.
> Is it possible to store the CA key in OpenXPKI on AWS CloudHSM?
>
Yes.
> Is it possible to create a Bridge CA in OpenXPKI?
Yes.
Hi,
> You're right, certmonger seems to keep the same private key for renewal.
> So certmonger may not be useful as I read in the getcert man :
>
> -r automatically renews the certificate when its expiration date is close if
> the key pair already exists. This option is used by default.
>
> Ce
Hi,
> I am stuck in testing autorenew of scep requested certificates.
>
> This is my initial enrollment with certmonger :
> ```
> getcert request -c openxpki -f $certfolder/nginx2.crt -k
> $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L
> SecretChallenge
> ```
>
> On client s
Hi,
> Does OpenXPKI support CMP and 3GPP standards?
No, it does not.
Cheers
Martin