I'm trying to figure out how to configure OpenXPKI to use the EST protocol. Their homepage simply states "Native support for EST is provided," but some additional information or guidance would be appreciated if anyone has some good pointers or similar. I have found, for example, http://testrfc7030.com/ and I would like to configure OpenXPKI to provide the services offered by their test server.
Viewed 618 times
1 Answer
We are still new to OpenXPKI but we could successfully enroll certificates using EST using the following commands:
# Create a new Certificate Signing Request using a fixed configuration from file ~/ca/openssl.cnf
openssl req -config ~/ca/openssl.cnf -extensions srv_ext -nodes -newkey rsa:4096 -keyout newcert.key -out newcert.csr -outform DER
# base64-encode the DER CSR (EST expects the PKCS#10 body base64-encoded)
base64 newcert.csr > newcert.b64
# Here goes the EST request for certificate signing (-k disables TLS verification of the EST server; use --cacert <ca.pem> outside of testing)
curl https://localhost/.well-known/est/simpleenroll -k -s -o newcert.p7.enc --data @newcert.b64 -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64"
# Check the certificate manually (for me there were still some headers before the BEGIN CERTIFICATE part that I had to cut away)
base64 -d newcert.p7.enc | openssl pkcs7 -inform DER -print_certs -text -noout
# Convert the PKCS#7 response to PEM X.509 certificate(s)
base64 -d newcert.p7.enc | openssl pkcs7 -inform DER -print_certs -out newcert.pem
Sadly, I think the OpenXPKI documentation is very incomplete, especially when it comes to automation, which should be one of the core use cases nowadays.
We are currently trying to automate client certificate enrollment for VPN clients using Ansible.

sebisnow
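Added example, not code from the answer above or from OpenXPKI: a POSIX shell script that wraps the same simpleenroll flow, but fetches /cacerts first, verifies the EST server's TLS certificate against a pinned CA file instead of using curl -k, drops any header lines in front of the base64 body (the problem the answer mentions), and checks that the issued certificate chains to the published CA and matches the enrolled key. EST_URL, EST_TLS_CA and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not OpenXPKI's or the answer's code. Assumes curl and openssl
# on PATH; EST_URL and EST_TLS_CA below are constructed placeholder values.
set -eu
EST_URL="${EST_URL:-https://pki.example.com/.well-known/est}"   # hypothetical
EST_TLS_CA="${EST_TLS_CA:-/etc/ssl/est-server-ca.pem}"          # hypothetical

# Convert an EST response (base64 PKCS#7 certs-only, possibly preceded by
# MIME-style header lines as noted in the answer) into a PEM bundle, and
# print how many certificates it contained.
est_response_to_pem() {
  in="$1"; out="$2"
  # Base64 never contains ':', so any line with one is a header: drop it.
  grep -v ':' "$in" | tr -d '\r\n ' | openssl base64 -d -A \
    | openssl pkcs7 -inform DER -print_certs -out "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# RFC 7030 section 4.1: fetch the CA chain the EST server publishes; later
# steps verify the issued certificate against it.
est_cacerts() {   # $1 = output PEM
  curl -sSf --cacert "$EST_TLS_CA" "$EST_URL/cacerts" -o cacerts.b64
  est_response_to_pem cacerts.b64 "$1" >/dev/null
}

# RFC 7030 section 4.2: submit a DER CSR to /simpleenroll, then check that
# the returned certificate chains to /cacerts and matches the enrolled key.
est_simpleenroll() {   # $1 = CSR (DER), $2 = private key (PEM), $3 = output PEM
  openssl base64 -A -in "$1" -out csr.b64
  curl -sSf --cacert "$EST_TLS_CA" "$EST_URL/simpleenroll" \
    -H 'Content-Type: application/pkcs10' \
    -H 'Content-Transfer-Encoding: base64' \
    --data-binary @csr.b64 -o enroll.b64
  est_response_to_pem enroll.b64 "$3" >/dev/null
  openssl verify -CAfile cacerts.pem -untrusted "$3" "$3"
  [ "$(openssl x509 -in "$3" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ] || { echo "key mismatch" >&2; return 1; }
}

# Usage: sh est.sh enroll newcert.csr newcert.key newcert.pem
case "${1-}" in
  enroll) est_cacerts cacerts.pem; est_simpleenroll "$2" "$3" "$4" ;;
esac
```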