-
Notifications
You must be signed in to change notification settings - Fork 39
CA handler for OpenXPKI
grindsa edited this page Jul 23, 2023
·
4 revisions
This handler can be use to enroll certificates from OpenxPKI as ACME support seems to be available in a commercial version only.
Although a connection was already possible via the generic EST CA handler this handler should preferred as it supports revocation operations and provides the ability to specify a certifiate-profiles
- OpenXPKI with activated RPC server
- you'll also need:
- an RPC endpoint supporting
RequestCertificate
,RevokeCertificate
andSearchCertificate
as decribed in the example configuration - a client certificate and key in pem format to authenticate towards the OpenXPKI
- a certificate profile
- an RPC endpoint supporting
The OpenXPKI configuration needs to be adjusted to interoperate with acme2certifier
- acme2certifier expects a full key chain (including the root certififcate) to be delivered as part of the response of a
RequestCertificate
call. That means that you need to adjust theexport_certificate
parameter in the endpoint configuration file stored inconfig.d/realm.tpl/rpc/
policy:
export_certificate: fullchain
- Even though certificate polling is supported by configuring the
polling_timeout
parameter inacne_srv.cfg
it is recommended to skip manual or dual approval to ensure smooth enrollment operations. Thus, we recommend to set theapproval_points
parameter in the OpenXPKI endpoint configuration file stored inconfig.d/realm.tpl/rpc/
to "1"
policy:
approval_points: 1
- CSRs generated by some acme clients like certbot do not contain any subject name and get refused by OpenXPKI. We overcame this issue by modifying the OpenXPKI certificate profile stored in
config.d/realm.tpl/profile/
in a way that the first subject alternate name from the CSR will be used as common name. If you know a smarter way please let us know (we do not claim to be OpenXPKI experts)
style:
# rpc endpoint name, in our example "enroll"
enroll:
subject:
dn: CN=[% SAN_DNS.0 %]
- modify the acme2certifier configuration (
acme_srv.cfg
) and add the following parameters
[CAhandler]
handler_file: examples/ca_handler/openxpki_ca_handler.py
host: <URL>
client_key: <filename>
client_cert: <filename>
ca_bundle: <filename>
cert_profile_name: <name>
endpoint_name: <name>
polling_timeout: <seconds>
- host - URL of the OpenXPKI-server
- cert_file - certicate in PEM format used authenticate towards OpenXPKI - can be in either pem or pkcs12 format
- either: key_file - key file in PEM format used to authenticate towards OpenXPKI
- or: cert_passphrase - phassphrase to access the pkcs#12 container
-
or: cert_passphrase_variable - optional - name of the environment variable containing the cert_passphrase (a configured
cert_passphrase
parameter in acme_srv.cfg takes precedence) - ca_bundle - optional - ca certificate chain in pem format needed to validate the OpenXPKI-server certificate - can be True/False or a filename (default: True)
- cert_profile_name - name of the certificate profile
- polling_timeout - timeout in seconds for enrollment operations (default 0 - polling disabled)
- request_timeout - optional - requests timeout in seconds for requests (default: 5s)
Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the disclaimer section of our README file