Skip to content

CA handler for OpenXPKI

grindsa edited this page Feb 11, 2023 · 4 revisions

Connecting to OpenXPKI

This handler can be use to enroll certificates from OpenxPKI as ACME support seems to be available in a commercial version only.

Although a connection was already possible via the generic EST CA handler this handler should preferred as it supports revocation operations and provides the ability to specify a certifiate-profiles

Prerequisites

OpenXPKI configuration

The OpenXPKI configuration needs to be adjusted to interoperate with acme2certifier

  • acme2certifier expects a full key chain (including the root certififcate) to be delivered as part of the response of a RequestCertificate call. Tjat means that you need to adjust the export_certificate parameter in the endpoint configuration file stored in config.d/realm.tpl/rpc/
policy:
      export_certificate: fullchain
  • Even though certificate polling is supported by configuring the polling_timeout parameter in acne_srv.cfgit is recommended to skip manual or dual approval to ensure smooth enrollment operations. Thus, we recommend to set the approval_points parameter in the OpenXPKI endpoint configuration file stored in config.d/realm.tpl/rpc/ to "1"
policy:
      approval_points: 1
  • CSRs generated by some acme clients like certbot do not contain any subject name and get refused by OpenXPKI. We overcame this issue by modifying the OpenXPKI certificate profile stored in config.d/realm.tpl/profile/ in a way that the first subject alternate name from the CSR will be used as common name. If you know a smarter way please let us know (we do not claim to be OpenXPKI experts)
style:
    # rpc endpoint name, in our example "enroll"
    enroll:
        subject:
            dn: CN=[% SAN_DNS.0 %]

Configuration

  • modify the acme2certifier configuration (acme_srv.cfg) and add the following parameters
[CAhandler]
handler_file: examples/ca_handler/openxpki_ca_handler.py
host: <URL>
client_key: <filename>
client_cert: <filename>
ca_bundle: <filename>
cert_profile_name: <name>
endpoint_name: <name>
polling_timeout: <seconds>
  • host - URL of the OpenXPKI-server
  • cert_file - certicate in PEM format used authenticate towards OpenXPKI
  • key_file - key file in PEM format used to authenticate towards OpenXPKI
  • ca_bundle - optional - ca certificate chain in pem format needed to validate the OpenXPKI-server certificate - can be True/False or a filename (default: True)
  • cert_profile_name - name of the certificate profile
  • polling_timeout - timeout in seconds for enrollment operations (default 0 - polling disabled)
  • request_timeout - optional - requests timeout in seconds for requests (default: 5s)

Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the disclaimer section of our README file

Clone this wiki locally