Replies: 11 comments 17 replies
-
Hi, can you tell me the name of the CA? Is it a commercial product or rather something homegrown? Is there any chance to get access to a test system? Technically you have to create a new CA handler and extend the
-
Do you see any chance to capture the message flow in clear text and send me the SOAP calls going back and forth?
-
Thank you, that helps. Let me try to mock this over the weekend. Will try my best... Is there any authentication layer to be used?
-
I started to prototype a handler but I have a question: I read from the spec that we need to send the CSR as a "PKCS#7 signed PKCS#10 request". Who is expected to sign the request? I understand the purpose of signatures in case of cert renewals, which is by the way not possible as ACME clients do send CSRs in PKCS#10 format without attaching the existing cert (proof of possession is done via a different mechanism). But for new enrollments this signing operation is a bit unclear. Can you please clarify? Thx
-
ok. This makes sense... So the implementation will be in a way that the PKCS#10 CSR will be wrapped into a PKCS#7 construct, the client certificate from acme2certifier will be attached and the corresponding private key will be used to sign the message. Two other questions: Are you running acme2certifier in a Docker container? If so, which version? I am asking as I am looking for the best way to provide you development versions for testing...
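The wrapping described in the previous comment (PKCS#10 CSR as the content of a PKCS#7 SignedData, signed with the acme2certifier client key and carrying the client certificate) as an added example; this is not acme2certifier's own handler code. It assumes the `cryptography` package is installed, and the client key and certificate are generated here as a constructed, self-signed stand-in for whatever the handler would load from its configuration.

```python
"""Wrap a PKCS#10 CSR in a PKCS#7 SignedData signed by a client identity.

Added example, not acme2certifier's own code. Uses the `cryptography`
package; the client key/certificate are constructed (self-signed) here
instead of being read from the handler configuration.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def make_client_identity(common_name="acme2certifier-client"):
    """Constructed stand-in for the client certificate and key: a
    self-signed RSA certificate valid for one day."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_csr(common_name="server.example.test"):
    """Constructed PKCS#10 CSR standing in for the one an ACME client sends.
    The end-entity key never leaves this function; only the CSR matters here."""
    end_entity_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(end_entity_key, hashes.SHA256())
    )


def wrap_csr_in_pkcs7(csr, signer_cert, signer_key):
    """Return DER-encoded PKCS#7 SignedData whose content is the DER CSR,
    signed with the client key and carrying the client certificate so the
    CA can verify the signature against it."""
    csr_der = csr.public_bytes(serialization.Encoding.DER)
    builder = (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(csr_der)
        .add_signer(signer_cert, signer_key, hashes.SHA256())
    )
    # Binary: sign the DER bytes exactly as given (no text-mode line-ending
    # canonicalisation). Not passing DetachedSignature keeps the CSR embedded,
    # which is what a "PKCS#7 signed PKCS#10 request" means.
    return builder.sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary])


def attached_certificates(signed_der):
    """Certificates carried inside the PKCS#7 blob (the receiving CA uses
    these to check the signature)."""
    return pkcs7.load_der_pkcs7_certificates(signed_der)


def demo():
    """Build one signed request and return the pieces needed to inspect it."""
    key, cert = make_client_identity()
    csr = build_csr()
    signed = wrap_csr_in_pkcs7(csr, cert, key)
    der = serialization.Encoding.DER
    return {
        "signed_der": signed,
        "csr_der": csr.public_bytes(der),
        "client_cert_der": cert.public_bytes(der),
        "embedded_cert_ders": [c.public_bytes(der) for c in attached_certificates(signed)],
    }


if __name__ == "__main__":
    result = demo()
    print(len(result["signed_der"]), "bytes of PKCS#7 SignedData")
    print("CSR embedded:", result["csr_der"] in result["signed_der"])
    print("client cert attached:", result["client_cert_der"] in result["embedded_cert_ders"])
```

The signed DER blob is what would be placed into the SOAP request body; the two checks in `demo()` confirm that the CSR bytes are embedded unchanged and that the client certificate travels with the signature, which is the whole point of the wrapping for a first enrollment where the CA has no existing certificate to verify against.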
-
Another question. I need some examples of failed enrollments to implement proper error handling. Any chance to get some traces or extracts from the documentation of what error messages sent back to the client look like?
-
Ok. First version got uploaded and is ready for your testing. I uploaded an image for testing to Docker. You can install it with
You need to configure the handler as shown below:
Some more but basic documentation
Feel free to try it. I am interested in the outcome :-) If you have questions let me know...
-
I need to check in detail, but in principle it should be possible to use the OpenDNSSec SoftHSM and authenticate the access via PIN. However, I am wondering about the advantage of this over a solution storing the private key in an encrypted form in either PKCS#8 or PKCS#12 format and using a passphrase for authentication, which is much easier to implement. Other options would be to use a Docker secret or use a vault. Any thoughts on this?
-
That's a weird comment as a software HSM does not provide any benefit over an encrypted PKCS#8 file. I need to look into it but below some links with further information. https://www.howtoforge.com/tutorial/how-to-install-and-use-softhsm-on-ubuntu-1604-lts Can you feed the PIN via environment variable to the Docker container just to avoid messing around with the Kubernetes API? Sorry, I am not a k8s expert and this would ease things a lot...
-
No problem at all as I am on holidays as well. Let me give it a try in the next few days... Current plan is to add a few additional variables:

```
signing_script: /opt/signer/signer_TEST.sh
csr_path: /tmp/csr - filename will be a random value
signer_alias: no_default
config_variant: no_default
sleep_timer: 5
```
-
ok I modified the handler according to what we discussed before. The changes already made it into the devel branch; there is also a docker image available which can be installed via

```
[CAhandler]
handler_file: examples/ca_handler/pkcs7_soap_ca_handler.py
soap_srv: http://192.168.14.131:8888
ca_bundle: acme_srv/cmp2/ca_bundle.pem
profilename: Profile
email: grindsa@foo.bar
signing_script: /var/www/acme2certifier/volume/mock_signer.py
signing_user: signer
signing_interpreter: py # optional
signing_alias: alias
signing_csr_path: acme_srv/soap
signing_config_variant: cfg_variant
```

Give it a try and let me know how it goes...
-
Hi, I am new to Python and PKI and would like some advice please. I would like to deploy this ACME proxy against a CA I have already deployed and unfortunately it is without ACME. But unfortunately the only call it has is SOAP, see attached documentation below. Would it be possible to add an example of how to integrate this SOAP? Thank you very much in advance for your help, it will save me.
SOAP Interface:
Name: RequestCertificate () - It verifies the signed request in the PKCS7 format and, in case of successful verification, issues a certificate to the CA.
- Input: RequestCertificateInput
- Output: RequestCertificateResult
Input RequestCertificateInput
Attribute:
Output RequestCertificateResult
Attribute:
Thank you very much for any help