From f.leprich at finestwebs.net Mon May 24 13:12:16 2021
From: f.leprich at finestwebs.net (Frank Leprich)
Date: Mon, 24 May 2021 13:12:16 +0200
Subject: [rs-users] mo_csr - how to send a csr over website
Message-ID: <5b978af820bb8a6d3806ef59cad6fa80@finestwebs.net>
Hi all,
I am trying to send a csr against the mod_csr over a website.
I can not figure out the right textarea name like "subject-*" (nid).
my form:
my request:
my apache conf:
CASimpleCertificate /etc/pki/ca/ca-root.pem
CASimpleKey /etc/pki/ca/ca-root.key.pub
CASimpleTime on
CASimpleSerialRandom on
CADiskCertificateSignRequestPath /etc/pki/ca/certs/
CADiskCertificateByTransactionPath /etc/pki/ca/certs/
CACRLCertificateRevocationList /etc/pki/ca/crl-root.pem
SetHandler crl
CrlEncoding der
SetHandler csr
# use subject from the certificate sign request unmodified
CsrSubjectRequest *
SetHandler ocsp
OcspSigningCertificate /etc/pki/ca/ocsp.pem
OcspSigningKey /etc/pki/ca/ocsp.key
SetHandler timestamp
TimestampSigningCertificate /etc/pki/ca/tsa.pem
TimestampSigningKey /etc/pki/ca/tsa.key
TimestampDigest SHA256
TimestampDefaultPolicy 0.4.0.2023.1.1
TimestampTsaName on
TimestampClockPrecisionDigits 0
CASimpleSerialRandom on
CASimpleTime on
ocsp and timestamp just work fine.
thanks for your help in advance.
Frank
--
Frank Leprich
Carl-Blechen-Str. 1
03226 Vetschau
From minfrin at redwax.eu Mon May 24 16:59:04 2021
From: minfrin at redwax.eu (Graham Leggett)
Date: Mon, 24 May 2021 16:59:04 +0200
Subject: [rs-users] mo_csr - how to send a csr over website
In-Reply-To: <5b978af820bb8a6d3806ef59cad6fa80@finestwebs.net>
References: <5b978af820bb8a6d3806ef59cad6fa80@finestwebs.net>
Message-ID: <0F892EF1-7C6A-440A-AA9E-22CADAB048D0@redwax.eu>
On 24 May 2021, at 13:12, Frank Leprich via rs-users wrote:
> I am trying to send a csr against the mod_csr over a website.
> I can not figure out the right textarea name like "subject-*" (nid).
>
> my form:
>
>
>
> SetHandler csr
> # use subject from the certificate sign request unmodified
> CsrSubjectRequest *
>
>
Can you confirm what happens if you specify an exact value rather than a wildcard, like this:
CsrSubjectRequest CN
In other words, after sending "subject-CN" in your form, does it get picked up?
I suspect the wildcard is not doing what it is supposed to.
Regards,
Graham
From f.leprich at finestwebs.net Mon May 24 21:04:52 2021
From: f.leprich at finestwebs.net (Frank Leprich)
Date: Mon, 24 May 2021 21:04:52 +0200
Subject: [rs-users] mo_csr - how to send a csr over website
In-Reply-To: <0F892EF1-7C6A-440A-AA9E-22CADAB048D0@redwax.eu>
References: <5b978af820bb8a6d3806ef59cad6fa80@finestwebs.net>
<0F892EF1-7C6A-440A-AA9E-22CADAB048D0@redwax.eu>
Message-ID: <2059a8d88414f18d94dd76c3f856098e@finestwebs.net>
Hey Graham,
I think the wildcard works, because the response includes the whole csr.
But I think I am getting further by studying the mod_csr source.
I am a Linux admin with PKI experience, not a C developer :)
Anyway, I hope to run the redwax project properly.
I configured this now:
SetHandler csr
# use subject from the certificate sign request unmodified
#CsrSubjectRequest *
CsrSubjectRequest CN
CsrParamPkcs10 csr
So the send gives:
Bad Request
Your browser sent a request that this server could not understand.
Disk: mod_ca frontend did not supply a transaction ID, it is required
How do I have to activate the transaction ID?
Regards,
Frank
On 2021-05-24 16:59, Graham Leggett wrote:
> On 24 May 2021, at 13:12, Frank Leprich via rs-users
> wrote:
>
>> I am trying to send a csr against the mod_csr over a website.
>> I can not figure out the right textarea name like "subject-*" (nid).
>>
>> my form:
>>
>
>>
>>
>> SetHandler csr
>> # use subject from the certificate sign request unmodified
>> CsrSubjectRequest *
>>
>>
>
> Can you confirm what happens if you specify an exact value rather than
> a wildcard, like this:
>
> CsrSubjectRequest CN
>
> In other words, after sending "subject-CN" in your form, does it get
> picked up?
>
> I suspect the wildcard is not doing what it is supposed to.
>
> Regards,
> Graham