Connecting to OpenXPKI

This handler can be use to enroll certificates from OpenxPKI as ACME support seems to be available in a commercial version only.

Although a connection was already possible via the generic EST CA handler this handler should preferred as it supports revocation operations and provides the ability to specify a certifiate-profiles

Prerequisites

• OpenXPKI with activated RPC server
• you'll also need:
  • an RPC endpoint supporting RequestCertificate, RevokeCertificate and SearchCertificate as decribed in the example configuration
  • a client certificate and key in pem format to authenticate towards the OpenXPKI
  • a certificate profile

OpenXPKI configuration

The OpenXPKI configuration needs to be adjusted to interoperate with acme2certifier

• acme2certifier expects a full key chain (including the root certififcate) to be delivered as part of the response of a RequestCertificate call. That means that you need to adjust the export_certificate parameter in the endpoint configuration file stored in config.d/realm.tpl/rpc/

policy:
      export_certificate: fullchain

• Even though certificate polling is supported by configuring the polling_timeout parameter in acne_srv.cfgit is recommended to skip manual or dual approval to ensure smooth enrollment operations. Thus, we recommend to set the approval_points parameter in the OpenXPKI endpoint configuration file stored in config.d/realm.tpl/rpc/ to "1"

policy:
      approval_points: 1

• CSRs generated by some acme clients like certbot do not contain any subject name and get refused by OpenXPKI. We overcame this issue by modifying the OpenXPKI certificate profile stored in config.d/realm.tpl/profile/ in a way that the first subject alternate name from the CSR will be used as common name. If you know a smarter way please let us know (we do not claim to be OpenXPKI experts)

style:
    # rpc endpoint name, in our example "enroll"
    enroll:
        subject:
            dn: CN=[% SAN_DNS.0 %]

• acme2certifier will issue certificates on behalf of the end nodes. This needs to be allowed in OpenXPKI. Please see more info on enroll modes (especially Signer on Behalf section) here: Enrollment Workflow. For this, you will need to set the client certificate as an authorized_signer for your RPC endpoint. You can set this in config.d/realm.tpl/rpc/enroll.yaml:

authorized_signer:
    rule1:
        # Full DN
        subject: CN=cn-of-your-client-cert-here(?:,.+|$)

Configuration

• modify the acme2certifier configuration (acme_srv.cfg) and add the following parameters

[CAhandler]
handler_file: examples/ca_handler/openxpki_ca_handler.py
host: <URL>
client_key: <filename>
client_cert: <filename>
ca_bundle: <filename>
cert_profile_name: <name>
endpoint_name: <name>
polling_timeout: <seconds>

• host - URL of the OpenXPKI-server
• cert_file - certicate in PEM format used authenticate towards OpenXPKI - can be in either pem or pkcs12 format
• either: key_file - key file in PEM format used to authenticate towards OpenXPKI
• or: cert_passphrase - phassphrase to access the pkcs#12 container
• or: cert_passphrase_variable - optional - name of the environment variable containing the cert_passphrase (a configured cert_passphrase parameter in acme_srv.cfg takes precedence)
• ca_bundle - optional - ca certificate chain in pem format needed to validate the OpenXPKI-server certificate - can be True/False or a filename (default: True)
• cert_profile_name - name of the certificate profile
• polling_timeout - timeout in seconds for enrollment operations (default 0 - polling disabled)
• request_timeout - optional - requests timeout in seconds for requests (default: 5s)

Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the disclaimer section of our README file