This section provides instructions on how to configure OpenXPKI CA version 2.5.x using Simple Certificate Enrollment Protocol (SCEP).
Notes:
Connect to the machine using PuTTY or another client.
From the client, run the
command to switch to the root user. Enter the root password.
In nano /etc/apt/sources.list, change the sources used for installing updates.
Update the file. For example:
#
# deb cdrom:[Debian GNU/Linux 8.11.1 _Jessie_ - Official amd64 CD Binary-1 20190211-02:10]/ jessie local main
# deb cdrom:[Debian GNU/Linux 8.11.1 _Jessie_ - Official amd64 CD Binary-1 20190211-02:10]/ jessie local main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

# jessie-updates, previously known as 'volatile'
# A network mirror was not selected during install. The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
deb http://ftp.debian.org/debian/ jessie-updates main
deb-src http://ftp.debian.org/debian/ jessie-updates main

deb http://ftp.us.debian.org/debian/ jessie main
Save the file.
Run the following commands:
Update the CA certificate lists in the server using
.Install the en_US.utf8 locale using
.Select the en_US.UTF-8 UTF-8 locale, and then make it the default locale for the system.
Check the locales that you have generated using
. The output is similar to the following:
C
C.UTF-8
en_IN
en_IN.utf8
en_US.utf8
POSIX
Copy the fingerprint of the OpenXPKI package using
. For this instance, copy the key to /home. Type
as the value. Run the following command:
Add the package using the
command. Add the repository to your source list (jessie) using
, and then . Install MySQL and the Perl MySQL binding using
.Install apache2.2-common using
.To install the fastcgi module, which speeds up the user interface, edit /etc/apt/sources.list in nano.
Add the
line in the file, and then save it.Run the following commands:
Enable the fastcgi module using
.Install the OpenXPKI core package using
.Restart the Apache server using
.Check whether the installation is successful using
.Create the empty database, and then assign the database user using
.Notes:
CREATE DATABASE openxpki CHARSET utf8;
CREATE USER 'openxpki'@'localhost' IDENTIFIED BY 'openxpki';
GRANT ALL ON openxpki.* TO 'openxpki'@'localhost';
FLUSH PRIVILEGES;
If the MySQL service is not running, then run
to start the service. Type
to exit from MySQL. Store the database credentials in /etc/openxpki/config.d/system/database.yaml:
debug: 0
type: MySQL
name: openxpki
host: localhost
port: 3306
user: openxpki
passwd: openxpki
Save the file.
To create the empty database schema, run
from the provided schema file. Enter the database password.
Unzip the sample script for installing the certificate using
.Run the script using
.Confirm the setup using
. The output is similar to the following:
=== functional token ===
scep (scep):
Alias     : scep-1
Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

vault (datasafe):
Alias     : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

ca-signer (certsign):
Alias     : ca-signer-1
Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2018-01-29 20:44:40

=== root ca ===
current root ca:
Alias     : root-1
Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
NotBefore : 2015-01-30 20:44:39
NotAfter  : 2020-01-30 20:44:39

upcoming root ca:
not set
Check whether the installation is successful using
. The output is similar to the following:
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Do the following to access the OpenXPKI server:
From a web browser, type
.Log in as Operator. The default password is
.Create one certificate request, and then test it.
To configure OpenXPKI CA manually, create the following:
Root CA certificate. For more information, see Creating a root CA certificate.
CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.
Data vault certificate, self-signed. For more information, see Creating a vault certificate.
SCEP certificate, signed by the signer certificate.
Notes:
For this instance, we are using the /etc/certs/openxpki_ca-one/ directory for certificate generation. However, you can use any directory.
Run the following command:
# x509_extensions = v3_ca_extensions
# x509_extensions = v3_issuing_extensions
# x509_extensions = v3_datavault_extensions
# x509_extensions = v3_scep_extensions
# x509_extensions = v3_web_extensions

# x509_extensions = v3_ca_reqexts # not for root self-signed, only for issuing
## x509_extensions = v3_datavault_reqexts # not required self-signed
# x509_extensions = v3_scep_reqexts
# x509_extensions = v3_web_reqexts

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
domainComponent = Domain Component
commonName = Common Name

[ v3_ca_reqexts ]
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyCertSign, cRLSign

[ v3_datavault_reqexts ]
subjectKeyIdentifier = hash
keyUsage = keyEncipherment
extendedKeyUsage = emailProtection

[ v3_scep_reqexts ]
subjectKeyIdentifier = hash

[ v3_web_reqexts ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ v3_ca_extensions ]
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE
authorityKeyIdentifier = keyid:always,issuer

[ v3_issuing_extensions ]
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE
authorityKeyIdentifier = keyid:always,issuer:always
crlDistributionPoints = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crl
authorityInfoAccess = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crt

[ v3_datavault_extensions ]
subjectKeyIdentifier = hash
keyUsage = keyEncipherment
extendedKeyUsage = emailProtection
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid:always,issuer

[ v3_scep_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer

[ v3_web_extensions ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:stlopenxpki.dhcp.indiadev.lexmark.com
crlDistributionPoints = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crl
authorityInfoAccess = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crt
Change the IP address and CA certificate name to match your setup.
Save the file.
Run the following command:
Type your password.
Save the file.
Run the following commands:
Run the following command:
Change the subject in the request with your CA information using
.Get the certificate signed by the root CA using
.Notes:
Run the following command:
Change the subject in the request with your CA information using
.Run the following command:
Run the following commands:
Copy the key files to /etc/openxpki/ca/ca-one/.
cp /etc/certs/openxpki_ca-one/ca-signer-1.key /etc/openxpki/ca/ca-one/
cp /etc/certs/openxpki_ca-one/vault-1.key /etc/openxpki/ca/ca-one/
cp /etc/certs/openxpki_ca-one/scep-1.key /etc/openxpki/ca/ca-one/
Create the symlink.
ln -s /etc/openxpki/ca/ca-one/ca-signer-1.key /etc/openxpki/ca/ca-one/ca-signer-1.pem
ln -s /etc/openxpki/ca/ca-one/scep-1.key /etc/openxpki/ca/ca-one/scep-1.pem
ln -s /etc/openxpki/ca/ca-one/vault-1.key /etc/openxpki/ca/ca-one/vault-1.pem
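The four certificates described above (root CA signs the signer, the signer signs the SCEP certificate, the vault certificate is self-signed) are easy to mix up when the openssl commands are run by hand, and an import with a wrong token type is only noticed once enrollment fails. The following check is an added example, not part of this guide or of OpenXPKI: it verifies the chain relationships and the CA flags of the generated certificates before they are imported. It assumes the files are named ca-root-1.crt, ca-signer-1.crt, scep-1.crt and vault-1.crt in one directory (for example /etc/certs/openxpki_ca-one/); make_sample_hierarchy builds a constructed, throwaway set so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a generated token set
# forms the hierarchy the guide describes (ca-root-1 signs ca-signer-1, which signs
# scep-1; vault-1 is self-signed) before it is imported. File names are assumed.
set -u

# Succeed if certificate $1 carries basicConstraints CA:$2 ($2 is TRUE or FALSE).
has_ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q "CA:$2"
}

# Succeed if certificate $1 is self-signed, i.e. its issuer DN equals its subject DN.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# Verify chain relations and CA flags for the tokens in directory $1.
verify_hierarchy() {
    d=$1
    openssl verify -CAfile "$d/ca-root-1.crt" "$d/ca-signer-1.crt" >/dev/null 2>&1 ||
        { echo "ca-signer-1 is not issued by ca-root-1"; return 1; }
    openssl verify -CAfile "$d/ca-root-1.crt" -untrusted "$d/ca-signer-1.crt" \
        "$d/scep-1.crt" >/dev/null 2>&1 ||
        { echo "scep-1 does not chain via ca-signer-1 to ca-root-1"; return 1; }
    is_self_signed "$d/vault-1.crt" || { echo "vault-1 is not self-signed"; return 1; }
    has_ca_flag "$d/ca-root-1.crt" TRUE || { echo "ca-root-1 lacks CA:TRUE"; return 1; }
    has_ca_flag "$d/ca-signer-1.crt" TRUE || { echo "ca-signer-1 lacks CA:TRUE"; return 1; }
    has_ca_flag "$d/scep-1.crt" FALSE || { echo "scep-1 must be CA:FALSE"; return 1; }
    has_ca_flag "$d/vault-1.crt" FALSE || { echo "vault-1 must be CA:FALSE"; return 1; }
    echo "token hierarchy in $d is consistent"
}

# Create certificate $2 in directory $1 with subject $3, signed by $4 ("self"
# for self-signed); the remaining arguments are the extension lines to apply.
mkcert() {
    dir=$1 name=$2 subj=$3 issuer=$4; shift 4
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf '%s\n' "$@" > "$dir/$name.ext"
    if [ "$issuer" = self ]; then sign="-signkey $dir/$name.key"
    else sign="-CA $dir/$issuer.crt -CAkey $dir/$issuer.key -CAcreateserial"; fi
    # $sign is left unquoted so that its words become separate options
    openssl x509 -req -in "$dir/$name.csr" $sign -days 1 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build a constructed, throwaway hierarchy in $1 with the same names and CA
# flags as the guide's openssl.cnf sections, so the check can run offline.
make_sample_hierarchy() {
    mkdir -p "$1"
    ca_bc="basicConstraints=critical,CA:TRUE"
    ca_ku="keyUsage=digitalSignature,keyCertSign,cRLSign"
    mkcert "$1" ca-root-1 "/DC=example/CN=Root CA" self "$ca_bc" "$ca_ku"
    mkcert "$1" ca-signer-1 "/DC=example/CN=Issuing CA" ca-root-1 "$ca_bc" "$ca_ku"
    mkcert "$1" scep-1 "/DC=example/CN=SCEP Server" ca-signer-1 "basicConstraints=CA:FALSE"
    mkcert "$1" vault-1 "/DC=example/CN=Data Vault" self "basicConstraints=CA:FALSE" \
        "keyUsage=keyEncipherment" "extendedKeyUsage=emailProtection"
}
```

Run verify_hierarchy against the directory holding the real certificates (the ca-two directory later in this guide works the same way) and import only when it reports the hierarchy as consistent.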
Import the root certificate, signer certificate, vault certificate, and SCEP certificate into the database with the appropriate tokens.
Run the following commands:
Check whether the import is successful using
. The output is similar to the following:
=== functional token ===
scep (scep):
Alias     : scep-1
Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

vault (datasafe):
Alias     : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

ca-signer (certsign):
Alias     : ca-signer-1
Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2018-01-29 20:44:40

=== root ca ===
current root ca:
Alias     : root-1
Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
NotBefore : 2015-01-30 20:44:39
NotAfter  : 2020-01-30 20:44:39

upcoming root ca:
not set
Run the
command. The output is similar to the following:
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Do the following to access the OpenXPKI server:
From a web browser, type
.Log in as Operator. The default password is
.Create one certificate request, and then test it.
Stop the OpenXPKI service using
.In nano /etc/openxpki/config.d/realm/ca-one/publishing.yaml, update the
section to the following:
class: Connector::Builtin::File::Path
LOCATION: /var/www/openxpki/CertEnroll/
file: "[% ARGS.0 %].crl"
content: "[% pem %]"
In nano /etc/openxpki/config.d/realm/ca-one/profile/default.yaml, update the following:
section
critical: 0
uri:
    - http://FQDN of the server/CertEnroll/[% ISSUER.CN.0 %].crl
    - ldap://localhost/[% ISSUER.DN %]
section
critical: 0
ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
ocsp: http://ocsp.openxpki.org/
Change the IP address and CA certificate name according to your CA server.
In nano /etc/openxpki/config.d/realm/ca-one/crl/default.yaml, do the following:
If necessary, update
and . Add
to the following section:
extensions:
    authority_info_access:
        critical: 0
        # ca_issuers and ocsp can be scalar or list
        ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
        #ocsp: http://ocsp.openxpki.org/
Change the IP address and CA certificate name according to your CA server.
Start the OpenXPKI service using
.Stop the Apache service using
.Create a CertEnroll directory for the CRL in the /var/www/openxpki/ directory.
Set openxpki as the owner of this directory, and then configure the permissions to let Apache read and execute, and other services to read only.
chown openxpki /var/www/openxpki/CertEnroll
chmod 755 /var/www/openxpki/CertEnroll
Add a reference to the Apache alias.conf file using
.After the
section, add the following:
Alias /CertEnroll/ "/var/www/openxpki/CertEnroll/"
<Directory "/var/www/openxpki/CertEnroll">
    Options FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
Add a reference in the apache2.conf file using nano /etc/apache2/apache2.conf.
Add the following in the
section:
<Directory /var/www/openxpki/CertEnroll>
    Options FollowSymlinks
    AllowOverride None
    Allow from all
</Directory>
Start the Apache service using
.Stop the OpenXPKI service using
.Install the openca-tools package using
.Start the OpenXPKI service using
.Test the service using any client, such as certnanny with SSCEP.
For automatic certificate requests, we are using the Signer on Behalf certificate feature of OpenXPKI.
Stop the OpenXPKI service using
.In nano /etc/openxpki/config.d/realm/ca-one/scep/generic.yaml, from the
section, add a rule for the subject name of the signer certificate:
rule1:
    # Full DN
    subject: CN=Markvision_.*
Notes:
Save the file.
Start the OpenXPKI service using
.Stop the OpenXPKI service using
.In nano /etc/openxpki/config.d/realm/ca-one/scep/generic.yaml, update the
section from:
eligible:
    initial:
        value@: connector:scep.generic.connector.initial
        args: '[% context.cert_subject_parts.CN.0 %]'
        expect:
            - Build
            - New
to the following:
eligible:
    initial:
        value: 1
        # value@: connector:scep.generic.connector.initial
        # args: '[% context.cert_subject_parts.CN.0 %]'
        # expect:
        #     - Build
        #     - New
Notes:
Save the file.
Start the OpenXPKI service using
.In OpenXPKI, you can configure multiple PKI structures in the same system. The following topics show how to create another realm for MVE named ca-two.
Copy the /etc/openxpki/config.d/realm/ca-one sample directory tree to a new directory (cp -avr /etc/openxpki/config.d/realm/ca-one /etc/openxpki/config.d/realm/ca-two) within the realm directory.
In /etc/openxpki/config.d/system/realms.yaml, update the following section:
# This is the list of realms in this PKI
# You only need to enable the realms which are visible on the server
ca-one:
    label: Verbose name of this realm
    baseurl: https://pki.example.com/openxpki/

#ca-two:
#    label: Verbose name of this realm
#    baseurl: https://pki.acme.org/openxpki/
to the following:
# This is the list of realms in this PKI
# You only need to enable the realms which are visible on the server
ca-one:
    label: CA-ONE
    baseurl: https://pki.example.com/openxpki/

ca-two:
    label: CA-TWO
    baseurl: https://pki.example.com/openxpki/
Save the file.
The following instructions show how to generate the signer certificate, vault certificate, and SCEP certificate. The root CA signs the signer certificate, and then the signer certificate signs the SCEP certificate. The vault certificate is self-signed.
Generate, and then sign the certificates. For more information, see Configuring OpenXPKI CA manually.
Copy the key files to /etc/openxpki/ca/ca-two/.
cp /etc/certs/openxpki_ca-two/ca-signer-1.key /etc/openxpki/ca/ca-two/
cp /etc/certs/openxpki_ca-two/vault-1.key /etc/openxpki/ca/ca-two/
cp /etc/certs/openxpki_ca-two/scep-1.key /etc/openxpki/ca/ca-two/
Create the symlink. Also, create a symlink for the root CA certificate.
ln -s /etc/openxpki/ca/ca-one/ca-root-1.crt /etc/openxpki/ca/ca-two/ca-root-1.crt
ln -s /etc/openxpki/ca/ca-two/ca-signer-1.key /etc/openxpki/ca/ca-two/ca-signer-1.pem
ln -s /etc/openxpki/ca/ca-two/scep-1.key /etc/openxpki/ca/ca-two/scep-1.pem
ln -s /etc/openxpki/ca/ca-two/vault-1.key /etc/openxpki/ca/ca-two/vault-1.pem
Import the signer certificate, vault certificate, and SCEP certificate into the database with the appropriate tokens for
. Run the following commands:
openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/ca-signer-1.crt --realm ca-two --issuer /etc/openxpki/ca/ca-two/ca-one-1.crt --token certsign
openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/scep-1.crt --realm ca-two --token scep
openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/vault-1.crt --realm ca-two --token datasafe
Check whether the import is successful using
. The output is similar to the following:
=== functional token ===
scep (scep):
Alias     : scep-1
Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

vault (datasafe):
Alias     : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

ca-signer (certsign):
Alias     : ca-signer-1
Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2018-01-29 20:44:40

=== root ca ===
current root ca:
Alias     : root-1
Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
NotBefore : 2015-01-30 20:44:39
NotAfter  : 2020-01-30 20:44:39

upcoming root ca:
not set
In this instance, the root CA information is the same for
and . If you changed the certificate key password during certificate creation, then update /etc/openxpki/config.d/realm/ca-two/crypto.yaml in nano.
Generate the CRLs for this realm. For more information, see Generating CRL information.
Publish the CRLs for this realm. For more information, see Configuring CRL accessibility.
Restart the OpenXPKI service using
. The output is similar to the following:
Stopping OpenXPKI
Stopping gracefully, 3 (sub)processes remaining...
DONE.
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Do the following to access the OpenXPKI server:
From a web browser, type
.Log in as Operator. The default password is
.The default realm SCEP endpoint is http://<ipaddress>/scep/scep. If you have multiple realms, then configure a unique SCEP endpoint (a separate configuration file) for each realm. In the following instructions, we use two PKI realms,
and . Copy the default configuration file using cp /etc/openxpki/scep/default.conf /etc/openxpki/scep/ca-one.conf.
In nano /etc/openxpki/scep/ca-one.conf, change the realm value to
.Create another configuration file using cp /etc/openxpki/scep/default.conf /etc/openxpki/scep/ca-two.conf.
In nano /etc/openxpki/scep/ca-two.conf, change the realm value to
.Restart the OpenXPKI service using
.The SCEP endpoints are the following:
—http://ipaddress/scep/ca-one
—http://ipaddress/scep/ca-two
If you want to differentiate between login credentials and default certificate templates for different PKI realms, then you may need advanced configuration.
By default, OpenXPKI allows only one active certificate with a given subject name at a time. However, when you enforce multiple named certificates, several active certificates with the same subject name must exist at the same time.
In /etc/openxpki/config.d/realm/REALM NAME/scep/generic.yaml, from the
section, change the value of from to .
Notes:
Restart the OpenXPKI service using
.By default, Apache listens on port 80. Change the default port number for OpenXPKI CA to avoid conflicts.
In /etc/apache2/ports.conf, add or modify a port. For example,
.In /etc/apache2/sites-enabled/000-default.conf, add or modify the
section to map the new port. For example, . Restart the Apache server using
.To check the status, run
. The OpenXPKI SCEP URL is now http://ipaddress:8080/scep/ca-one, and the web URL is http://ipaddress:8080/openxpki.
By default, OpenXPKI accepts requests without checking the challenge password. The certificate request is not rejected; instead, the CA and the CA administrator decide whether to approve or reject it. To avoid potential security issues, disable this behavior so that certificate requests that contain an invalid password are rejected immediately. In MVE, the challenge password is required only when generating the enrollment agent certificate.
In /etc/openxpki/config.d/realm/REALM NAME/scep/generic.yaml, from the
section, change the value of from to .
Notes:
Restart the OpenXPKI service using
.In /etc/openxpki/config.d/realm/REALM NAME/profile/I18N_OPENXPKI_PROFILE_TLS_SERVER.yaml, from the
section, change the value of to .
Notes:
Restart the OpenXPKI service using
.By default, OpenXPKI reads only the CN of the subject of the requesting certificate. The rest of the information, such as country, locality, and DC, is hard-coded. For example, if a certificate subject is
, , , , , , then after signing the certificate through SCEP, the subject is changed to , , .
In /etc/openxpki/config.d/realm/REALM NAME/profile/I18N_OPENXPKI_PROFILE_TLS_SERVER.yaml, from the
section, change the value of to the following:
CN=[% CN.0 %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %][% IF O %][% FOREACH entry = O %],O=[% entry %][% END %][% END %][% IF L %],L=[% L.0 %][% END %][% IF ST %],ST=[% ST.0 %][% END %][% IF C %],C=[% C.0 %][% END %][% IF DC %][% FOREACH entry = DC %],DC=[% entry %][% END %][% END %][% IF EMAIL %][% FOREACH entry = EMAIL %],EMAIL=[% entry %][% END %][% END %]
Save the file.
Create a file titled l.yaml in the /etc/openxpki/config.d/realm/REALM NAME/profile/template directory.
Add the following:
id: L
label: L
description: I18N_OPENXPKI_UI_PROFILE_L_DESC
preset: L
type: freetext
width: 60
placeholder: Kolkata
Save the file.
Create a file titled st.yaml in the /etc/openxpki/config.d/realm/REALM NAME/profile/template directory.
Add the following:
id: ST
label: ST
description: I18N_OPENXPKI_UI_PROFILE_ST_DESC
preset: ST
type: freetext
width: 60
placeholder: WB
Save the file.
Restart the OpenXPKI service using
.Access the OpenXPKI server.
From a web browser, type
.Log in as Operator. The default password is
.Click Workflow Search > Search now.
Click a certificate to revoke, and then click the certificate link.
From the Action section, click revocation request.
Type the appropriate values, and then click Continue > Submit request.
On the next page, approve the request. The certificate revocation takes effect with the next CRL publication.
From the PKI Operation section, click Issue a certificate revocation list (CRL).
Click Enforce creation of revocation lists > Continue.
From the PKI Operation section, click Publish CA/CRL.
Click Workflow Search > Search now.
Click the revoked certificate with a certificate_revocation_request_v2 type.
Click Force wake up.
In the new CRL, you can find the serial number and the revocation reason of the revoked certificate.