Managing certificates using OpenXPKI Certificate Authority through EST

This section helps user to configure OpenXPKI CA version 3.x.x using EST protocol..

Configuring OpenXPKI CA

Installing OpenXPKI CA

Connect the machine using PuTTY or another client.
From the client, run the sudo su - command to go to the root user.
Enter the root password.
In nano /etc/apt/sources.list , change the source for installing the updates.

Update the file. For example:

#

# deb cdrom:[Debian GNU/Linux testing _Buster_ - Official Snapshot amd64 DVD Binary-1 20190527-04:04]/ buster contrib main
# deb cdrom:[Debian GNU/Linux testing _Buster_ - Official Snapshot amd64 DVD Binary-1 20190527-04:04]/ buster contrib main

deb http://security.debian.org/debian-security buster/updates main contrib
deb-src http://security.debian.org/debian-security buster/updates main contrib

# buster-updates, previously known as 'volatile'
# A network mirror was not selected during install. The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
deb http://ftp.debian.org/debian/ buster-updates main
deb-src http://ftp.debian.org/debian/ buster-updates main
deb http://ftp.us.debian.org/debian/ buster main

Save the file.
Run the following commands:
- apt-get update
- apt-get upgrade
Update the CA certificate lists in the server using apt-get install ca-certificates .
Install en_US.utf8 locale using dpkg-reconfigure locales .
Select the en_US.UTF-8 UTF-8 locale, and then make it the default locale for the system.

Note: Use the Tab and spacebar keys for selecting and navigating the menu.
Check the locales that you have generated using locale –a .

Sample output
```
C
C.UTF-8
en_IN
en_IN.utf8
en_US.utf8
POSIX
```
Copy the fingerprint of the OpenXPKI package using nano /home/Release.key . For this instance, copy the key in /home .
Type 55D89776 006F632B E0196E3E D2495509 BAFDDC74 22FEAAD2 F055074E 0FE3A724 as the value.
Run the following command:

gpg --print-md sha256 /home/Release.key
Add the package using the wget https://packages.openxpki.org/v3/debian/Release.key -O - | apt-key add - command.
Add the repository to your source list (buster) using echo " deb http://packages.openxpki.org/v3/debian/ buster release" > /etc/apt/sources.list.d/openxpki.list , and then apt update .
Install MySQL and Perl MySQL binding using apt install mariadb-server libdbd-mariadb-perl .
Install apache2.2-common using apt install apache2 .
In nano /etc/apt/sources.list , install the fastcgi module to speed up the user interface.

Note: We recommend using mod_fcgid .
Add the deb http://http.us.debian.org/debian/ buster main line in the file, and then save it.
Run the following commands:

apt-get update

apt install libapache2-mod-fcgid
Enable the fastcgi module using a2enmod fcgid .
Install the OpenXPKI core package using apt install libopenxpki-perl openxpki-cgi-session-driver openxpki-i18n .
Restart the Apache server using service apache2 restart .
Check whether the installation is successful using openxpkiadm version .

Note: If the installation is successful, then the system shows the version of the installed OpenXPKI. For example, Version (core): 3.18.2 .
Create the empty database, and then assign the database user using mariadb -u root -p .

Notes:
- This command must be typed in the client. Otherwise, you cannot enter the password.
- Type the password for the MySQL. For this instance, root is the MySQL user.
- openxpki is the user on which OpenXPKI is installed.
```
CREATE DATABASE openxpki CHARSET utf8; 
CREATE USER 'openxpki'@'localhost' IDENTIFIED BY 'openxpki';
GRANT ALL ON openxpki.* TO 'openxpki'@'localhost';
flush privileges;
```
If the MySQL service is not running, then run /etc/init.d/mysql start to start the service.
Type quit to exit from MySQL.
Store the used credentials in /etc/openxpki/config.d/system/database.yaml .

Sample file content
```
main:
debug: 0
type: MariaDB
name: openxpki
host: localhost
port: 3306
user: openxpki 
passwd: openxpki
```
Note: Change user and passwd to match the MariaDB user name and password.
Save the file.
For empty database schema, run zcat /usr/share/doc/libopenxpki-perl/examples/schema-mariadb.sql.gz | \ mysql -u root --password --database openxpki from the provided schema file.
Type the password for the database.

Configuring OpenXPKI CA using the default script

Note: The default script configures only the default realm, ca-one . The CDP and CRLs are not configured.

Run the script using bash /usr/share/doc/libopenxpki-perl/examples/sampleconfig.sh .

Confirm the setup using openxpkiadm alias --realm democa .

Sample output

=== functional token ===
scep (scep):
Alias    : scep-1
Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

vault (datasafe):
Alias    : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

ca-signer (certsign):
Alias    : ca-signer-1
Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2018-01-29 20:44:40

=== root ca ===
current root ca:
Alias     : root-1
Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
NotBefore : 2015-01-30 20:44:39
NotAfter  : 2020-01-30 20:44:39

upcoming root ca:
  not set

Check whether the installation is successful using openxpkictl start .

Sample output
```
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
```
Do the following to access the OpenXPKI server:
1. From a web browser, type http://ipaddress/openxpki/ .
2. Add the user name and their corresponding passwords in a userdb.yaml file. To add the user name and the password, do the following:
  - Check out to /home/pkiadm , and then nano userdb.yaml .
  - Paste the following:
```
estRA:  
       digest:"{ssha256}somePassword”
       role: RA Operator
```
    Note: In this instance, estRA refers to the user name. To generate the password, type openxpkiadm hashpwd . When a message asking for the password and a ssha256 encrypted password appears, copy and paste it to the digest of any user.
  Note: The available roles in the Operator login are RA Operator, CA Operator, and user.
Enter the user name and password.
Create one certificate request, and then test it.

Configuring OpenXPKI CA manually

Overview

Note: Before you begin, make sure that you have a basic knowledge on creating OpenSSL certificates.

To configure OpenXPKI CA manually, create the following:

Root CA certificate. For more information, see Creating a root CA certificate .
CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate .
Data vault certificate, self-signed. For more information, see Creating a vault certificate .
Web certificate, signed by the signer certificate. For more information, see Setting up the webserver .

Notes:

When selecting the signature hash, use either SHA256 or SHA512.
Changing the public key size is optional.

For version 3.10 or later, you can manage the keys directly using the openxpkiadm alias command:

Run mkdir -p /etc/openxpki/local/keys to create the directory. The default location of the directory is /etc/openxpki/local/keys .
Run openxpkictl start to start the server.

For this instance, we are using the /etc/certs/openxpki_democa/ directory for certificate generation. However, you can use any directory.

Creating an OpenSSL configuration file

The OpenSSL configuration file contains X.509 extensions for generating and signing certificate requests.

Run the following command:

nano /etc/certs/openxpki_democa/openssl.conf

Note: If your server is reachable using the fully qualified domain name (FQDN), then use the DNS of the server instead of its IP address.

Sample file

# x509_extensions               = v3_ca_extensions
# x509_extensions               = v3_issuing_extensions
# x509_extensions               = v3_datavault_extensions
# x509_extensions               = v3_scep_extensions
# x509_extensions               = v3_web_extensions
# x509_extensions               = v3_ca_reqexts # not for root self-signed, only for issuing
## x509_extensions              = v3_datavault_reqexts # not required self-signed
# x509_extensions               = v3_scep_reqexts
# x509_extensions               = v3_web_reqexts

[ req ]
default_bits            = 4096
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
domainComponent         = Domain Component
commonName              = Common Name

[ v3_ca_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign

[ v3_datavault_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = keyEncipherment
extendedKeyUsage        = emailProtection

[ v3_scep_reqexts ]
subjectKeyIdentifier    = hash

[ v3_web_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth

[ v3_ca_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign
basicConstraints        = critical,CA:TRUE
authorityKeyIdentifier  = keyid:always,issuer

[ v3_issuing_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign
basicConstraints        = critical,CA:TRUE
authorityKeyIdentifier  = keyid:always,issuer:always
crlDistributionPoints   = URI:https://FQDN of your system/openxpki/CertEnroll/MYOPENXPKI.crl
authorityInfoAccess     = caIssuers;URI:https://FQDN of your system/download/MYOPENXPKI.crt

[ v3_datavault_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = keyEncipherment
extendedKeyUsage        = emailProtection
basicConstraints        = CA:FALSE
authorityKeyIdentifier  = keyid:always,issuer

[ v3_scep_extensions ]
subjectKeyIdentifier    = hash
basicConstraints        = CA:FALSE
authorityKeyIdentifier  = keyid,issuer

[ v3_web_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
basicConstraints        = critical,CA:FALSE
subjectAltName          = DNS:FQDN of est server
crlDistributionPoints   = URI:https://FQDN of your system/openxpki/CertEnroll/MYOPENXPKI_ISSUINGCA.cr
authorityInfoAccess     = caIssuers;URI:https://FQDN of your system/download/MYOPENXPKI_ISSUINGCA.crt

Replace the IP address and CA certificate name with your setup information.
Save the file.

Creating a root CA certificate

You can create a self-signed root CA certificate, or generate a certificate request and then get it signed by the root CA.

Note: Replace the key length, signature algorithm, and certificate name with the appropriate values.

Run the following command:

openssl genrsa -out /etc/certs/openxpki_democa/ca-root-1.key -passout file:/etc/certs/openxpki_democa/pd.pass 4096
Replace the subject in the request with your CA information using openssl req -new -key /etc/certs/openxpki_democa/ca-root-1.key -out /etc/certs/openxpki_democa/ca-root-1.csr .
Get the certificate signed by the root CA using openssl req -config /etc/certs/openxpki_democa/openssl.conf -extensions v3_ca_extensions - x509 -days 3560 -in /etc/certs/openxpki_democa/ca-root-1.csr -key /etc/certs/openxpki_democa/ca-root-1.key -out /etc/certs/openxpki_democa/ca-root-1.crt - sha256 .
Go to /etc/certs/openxpki_democa/ where ca-root-1.crt is saved.
Run the following command:

openxpkiadm certificate import --file ca-root-1.crt

Creating a signer certificate

Note: Replace the key length, signature algorithm, and certificate name with the appropriate values.

Run the following command:

openssl genrsa -out /etc/certs/openxpki_democa/ca-signer-1.key -passout file:/etc/certs/openxpki_democa/pd.pass 4096
Replace the subject in the request with your CA information using openssl req -config /etc/certs/openxpki_democa/openssl.conf -reqexts v3_ca_reqexts -new -key /etc/certs/openxpki_democa/ca-signer-1.key -subj /DC=COM/DC=LEXMARK/DC=DEV/DC=CA-ONE/CN=MYOPENXPKI_ISSUINGCA -out / etc/certs/openxpki_democa/ca-signer-1.csr .
Get the certificate signed by the root CA using openssl x509 -req -extfile /etc/certs/openxpki_democa/openssl.conf -extensions v3_issuing_extensions -days 3650 -in /etc/certs/openxpki_democa/ca-signer-1.csr -CA /etc/certs/openxpki_democa/ca-root-1.crt -CAkey /etc/certs/openxpki_democa/ca-root-1.key -CAcreateserial -out /etc/certs/openxpki_democa/ca-signer-1.crt -sha256 .
Run the following command:

openxpkiadm alias --realm democa --token certsign --file ca-signer-1.crt --key ca-signer-1.key

Setting up the webserver

Run the following commands:

a2enmod ssl rewrite headers

a2ensite openxpki

a2dissite 000-default default-ssl

mkdir -m755 -p /etc/openxpki/tls/chain

cp /etc/certs/openxpki_democa/ca-root-1.crt /etc/openxpki/tls/chain/

cp /etc/certs/openxpki_democa/ca-signer-1.crt /etc/openxpki/tls/chain/

c_rehash /etc/openxpki/tls/chain/

mkdir -m755 -p /etc/openxpki/tls/endentity

mkdir -m700 -p /etc/openxpki/tls/private

cp /etc/certs/openxpki_democa/web-1.crt /etc/openxpki/tls/endentity/openxpki.crt

cat /etc/certs/openxpki_democa/ca-signer-1.crt >> /etc/openxpki/tls/endentity/openxpki.crt

openssl rsa -in /etc/certs/openxpki_democa/web-1.key -passin file:/etc/certs/openxpki_democa/pd.pass -out /etc/openxpki/tls/private/openxpki.pem

chmod 400 /etc/openxpki/tls/private/openxpki.pem
Restart the Apache service using apache2 restart .

Run the following command to check the successful import of the files:

openxpkiadm alias --realm democa

Sample output

=== functional token ===
ca-signer (certsign):
  		Alias     : ca-signer-2
  		Identifier: XjC6MPbsnyfLZkI9Poi9vm4Z5rk
 		 NotBefore : 2022-04-06 10:03:01
  		NotAfter  : 2032-04-03 10:03:01

vault (datasafe):
  		Alias     : vault-2
  		Identifier: G8ekluAsskGVC0N-jZhB2n9kvdM
  		NotBefore : 2022-04-06 09:53:57
  		NotAfter  : 2025-04-10 09:53:57

scep (scep):
  		not set

ratoken (cmcra):
  		not set

=== root ca ===
current root ca:
  		Alias     : root-2
  		Identifier: prTHU5vCfcJuCnQWyb5wUknvXQM
  		NotBefore : 2022-04-06 09:40:27
  		NotAfter  : 2032-01-04 09:40:27

Starting OpenXPKI

Run the openxpkictl start command.

Sample output

Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.

Access the OpenXPKI server:
1. From a web browser, type http://ipaddress/openxpki/ .
2. Add the user names and corresponding passwords in a userdb.yaml file:
  - Check out to /home/pkiadm and then to nano userdb.yaml .
  - Paste the following:
```
estRA:  
       digest:"{ssha256}somePassword”
       role: RA Operator
```
    Note: Here estRA refers to the user name.
  - To generate the password, type openxpkiadm hashpwd . A message showing the password and an ssha256 encrypted password appears.
  - Copy the password, and then paste it in the digest of any user.
  Note: The Operator login has two preconfigured available roles: RA Operator, CA Operator, and user.
Type the user name and password.
Create one certificate request, and then test it.

Generating CRL information

Note: If your server is reachable using the FQDN, then use the DNS of the server instead of its IP address.

Stop the OpenXPKI service using openxpkictl stop .
In nano /etc/openxpki/config.d/realm/democa/publishing.yaml , update the connectors: cdp section to the following:
```
class: Connector::Builtin::File::Path
LOCATION: /var/www/openxpki/CertEnroll/
file: "[% ARGS.0 %].crl"
content: "[% pem %]"
```
1. In nano /etc/openxpki/config.d/realm/democa/profile/default.yaml , update the following:
  - crl_distribution_points: section
```
critical: 0
uri:
    - https://FQDN of the est/openxkpi/CenrtEnroll/[% ISSUER.CN.0 %].crl
    - ldap://localhost/[% ISSUER.DN %]
```
  - authority_info_access: section
```
critical: 0
ca_issuers: http://FQDN of the est/download/MYOPENXPKI.crt
ocsp: http://ocsp.openxpki.org/
```
  Change the IP address and CA certificate name according to your CA server.
  
  Note: The authority_info_access (AIA) path is saved in the Download folder, but you can set the location according to your preference.
2. In nano /etc/openxpki/config.d/realm/democa/crl/default.yaml , do the following:
  - If necessary, update nextupdate and renewal .
  - Add ca_issuers to the following section:
```
extensions:
    		authority_info_access:
        			critical: 0
        			# ca_issuers and ocsp can be scalar or list
        			ca_issuers: https://FQDN of the est/download/MYOPENXPKI.crt
       			#ocsp: http://ocsp.openxpki.org/
```
    Change the IP address and CA certificate name according to your CA server.
Start the OpenXPKI service using openxpkictl start .

Publishing CRL information

After creating the CRLs, you must publish them to be accessed by all.

Stop the Apache service using service apache2 stop .
Create a CertEnroll directory for the CRL in the /var/www/openxpki/ directory.
Set openxpki as the owner of this directory, and then configure the permissions to let Apache read and execute, and other services to read only.

chown openxpki /var/www/openxpki/CertEnroll

chmod 755 /var/www/openxpki/CertEnroll
Add a reference to the Apache alias.conf file using nano /etc/apache2/mods-enabled/alias.conf .

After the <Directory "/usr/share/apache2/icons"> section, add the following:

        	Alias /CertEnroll/ "/var/www/openxpki/CertEnroll/"
         	<Directory "/var/www/openxpki/CertEnroll">
               Options FollowSymlinks
               AllowOverride None
               Require all granted
         	</Directory>

Add a reference in the apache2.conf file using nano /etc/apache2/apache2.conf .

Add the following in the Apache2 HTTPD server section:

         	<Directory /var/www/openxpki/CertEnroll>
               Options FollowSymlinks
               AllowOverride None
               Allow from all
         	</Directory>

Start the Apache service using service apache2 start .

Creating a second realm

In OpenXPKI, you can configure multiple PKI structures in the same system. The following topics show how to create another realm for MVE named democa-two .

Copying and setting the directory

Create a directory, namely democa2 , for the second realm inside /etc/openxpki/config.d/realm .
Copy the /etc/openxpki/config.d/realm/ca-one sample directory tree to a new directory ( cp -r /etc/openxpki/config.d/realm.tpl/*/etc/openxpki/config.d/realm/democa2 ) within the realm directory.

In /etc/openxpki/config.d/system/realms.yaml , update the following section:

Old content

# This is the list of realms in this PKI
# You only need to enable the realms which are visible on the server

democa:
    label: Verbose name of this realm
    baseurl: https://pki.example.com/openxpki/

#democa2:
#    label: Verbose name of this realm
#    baseurl: https://pki.acme.org/openxpki/

New content

# This is the list of realms in this PKI
# You only need to enable the realms which are visible on the server

democa:
    label: Example.org Demo CA
    baseurl: https://pki.example.com/openxpki/

democa2:
    label: Example.org Demo CA2
    baseurl: https://pki.example.com/openxpki/

Save the file.

Configuring EST endpoint for multiple realms

You can configure the EST endpoint with a tuple composed of the authority portion of the URI and the optional label (for example, www.example.com:80 and arbitraryLabel1). In the following instructions, we use two PKI realms, democa and democa2 .

Copy the default configuration file in cp /etc/openxpki/est/default.conf /etc/openxpki/est/democa.conf .

Note: Name the file as democa.conf .
In nano /etc/openxpki/est/democa.conf , change the realm value to realm=democa .

Note: According to your needs, you may need to uncomment the corresponding lines for the simpleenroll , simplereenroll , csrattrs , and cacerts sections. Keep the environment sections commented. Do the same for default.conf .
Create another configuration file in cp /etc/openxpki/est/default.conf /etc/openxpki/est/democa2.conf .

Note: Name the file as democa2.conf .
In nano /etc/openxpki/est/democa2.conf , change the realm value to realm=democa2 .

Note: According to your needs, you may need to uncomment the corresponding lines for the simpleenroll , simplereenroll , csrattrs , and cacerts sections. Keep the environment sections commented.
Copy the default.yaml file in the following locations:
- cp /etc/openxpki/config.d/realm/democa/est/default.yaml
- /etc/openxpki/config.d/realm/democa/est/democa.yaml
Note: Name the file as democa.yaml .
Copy the default.yaml file in the following locations:
- cp /etc/openxpki/config.d/realm/democa2/est/default.yaml
- /etc/openxpki/config.d/realm/democa2/est/democa2.yaml
Note: Name the file as democa2.yaml .
Restart the OpenXPKI service using openxpkictl restart .

Select the following URLs to open the EST server corresponding to a realm via a web browser:

democa — http://ipaddress/est/democa
democa2 — http://ipaddress/est/democa2

If you want to differentiate between login credentials and default certificate templates for different PKI realms, then you may need advanced configuration.

Creating a password file for certificate keys

Run the following command:

nano /etc/certs/openxpki_democa2/pd.pass
Type your password.
Create a signer certificate. For more information, see Creating a signer certificate .
Check whether the import is successful using openxpkiadm alias --realm democa2 .

Note: If you changed the key password of the certificate during certificate creation, update nano /etc/openxpki/config.d/realm/democa2/crypto.yaml .
Generate the CRLs for the second realm. For more information, see Generating CRL information .

Note: Make sure that you use the correct CA certificate name according to the realm.
Publish the CRLs for this realm. For more information, see Publishing CRL information .

Restart the OpenXPKI service using openxpkictl restart .

Sample output

Stopping OpenXPKI
Stopping gracefully, 3 (sub)processes remaining...
DONE.
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.

Setting the default port number for OpenXPKI CA

By default, Apache listens in port number 443 for https. Set the default port number for OpenXPKI CA to avoid conflicts.

In /etc/apache2/ports.conf , modify the 443 port to any other port. For example:

Old content

Listen 80

<IfModule ssl_module>
   Listen 443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 443
</IfModule>

New content

Listen 80

<IfModule ssl_module>
   Listen 9443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 9443
</IfModule>

In /etc/apache2/sites-available/openxpki.conf , add or modify the VirtualHost section to map a new port. For example, <VirtualHost *:443> to <VirtualHost *:9443> .
In /etc/apache2/sites-available/default-ssl.conf , add or modify the VirtualHost_default section to map a new port. For example, change <VirtualHost *:443> to <VirtualHost *:9443> .
Restart the Apache server using systemctl restart apache2 .

Note: If it asks for the SSL/TLS passphrase, then type the password while adding the TLS web server certificate in the EST server.
In tinddopenxpkiweb01.dhcp.dev.lexmark.com:9443 (RSA): , enter the passphrase for the SSL/TLS keys.

To check the status, run netstat -tlpn| grep apache . The OpenXPKI SCEP URL is now https://ipaddress , and the web URL is FQDN:9443/openxpki .

Enabling basic authentication

Run the following command:

apt -y install apache2-utils

Create a user account that has access to the server. Enter the following details:

htpasswd -c /etc/apache2/.htpasswd <username>
                New password:     
                Re-type new password:
                Adding password for user <username>

Go to directory cd /etc/apache2/sites-enabled/ .

In nano openxpki.conf , add the following lines in <VirtualHost *: 443 block> :

#HTTPS BASIC AUTH FOR LABELS
Location /.well-known/est/*/simpleenroll
    AuthType Basic
    AuthName "estrealm"
    AuthUserFile /etc/apache2/.htpasswd
    require valid-user
    </Location>
    #HTTPS BASIC AUTH FOR NO LABEL
    <Location /.well-known/est/simpleenroll>
    AuthType Basic
    AuthName "estrealm"
    AuthUserFile /etc/apache2/.htpasswd
    require valid-user
    </Location>

Add ErrorDocument 401 %{unescape:%00} before SSLEngine in the same virtual Host block.

Example
```
ServerAlias *
DocumentRoot /var/www/
ErrorDocument 401 %{unescape:%00}
SSLEngine On
```
Restart the apache2 service using service apache2 restart .

Note: Basic authentication works using the above user name and password.

Enabling Client Certificate Authentication

Go to the following directory: cd /etc/apache2/sites-enabled/ .
For the required host in nano openxpki.conf , add SSLVerifyClient require .

For example, if you are using port 443, modify the VirtualHost section to:
```
<VirtualHost *:443>
SSLVerifyClient require
</VirtualHost>
```
Remove the SSLVerifyClient optional_no_ca command.
Save the file, and then type quit to exit from MySQL.
Go to the following directory: cd /etc/openxpki/config.d/realm/democa/est .
Open default.yaml and democa.yaml .

Note: If the label is different, then change the YAML file.
Run the following command:

vi default.yaml
In the authorized_signer section, add the following:
```
authorized_signer:
rule2:
			subject: CN=,.
```
For example, if your client certificate subject name is test123 , then add the following in the authorized_signer section:
```
authorized_signer:
rule1:
		# Full DN	
		subject: CN=.+:pkiclient,.
rule2:	
		subject: CN=test123,.*
```
Save the file, and then type quit to exit MySQL.
Restart the OpenXPKI service using openxpkictl restart .
Restart the Apache service using service apache2 restart .