From: Tomas G. <to...@pr...> - 2017-02-08 09:52:07
I can only re-iterate here:

---
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
---

For more information about logging, how to configure debug etc, see
https://www.ejbca.org/docs/adminguide.html#Logging

/Tomas

On 2017-02-08 10:10, Nikita Bedmutha wrote:
> Hi,
>
> I know this must be the very basic requirement to get the certificate
> with subject DN overridden. But I have tried my best with all settings
> but no clue what's going wrong.
> I have a user 'user1' which is created with a 'Client endentity profile'
> which uses default cert profile as 'Client Cert Profile'. This
> certificate profile has 'Allow subject DN override by CSR' and 'Allow
> subject DN override by End Entity Information' checked. In the case
> where both are checked, documentation says that DN will be overridden by CSR.
>
> Now I make this SOAP call for pkcs10Request:
> Body:
> <soapenv:Envelope
>     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:ws="http://ws.protocol.core.ejbca.org/">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <ws:pkcs10Request>
>          <!--Optional:-->
>          <arg0>user1</arg0>
>          <!--Optional:-->
>          <arg1>password</arg1>
>          <!--Optional:-->
>          <arg2>-----BEGIN CERTIFICATE REQUEST-----
> MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> -----END CERTIFICATE REQUEST-----</arg2>
>          <!--Optional:-->
>          <arg3></arg3>
>          <!--Optional:-->
>          <arg4>CERTIFICATE</arg4>
>       </ws:pkcs10Request>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
> '-----END CERTIFICATE REQUEST-----' but no success.
> In both cases, the certificate generated still uses the subject DN which
> was used while creating the user. I tried this webservice call using
> SOAP-UI as well as eclipse code. Only when the call is made using public
> web 'Create certificate from CSR' or cli command, the subject DN is
> overridden. For some reason unable to achieve it through web service
> call. Kindly guide me if I am doing anything wrong here.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | Great Software Laboratory <http://www.gslab.com/>
>
> On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
>
>     This is very common to do this using WS so there is probably something
>     wrong with your call. Are you using the correct certificate profile in
>     your WS call?
>
>     Debug logging will show in detail all decisions regarding override or not
>     that it takes during certificate issuance.
>
>     Regards,
>     Tomas
>
>     On 2017-02-02 04:44, Nikita Bedmutha wrote:
>     > Sorry for spamming, but just correcting the query:
>     >
>     > I want to make a certificate request which uses the subject DN from CSR
>     > and not the registered end entity subject DN. I am using the
>     > certificate profile which has 'Allow subject DN override by CSR'
>     > checked. However the web service requests 'pkcs10Request' as well as
>     > 'certificateRequest' do not return certificates with subject DN
>     > overridden by the CSR but uses the registered DN only.
>     >
>     > On the other hand, using the same CSR, the public web call 'Create
>     > Certificate from CSR' as well as the 'createcert' CLI command generates
>     > a certificate which has the subject DN overridden by the CSR.
>     >
>     > Your inputs would really be very helpful.
>     > Thanks.
>     >
>     > Regards,
>     > Nikita Bedmutha
>     >
>     > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
>     >
>     >     Hi,
>     >
>     >     I have a user (end-entity) created using a certificate profile which
>     >     has 'Allow Subject DN override' checked. This end-entity is
>     >     registered with Token as User Generated.
>     >     When I use 'Create Certificate from CSR' option on public web, I get
>     >     the certificate with the subject DN used while creating the CSR and
>     >     not the registered DN.
>     >     Now I want to achieve same using web service call. I tried the
>     >     'certificateRequest' and 'pkcs10' request with the same CSR that I
>     >     used in previous Public web call. But in the web service call case,
>     >     I get certificate with the registered DN and not overridden by the CSR.
>     >
>     >     Kindly guide me how to achieve this.
>     >
>     >     Thanks and Regards,
>     >     Nikita
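
A check that complements the debug logging recommended in this thread: decode the subject DN a CSR actually carries, so it can be compared with the DN of the certificate the web service returns. This is an added example, not part of the original messages and not EJBCA code; the function names are illustrative and the sample CSR is a constructed, unsigned structure. Input is accepted with or without the BEGIN/END lines, the two forms tried in the thread.

```python
import base64

# DER content bytes of the attribute-type OIDs used in common subject DNs.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, off):  # -> (tag, value, next_offset) of the DER element at off
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def children(buf):  # yields (tag, value) for each element inside a constructed value
    off = 0
    while off < len(buf):
        tag, val, off = read_tlv(buf, off)
        yield tag, val

def load_csr(text):
    """DER bytes from a base64 CSR, with or without the BEGIN/END lines."""
    lines = (l.strip() for l in text.splitlines())
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")))

def csr_subject(der):
    """Subject DN in encoded order: SEQUENCE -> CertificationRequestInfo -> Name."""
    _, outer = next(children(der))
    _, info = next(children(outer))
    name = list(children(info))[1][1]      # element 0 is the version INTEGER
    parts = []
    for _, rdn in children(name):          # each RDN is a SET ...
        for _, atv in children(rdn):       # ... of SEQUENCE { type OID, value }
            (_, oid), (_, val) = list(children(atv))
            parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(parts)

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def sample_csr_pem():  # constructed CSR-shaped input: empty key, zeroed signature
    rdn = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))
    name = tlv(0x30, rdn(b"\x55\x04\x0a", "Example") + rdn(b"\x55\x04\x03", "device-01"))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + tlv(0x30, b"") + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, bytes(257)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"
```

Comparing the returned string with the subject of the issued certificate and with the DN registered on the end entity shows which of the two the CA used.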