From: Nikita B. <nik...@gs...> - 2017-02-08 13:35:40
Serious apologies for sending incomplete data. Well, I observed the debug logs for both the calls, the call from the web service and the call from the public web. Here are my observations:

1. For the pkcs10Request web service call through SOAP UI, the INFO log has an entry:

CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB

where requestX500name=null

2. For the public web 'Create Certificate from CSR' call:

CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB

where requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK

Both the calls use the same CSR, the same certificate profile is being used in both cases, and the public key extracted from the CSR also looks the same. However, in the case of the public web call we see a log statement, 'Using X509Name from request instead of user's registered.', which is missing in the web service call log, where only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can be seen. I suspect this could be because requestX500name is null in the case of the web service call. However, we are using the same CSR, and so this behaviour is a bit confusing. I hope this info can help. Thanks.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
<http://www.linkedin.com/in/nikitabedmutha>

On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> I can only re-iterate here:
>
> ---
> Debug logging will show in detail all decisions regarding override or not
> that it takes during certificate issuance.
> ---
>
> For more information about logging, how to configure debug etc, see
> https://www.ejbca.org/docs/adminguide.html#Logging
>
> /Tomas
>
> On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > Hi,
> >
> > I know this must be a very basic requirement, getting the certificate
> > issued with the subject DN overridden, but I have tried my best with all
> > settings and have no clue what's going wrong.
> > I have a user 'user1' which is created with a 'Client end entity profile'
> > which uses the default cert profile 'Client Cert Profile'. This
> > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > subject DN override by End Entity Information' checked. In the case
> > where both are checked, the documentation says that the DN will be
> > overridden by the CSR.
> >
> > Now I make this SOAP call for pkcs10Request:
> > Body:
> > <soapenv:Envelope
> > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > xmlns:ws="http://ws.protocol.core.ejbca.org/">
> >   <soapenv:Header/>
> >   <soapenv:Body>
> >     <ws:pkcs10Request>
> >       <!--Optional:-->
> >       <arg0>user1</arg0>
> >       <!--Optional:-->
> >       <arg1>password</arg1>
> >       <!--Optional:-->
> >       <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > -----END CERTIFICATE REQUEST-----</arg2>
> >       <!--Optional:-->
> >       <arg3></arg3>
> >       <!--Optional:-->
> >       <arg4>CERTIFICATE</arg4>
> >     </ws:pkcs10Request>
> >   </soapenv:Body>
> > </soapenv:Envelope>
> >
> > I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > '-----END CERTIFICATE REQUEST-----', but with no success.
> > In both cases, the certificate generated still uses the subject DN which
> > was used while creating the user. I tried this web service call using
> > SOAP UI as well as Eclipse code.
> > Only when the call is made using the public web 'Create certificate from
> > CSR' or the CLI command is the subject DN overridden. For some reason I am
> > unable to achieve it through the web service call. Kindly guide me if I am
> > doing anything wrong here.
> >
> > Regards,
> > Nikita Bedmutha
> > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > <http://www.linkedin.com/in/nikitabedmutha>
> >
> > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > > This is very common to do using WS, so there is probably something
> > > wrong with your call. Are you using the correct certificate profile in
> > > your WS call?
> > >
> > > Debug logging will show in detail all decisions regarding override or not
> > > that it takes during certificate issuance.
> > >
> > > Regards,
> > > Tomas
> > > ---
> > > RSA Conference 2017
> > > ------------------------------------------------------------------
> > > San Francisco | February 13-17 | Moscone Center
> > > Come visit us in booth #627 at RSA Conference 2017!
> > >
> > > Want a free expo pass?
> > > Go to https://www.rsaconference.com/events/us17/register
> > > and use the code: XE7PRMKEY
> > >
> > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > Sorry for spamming, but just correcting the query:
> > > >
> > > > I want to make a certificate request which uses the subject DN from the
> > > > CSR and not the registered end entity subject DN. I am using the
> > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > checked. However, the web service requests 'pkcs10Request' as well as
> > > > 'certificateRequest' do not return certificates with the subject DN
> > > > overridden by the CSR but use the registered DN only.
> > > >
> > > > On the other hand, using the same CSR, the public web call 'Create
> > > > Certificate from CSR' as well as the 'createcert' CLI command generate
> > > > a certificate which has the subject DN overridden by the CSR.
> > > >
> > > > Your inputs would really be very helpful.
> > > > Thanks.
> > > >
> > > > Regards,
> > > > Nikita Bedmutha
> > > >
> > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I have a user (end entity) created using a certificate profile which
> > > > > has 'Allow Subject DN override' checked. This end entity is
> > > > > registered with Token as User Generated.
> > > > > When I use the 'Create Certificate from CSR' option on the public web,
> > > > > I get the certificate with the subject DN used while creating the CSR
> > > > > and not the registered DN.
> > > > > Now I want to achieve the same using a web service call. I tried the
> > > > > 'certificateRequest' and 'pkcs10' request with the same CSR that I
> > > > > used in the previous public web call. But in the web service call case,
> > > > > I get the certificate with the registered DN and not overridden by
> > > > > the CSR.
> > > > >
> > > > > Kindly guide me how to achieve this.
> > > > >
> > > > > Thanks and Regards,
> > > > > Nikita
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
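Added worked example, not part of the thread and not EJBCA code: the comparison Nikita describes, done in code so the two paths can be checked the same way again. It decodes the PKCS#10 request from the SOAP body with a small hand-written DER walker (standard library only), prints its subject the way the audit log prints requestX500name, re-encodes the SubjectPublicKeyInfo, and sets both against the two CERT_REQUEST audit lines quoted above (constructed here from the thread's excerpts with the mail wrapping undone). Assumptions, also marked in the code: the audit-line field positions are read off those two lines only, and effective_subject_dn() is a model of the override rule as the thread states it, not EJBCA's implementation.

```python
import base64

# CSR from the SOAP body in the thread, copied verbatim.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----"""

# publickey value shared by both audit lines in the thread, mail wrapping removed.
PUBKEY_B64 = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4d"
              "Cd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjr"
              "IkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTX"
              "lLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkM"
              "hDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE"
              "29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJr"
              "nC/7TBVYijU0u6bwIDAQAB")
# The two CERT_REQUEST audit lines quoted in the thread: web service, then public web.
WS_LINE = ("CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;"
           "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile="
           "1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=" + PUBKEY_B64)
PUBWEB_LINE = ("CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;"
               "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,"
               "L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;"
               "sequence=;publickey=" + PUBKEY_B64)

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E"}
# key=value fields that appear in the two quoted lines (assumption: nothing beyond them).
AUDIT_KEYS = {"subjectdn", "requestX500name", "certprofile", "keyusage",
              "notbefore", "notafter", "sequence", "publickey"}


def der_children(buf):
    """Walk a DER SEQUENCE/SET body; return (tag, value, raw_tlv) per element."""
    items, pos = [], 0
    while pos < len(buf):
        start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return items


def decode_oid(raw):
    """Dotted OID from DER content octets (first byte = 40*arc1 + arc2, then base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_csr(text):
    """Subject (in the order EJBCA logs requestX500name) and base64 SPKI of a PKCS#10
    request; accepts PEM or the bare base64 body the thread also tried."""
    b64 = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    (_, cert_req, _), = der_children(base64.b64decode(b64))    # CertificationRequest
    _, info, _ = der_children(cert_req)[0]                      # CertificationRequestInfo
    version, subject, spki = der_children(info)[:3]             # version, Name, SPKI
    if version[1] != b"\x00":
        raise ValueError("unexpected PKCS#10 version")
    rdns = []
    for _, rdn, _ in der_children(subject[1]):                  # Name = SEQUENCE OF SET OF ATV
        for _, atv, _ in der_children(rdn):
            (_, oid, _), (_, value, _) = der_children(atv)
            oid = decode_oid(oid)
            rdns.append(f"{OID_NAMES.get(oid, oid)}={value.decode()}")
    return {"subject": ",".join(rdns), "spki_b64": base64.b64encode(spki[2]).decode()}


def parse_audit_line(line):
    """Split a CERT_REQUEST audit line into its key=value fields.  Field positions are
    taken from the two quoted lines: the fifth field names the caller (admin cert DN
    for WS, client address for public web).  'null' or an empty value becomes None."""
    fields = line.strip().split(";")
    out = {"caller": fields[4]}
    for field in fields:
        key, sep, value = field.partition("=")
        if sep and key in AUDIT_KEYS:
            out[key] = None if value in ("", "null") else value
    return out


def compare_requests(ws_line, pubweb_line, csr_text):
    """The thread's check: same CSR, profile and key on both paths, but only the
    public web path carries the CSR subject through as requestX500name."""
    csr, ws, pw = parse_csr(csr_text), parse_audit_line(ws_line), parse_audit_line(pubweb_line)
    return {"same_certprofile": ws["certprofile"] == pw["certprofile"],
            "same_public_key": ws["publickey"] == pw["publickey"] == csr["spki_b64"],
            "csr_subject": csr["subject"],
            "ws_request_dn": ws["requestX500name"],
            "pubweb_request_dn": pw["requestX500name"]}


def effective_subject_dn(registered_dn, request_dn, allow_csr_override):
    """Model of the rule as the thread states it (not EJBCA's code): with 'Allow subject
    DN override by CSR' set, a subject carried in the request replaces the registered
    one; when the request carries none (requestX500name=null) the registered DN stays."""
    return request_dn if allow_csr_override and request_dn else registered_dn


if __name__ == "__main__":
    for key, value in compare_requests(WS_LINE, PUBWEB_LINE, CSR_PEM).items():
        print(f"{key}: {value}")
```

Run as-is it reports that both lines carry the same certificate profile and the same key, that the key is byte-for-byte the CSR's SubjectPublicKeyInfo, and that requestX500name is absent on the web service line while matching the CSR subject on the public web line; feeding each requestX500name into effective_subject_dn() with the registered CN=user1,OU=GSL,C=IN reproduces the two different issued subjects the thread observed.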