From: Tomas G. <to...@pr...> - 2017-02-09 09:16:59

What version of EJBCA are you using btw?

I'm using this WS command:

./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9 "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10 DER NONE

My CSR has subjectDN: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9

If I have enabled "Allow Subject DN Override by CSR" in the Certificate Profile "Client", my issued certificate gets the DN from the p10.

If you try using clientToolBox first, then you will know if/how the feature works, and then you can try to translate it to SOAP-UI (you can even debug log the full soap messages).

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY

On 2017-02-08 14:35, Nikita Bedmutha wrote:
> Serious apologies for sending incomplete data. Well, I observed the
> Debug logs for both the calls, call from web service and call from
> public web. Here are my observations:
>
> 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> has an entry:
>
> CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>
> where requestX500name=null
>
> 2. For public web 'Create Certificate from CSR' call:
>
> CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>
> where requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
>
> Both the calls use the same CSR, the same certificate profile is being used
> in both cases, and the public key extracted from the CSR also looks the same.
>
> However, in case of the public web call we see a log statement, 'Using
> X509Name from request instead of user's registered.' which is missing in
> the webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> be seen.
> I suspect this could be because requestX500name is null in case of the
> webservice call.
>
> However, we are using the same CSR and so this behaviour is a bit confusing.
> If this info can help. Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> <http://www.linkedin.com/in/nikitabedmutha>
>
> On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
> > I can only re-iterate here:
> > ---
> > Debug logging will show in detail all decisions regarding override or not
> > that it takes during certificate issuance.
> > ---
> >
> > For more information about logging, how to configure debug etc, see
> > https://www.ejbca.org/docs/adminguide.html#Logging
> >
> > /Tomas
> >
> > On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > > Hi,
> > >
> > > I know this must be the very basic requirement to get the certificate
> > > with subject DN overridden. But I have tried my best with all settings
> > > but no clue what's going wrong.
> > > I have a user 'user1' which is created with a 'Client end entity profile'
> > > which uses default cert profile as 'Client Cert Profile'. This
> > > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > > subject DN override by End Entity Information' checked. In the case
> > > where both are checked, documentation says that DN will be overridden by CSR.
> > >
> > > Now I make this SOAP call for pkcs10Request:
> > > Body:
> > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.protocol.core.ejbca.org/">
> > >   <soapenv:Header/>
> > >   <soapenv:Body>
> > >     <ws:pkcs10Request>
> > >       <!--Optional:-->
> > >       <arg0>user1</arg0>
> > >       <!--Optional:-->
> > >       <arg1>password</arg1>
> > >       <!--Optional:-->
> > >       <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > > -----END CERTIFICATE REQUEST-----</arg2>
> > >       <!--Optional:-->
> > >       <arg3></arg3>
> > >       <!--Optional:-->
> > >       <arg4>CERTIFICATE</arg4>
> > >     </ws:pkcs10Request>
> > >   </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > > I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > > '-----END CERTIFICATE REQUEST-----' but no success.
> > > In both cases, the certificate generated still uses the subject DN which
> > > was used while creating the user. I tried this webservice call using
> > > SOAP-UI as well as eclipse code. Only when the call is made using the public
> > > web 'Create certificate from CSR' or the cli command is the subject DN
> > > overridden. For some reason I am unable to achieve it through the web service
> > > call. Kindly guide me if I am doing anything wrong here.
> > >
> > > Regards,
> > > Nikita Bedmutha
> > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > > <http://www.linkedin.com/in/nikitabedmutha>
> > >
> > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > > > It is very common to do this using WS so there is probably something
> > > > wrong with your call. Are you using the correct certificate profile in
> > > > your WS call?
> > > >
> > > > Debug logging will show in detail all decisions regarding override or not
> > > > that it takes during certificate issuance.
> > > >
> > > > Regards,
> > > > Tomas
> > > >
> > > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > > Sorry for spamming, but just correcting the query:
> > > > >
> > > > > I want to make a certificate request which uses the subject DN from the CSR
> > > > > and not the registered end entity subject DN. I am using the
> > > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > > checked. However the web service requests 'pkcs10Request' as well as
> > > > > 'certificateRequest' do not return certificates with the subject DN
> > > > > overridden by the CSR but use the registered DN only.
> > > > >
> > > > > On the other hand, using the same CSR, the public web call 'Create
> > > > > Certificate from CSR' as well as the 'createcert' CLI command generates
> > > > > a certificate which has the subject DN overridden by the CSR.
> > > > >
> > > > > Your inputs would really be very helpful.
> > > > > Thanks.
> > > > >
> > > > > Regards,
> > > > > Nikita Bedmutha
> > > > >
> > > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I have a user (end-entity) created using a certificate profile which
> > > > > > has 'Allow Subject DN override' checked. This end-entity is
> > > > > > registered with Token as User Generated.
> > > > > > When I use the 'Create Certificate from CSR' option on public web, I get
> > > > > > the certificate with the subject DN used while creating the CSR and
> > > > > > not the registered DN.
> > > > > > Now I want to achieve the same using a web service call. I tried the
> > > > > > 'certificateRequest' and 'pkcs10' request with the same CSR that I
> > > > > > used in the previous Public web call. But in the web service call case,
> > > > > > I get a certificate with the registered DN and not overridden by the CSR.
> > > > > >
> > > > > > Kindly guide me how to achieve this.
> > > > > >
> > > > > > Thanks and Regards,
> > > > > > Nikita
> > > > > >
> > > > > > ------------------------------------------------------------------------------
> > > > > > Check out the vibrant tech community on one of the world's most
> > > > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > > > > > _______________________________________________
> > > > > > Ejbca-develop mailing list
> > > > > > Ejb...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
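Before concluding that the CA ignores the override, it helps to verify what subject the CSR you post actually carries and, once a certificate comes back, whether its subject matches the CSR or the registered end entity. The following is an added example and not code from this thread or from EJBCA: a dependency-free Python DER walker that decodes the CSR quoted in Nikita's 2017-02-08 10:10 message (copied from the page) and renders its subject in the same order the CERT_REQUEST log line above shows for requestX500name. The function names, the OID table and the dn_source helper are this example's own; dn_source compares DNs as unordered sets of components, since string renderings may list the RDNs in either direction.

```python
"""Extract the subject DN from a PKCS#10 CSR with a minimal DER walker.

Added example for the EJBCA thread above; not EJBCA code. It checks what
subject a CSR really carries before the CSR is blamed on (or for) the CA.
"""
import base64
import re

# The CSR posted in the thread (PEM body copied from the quoted message).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----"""

# Attribute types commonly found in a subject Name (X.520 / PKCS#9); this
# table is the example's own and covers only the usual short names.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.5": "SN",
    "1.2.840.113549.1.9.1": "E",
}

SEQUENCE, SET, INTEGER, OID = 0x30, 0x31, 0x02, 0x06


def pem_to_der(text: str) -> bytes:
    """Accept a full PEM block or only its base64 body (the thread tried both)."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, position_after) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER payload into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_string(tag: int, raw: bytes) -> str:
    """Decode the common DirectoryString encodings used in a subject."""
    if tag == 0x1E:  # BMPString
        return raw.decode("utf-16-be")
    if tag == 0x14:  # TeletexString, approximated as Latin-1
        return raw.decode("latin-1")
    return raw.decode("utf-8")  # UTF8String, PrintableString, IA5String


def csr_subject_dn(csr_text: str) -> str:
    """Walk CertificationRequest -> CertificationRequestInfo -> subject Name.

    RDNs are rendered in DER order, separated by commas; the attributes of a
    multi-valued RDN are joined with '+'.
    """
    der = pem_to_der(csr_text)
    tag, cert_req, _ = read_tlv(der, 0)
    assert tag == SEQUENCE, "not a CertificationRequest"
    tag, info, _ = read_tlv(cert_req, 0)
    assert tag == SEQUENCE, "missing CertificationRequestInfo"
    tag, _version, pos = read_tlv(info, 0)
    assert tag == INTEGER, "missing version"
    tag, name, _ = read_tlv(info, pos)
    assert tag == SEQUENCE, "missing subject Name"
    rdns, pos = [], 0
    while pos < len(name):  # Name ::= SEQUENCE OF RelativeDistinguishedName
        tag, rdn, pos = read_tlv(name, pos)
        assert tag == SET, "RDN must be a SET"
        avas, rpos = [], 0
        while rpos < len(rdn):  # RDN ::= SET OF AttributeTypeAndValue
            _, atv, rpos = read_tlv(rdn, rpos)
            tag, oid_raw, vpos = read_tlv(atv, 0)
            assert tag == OID, "AttributeType must be an OID"
            vtag, value_raw, _ = read_tlv(atv, vpos)
            oid = decode_oid(oid_raw)
            avas.append(f"{OID_NAMES.get(oid, oid)}={decode_string(vtag, value_raw)}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dn_source(issued_dn: str, csr_dn: str, registered_dn: str) -> str:
    """Classify an issued subject as 'csr', 'registered' or 'other'."""
    def parts(dn: str):
        return sorted(p.strip() for p in dn.split(","))
    if parts(issued_dn) == parts(csr_dn):
        return "csr"
    if parts(issued_dn) == parts(registered_dn):
        return "registered"
    return "other"


if __name__ == "__main__":
    print("CSR subject:", csr_subject_dn(CSR_PEM))
```

Run the script against the CSR you are about to post, then feed the subject of the returned certificate to dn_source together with the registered DN from the end entity; a result of "registered" with "Allow Subject DN override by CSR" enabled is the condition to take to the debug log Tomas points at.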