EJBCA issue ECA-6707

EST re-enrollment should not also require username and password authentication (backport)

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.11.1.2
    • Component/s: None
    • Labels: None
    • Sprint: EJBCA Sprint 10

      Description

      Backport ECA-6653 to 6.11.x

      A typical EST work-flow can look like:

      EST Alias:

      • Management CA
      • Authentication
      • ENDUSER
      • Not require client cert
      • Username and password
      • Allow Certificate Renewal with Same Keys

      Get CA certificate, by "RA":
      ./estclient -g -s 127.0.0.1 -p 8442 -o certs --pem-output

      openssl x509 -in certs/cacert-0-0.pem -text|less

      Get client certificate, by "RA", authenticated with username/password
      ./estclient -e -s 127.0.0.1 -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient

      openssl x509 -in certs/cert-0-0.pem -text|less

      Re-enroll, directly by the client when certificate is about to expire, using the old client cert to authenticate with:
      ./estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output

      openssl x509 -in certs/cert-0-0.pem -text|less

      Revoke the client's certificates.

      Try to re-enroll again; re-enrolling with revoked certificates does not work.
      ./estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output


      In order to use the RA, we use username and password authentication. Re-enrollment always requires client cert authentication, so we don't have to have that enabled for the RA to enroll. When the client wants to re-enroll, however, it should not have the username/password that the RA uses. The client should only authenticate with its old certificate.
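      The authentication rules the description asks for, as an added, constructed Python model that is not EJBCA's code: `simpleenroll` may be authenticated by the RA's username/password (the alias allows "Not require client cert"), while `simplereenroll` is authenticated by the existing client certificate alone, rejects revoked certificates, and honours "Allow Certificate Renewal with Same Keys". The class and function names are hypothetical; `estadmin`/`foo123` are the test values from the description.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class EstAlias:
    # Mirrors the alias options in the issue; names are descriptive, not EJBCA config keys.
    require_client_cert: bool        # "Not require client cert" -> False
    username: Optional[str]          # RA credentials ("Username and password")
    password: Optional[str]
    allow_renewal_same_keys: bool    # "Allow Certificate Renewal with Same Keys"

@dataclass
class ClientCert:
    subject: str
    public_key: str                  # stand-in for the SubjectPublicKeyInfo
    revoked: bool

# Constructed alias matching the issue's example; the credentials are the
# test values from the description, not real ones.
RA_ALIAS = EstAlias(require_client_cert=False, username="estadmin",
                    password="foo123", allow_renewal_same_keys=True)

def authorize(alias: EstAlias, operation: str,
              client_cert: Optional[ClientCert] = None,
              basic_auth: Optional[Tuple[str, str]] = None,
              csr_public_key: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether an EST request is authenticated; returns (allowed, reason)."""
    if client_cert is not None and client_cert.revoked:
        # A revoked certificate never authenticates anything.
        return False, "client certificate is revoked"
    if operation == "simpleenroll":
        if alias.require_client_cert and client_cert is None:
            return False, "client certificate required by alias"
        if basic_auth is not None:
            if basic_auth == (alias.username, alias.password):
                return True, "authenticated by username/password (RA flow)"
            return False, "bad username/password"
        if client_cert is not None:
            return True, "authenticated by client certificate"
        return False, "no credentials presented"
    if operation == "simplereenroll":
        # Re-enrollment is TLS client-certificate authenticated only; the
        # RA's username/password is neither required nor consulted here.
        if client_cert is None:
            return False, "client certificate required for re-enrollment"
        if csr_public_key == client_cert.public_key and not alias.allow_renewal_same_keys:
            return False, "renewal with the same key pair not allowed"
        return True, "authenticated by existing client certificate"
    return False, "unknown EST operation"
```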

      People

      Assignee: mikek (Mike Agrenius Kushner)
      Reporter: tomas (Tomas Gustavsson)
      Verified by: Samuel Lidén Borell