Endpoints & Protocols
OpenXPKI supports several protocols for certificate enrollment: SCEP, EST, JSON-RPC. All protocols share a similar configuration pattern and use the same certificate_enroll workflow for the enrollment but have protocol specific options and workflows for other actions.
The WebUI configuration is different and explained in a separate chapter.
Configuration Concept
Endpoint configuration is split into a frontend and a backend part, the most common approach is to have a one-on-one relation between the exposed frontend and the policy configuration in the backend by using the same name on both sides:
client.d/service/<protocol>/<endpoint>.yamlconfig.d/realm/<name>/<protocol>/<endpoint>.yaml
The filename (without .yaml) in client.d/service/<protocol>/ is the endpoint name and determines the URL:
Protocol |
URL pattern |
Example |
|---|---|---|
SCEP |
|
|
EST |
|
|
RPC |
|
|
ACME |
|
|
SimpleCMC |
|
|
ACME and SimpleCMC are only available in the enterprise version of OpenXPKI.
Frontend Configuration
Common settings
All protocols share a common subset of settings:
global:
# Defines to which realm the request is dispatched
realm: democa
locale:
# if set any I18N based error messages are translated
language: en_US
logger:
# Log level: overrides system.logger.level
# "DEBUG" MIGHT disclose sensitive user input data.
# "TRACE" WILL dump unfiltered communication.
level: INFO
auth:
# The auth stack to use
# _System is the unauthenticated / anonymous stack that works in all protocols
stack: _System
Environment mapping
All protocol wrappers support the mapping of values from the webserver environment into the workflow context.
The keyword is equal to the name of the parameter in the workflow and have to be specified as list under the key env in the protocols action section.
Key |
Mapped value |
|---|---|
client_ip |
remote IP address |
user_agent |
HTTP User-Agent header |
endpoint |
endpoint name (can be used in combination with a fixed |
server |
endpoint name (mutually exclusive with |
signer_cert |
authentication certificate PEM block (origin depends on protocol) |
signer_dn |
DN of the authentication certificate |
signer_chain |
list of PEM blocks of chain certificates |
tls_client_cert |
PEM of the certificate used in mTLS |
tls_client_dn |
DN of the certificate used in mTLS |
tls_client_chain |
list of PEM blocks of chain used in mTLS |
pkcs7 |
original PKCS7 content as PEM block |
The pkcs7 and tls_* parameters are only available in the RPC frontend.
Endpoint expansion
The above mentioned frontend/backend relation is based on the special workflow parameter server which is used to build the path to the backend configuration. The parameter can be set in two ways:
Explicit
global:
servername: my_policy_config_path
Sets the parameter server to the fixed value my_policy_config_path.
The policy config will then be expected at config.d/realm/<realm>/<protocol>/my_policy_config_path.yaml and not adhere to the name of the frontend path. As this makes debugging more complex you should use such setups only if there is a special need for it.
Implicit
The implicit variant copies the name of the endpoint as extracted from the original HTTP request route to the parameter server, e.g. an EST call to /.well-known/est/printers/simpleenroll will result in server = printers so the policy is expected at config.d/realm/<realm>/est/printers.yaml.
To enable this behavior, you must have the server parameter in your environment mapping.
Backend Configuration
The backend configuration file is read by the invoked workflow. The common settings for the enrollment process are explained in the end of the section for the default enrollment workflow.
Enrollment Protocols
SCEP (Simple Certificate Enrollment Protocol)
Handles SCEP requests including the GetNextCACert message for automated CA rollover.
Output configuration
The node output in the frontend configuration has two properties chain and header.
The chain parameter defines what certificates should be included into the certificate response for enrollment requests, the default is to include the end-entity and its chain certificates without the root chain: chain. To also get the root set chain: fullchain, to not send any chain set chain: none
The parameter headers has only a single supported value all - when set the endpoint exposes workflow id, transaction id and literal error messages via HTTP headers.
output:
chain: fullchain
headers: all
Enrollment workflow configuration
The node PKIOperation holds options for the enrollment request, the minimal required configuration if endpoint expansion is used is:
PKIOperation:
env:
- server
This starts the certificate_enroll workflow with the PKCS10 container and signer certificate extracted from the SCEP request.
Additional input parameters
You can use HTTP query parameters to transport additional information along with the request and map them into the workflow:
PKIOperation:
input:
- printer_mac
This will find a parameter printer_mac in the query parameters and make its value available as url_printer_mac in the workflow. Note the url_ prefix which is used to prevent unexpected injection. Only scalar values are allowed, any non-word character is removed from the value.
Property request configuration
The name of the nodes are equal to the name of operation as defined in the protocol: GetCACert, GetCACAPS, GetNextCACert, GetCRL .
All nodes support the parameter env for environment mapping.
The workflow to be executed defaults to scep_<lowercased operation name>, e.g. scep_getcacert for the GetCACert but can be customized setting workflow: my_scep_property_workflow.
GetCACert:
workflow: my_scep_property_workflow
env:
- server
- client_ip
This will start a workflow of type my_scep_property_workflow with the parameters server and client_ip.
EST (Enrollment over Secure Transport, RFC 7030)
EST endpoints are available at /.well-known/est/<endpoint>/, the default “unnamed” endpoint uses the configuration found in default.yaml.
Transport configuration
EST implies the usage of HTTPS as transport. For security reasons the frontend refuses to accept requests via plain HTTP.
To disable this check in special environments, e.g. when using a reverse proxy set:
global:
insecure: 1
Output configuration
The node output in the frontend configuration has a single property header.
The parameter headers has only a single supported value all - when set the endpoint exposes workflow id, transaction id and literal error messages via HTTP headers.
output:
headers: all
Enrollment workflow configuration
The default configuration already includes the server and signer_cert environment items for endpoint expansion and mTLS evaluation so it is possible to run an EST endpoint with no additional configuration.
If a custom configuration is required, you can use the node names equal to the EST actions simpleenroll and simplereenroll to set a different workflow or pass additional env variables.
Property request configuration
The name of the nodes are equal to the name of operation as defined in the protocol: csrattrs and cacerts.
All nodes support the parameter env for environment mapping.
The workflow to be executed defaults to est_<operation name>, e.g. est_cacerts for cacerts operation but can be customized setting workflow: my_est_certs_workflow.
Smoke test with curl
# Retrieve CA certificates
curl -k https://yourhost/.well-known/est/default/cacerts | \
openssl base64 -d | openssl pkcs7 -inform DER -print_certs
# Query CSR attributes
curl -k https://yourhost/.well-known/est/default/csrattrs
# Enrollment
openssl req -new -newkey rsa:2048 -nodes \
-subj "/CN=test.example.com" -keyout client.key \
-outform der | openssl base64 -out client.csr
curl -k -X POST \
-H "Content-Type: application/pkcs10" \
--data-binary @client.csr \
https://yourhost/.well-known/est/default/simpleenroll
RPC (JSON-RPC)
The JSON RPC wrapper can be used to interface with any workflow configured in the OpenXPKI backend. The default configuration includes an example to interact with the default enrollment workflow to achieve a similar behaviour as with SCEP or EST.
Input configuration
The recommended way to interact with the RPC layer is a HTTP POST request with a proper content type and raw JSON payload as body. To prevent performance issues or attacks with deeply nested payloads you must enable and limit the processing explicitly:
input:
allow_raw_post: 1
parse_depth: 5
If you want to use JSON Object Signing and Encryption to authenticate your requests, you need to create an empty node jose on the top level:
# Enable JOSE (JSON Object Signing and Encryption)
jose: ~
Output configuration
Use the output node to activate HTTP status code mapping. This will render input failures to the workflow into 400 and processing errors into 500 errors. If this is not set, the status code is always 200 (as long as the server is working at all).
output:
use_http_status_codes: 1
Method configuration
Each method in the endpoint YAML maps an API method name to an OpenXPKI workflow, names must start with an uppercase letter and must contain only letters and numbers.
RequestCertificate:
workflow: certificate_enroll
input:
- pkcs10
- profile
- comment
output:
- cert_identifier
- certificate
- chain
- error_code
env:
- signer_cert
- server
pickup:
workflow: check_enrollment
input:
- pkcs10
- transaction_id
RevokeCertificate:
workflow: certificate_revoke
input:
- cert_identifier
- reason_code
- comment
preset:
reason_code: unspecified
env:
- signer_cert
output:
- error_code
Parameter |
Description |
|---|---|
workflow |
Internal workflow name |
input |
Fields taken from the request body |
output |
Fields returned in the response |
env |
Fields filled automatically from the server environment |
pickup |
Workflow and parameters for polling deferred results |
preset |
Default values passed as input parameters, overridden by request values of the same name |
OpenAPI Support
Endpoints can be given an OpenAPI title used for the auto-generated API documentation:
openapi:
title: Public Certificate API
The OpenAPI documentation is then available at https://yourhost/rpc/<endpoint>?format=openapi.