Implicit trust relationship of client and server certificates

[martincorr]

Im trying to create a setup where:

• My signserver worker is certified under a private CA hierarchy.
• My signserver worker is configured for CLIENTCERT
• My signserver worker is configured with a list of user certs that are permitted to access the worker.
• My signserver instance is certified under ManagementCA a la quickstart install.
• The clients connecting to the signserver worker are certified under a publicly trusted CA hierarchy

Im using postman and loaded a client cert = one of the user certs certified under the public PKI
My client (postman) fail with authorisation failure:

Error: 649088:error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN:........\src\third_party\boringssl\src\ssl\tls_record.cc:592:SSL alert number 46

If I do not configure postman with any client certs I get this:
"error": "Authorization failed: Error, client authentication is required."

If I configure postman to use my superadmin account that I use to administer signserver (i.e. certified under ManagementCA) AND I add that cert to the authorization certs for the worker then it works,

If I remove superadmin cert from worker authorization cert list and rerun postman then I get

"error": "Authorization failed: Worker 7: Client is not authorized: "UID=c-00j5f7x7leyo8bfar,CN=SuperAdmin,O=EJBCA Container Quickstart", "5feff088e7386aa31813ebdb630ce71002a18fa8, UID=c-00j5f7x7leyo8bfar,CN=ManagementCA,O=EJBCA Container Quickstart""

Ideally I should just be able to specify a list of end user certificates for a signserver worker and signserver rest api verifies against those regardless of whether or not they are trust-related to my signserver instance web site certificate.

Or maybe this is all possible but my rig is not correctly configured.

Any ideas?

[martincorr]

OK Ive solved this. Posting here in case anyone gets stuck in the same way.

IF your signserver is using clientcert authentication to control access to workers
AND your client certs are issued by a third party PKI
THEN you need to add the root of trust for your third party PKI into signserver trust zone

You do this by copying in the pem file from the root to the location:

/mnt/external/secrets/tls/cas

Im using docker so:

/opt/keyfactor/PubICA.pem:/mnt/external/secrets/tls/cas/PubICA.crtt

Restart signserver.
Enable CLIENTCERT.
Add the user cert to the worker Authorization certs.

Bingo you can control access to the worker using mutual auth.

[martincorr]

fixed.