Thanks Oliver. I will try this and let you know. Couple of clarifications.
>>
To configure the certificate for getnextca, you must add a root-certificate
with a future notbefore date. First, import your new root
openxpkiadm certificate import --file rootca2.pem
[Roni] When you say import new rootca cert, who is the issuer of this new
rootca cert? The current rootca cert I have is the intermediate subca
cert generated (openssl) while running sampleconfig.sh.
Do we need to have the rollover RA cert, to get the future ID cert
(GetNewCert)?
For getcertinitial to work over scep, the router cert should be created via
GUI, and in approved state?
Any design guide on what format openxpki (scep) expects/responds for
"GetNextCaCert" messages?
Thanks,
Roni
On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <[email protected]> wrote:
> Hi Roni,
>
> if you can get the RA/CA cert then the SCEP subsystem is working. I assume
> you mean GetCertInitial - this will only fetch an EXISTING certificate, to
> enroll for a new certificate you need to create a CSR on your local machine
> and send it to the PKI. An example using the sscep tool is provided on the
> quickstart page
> http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service
>
> To configure the certificate for getnextca, you must add a
> root-certificate with a future notbefore date. First, import your new root
>
> openxpkiadm certificate import --file rootca2.pem
>
> Then set a new alias in the root group with an administratively overridden
> notbefore date (you can omit this if the certificate has a notbefore date
> in the future itself)
>
> openxpki alias --realm ca-one --identifier XXXX --token root --notbefore "2020-01-01 00:00:00"
>
> You can check the result with
>
> openxpki alias --realm ca-one
>
> This should look like:
>
> === root ca ===
> current root ca:
> Alias : root-1
> Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
> NotBefore : 2015-10-02 09:26:28
> NotAfter : 2020-10-01 09:26:28
>
> upcoming root ca:
> Alias : root-2
> Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
> NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
> NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>
> Oliver
> --
> Protect your environment - close windows and adopt a penguin!
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
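
Added example, not part of the original thread and not OpenXPKI code: a small Python check over the alias listing quoted above, confirming that the upcoming root is not yet effective, takes over no later than the current root expires, and that an overridden window stays inside the certificate's own validity. The function names are hypothetical, the sample is constructed from the listing in the quoted reply, and reading the bracketed dates as the certificate's own dates is an assumption.

```python
import re
from datetime import datetime
SAMPLE = """\
=== root ca ===
current root ca:
Alias : root-1
Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
NotBefore : 2015-10-02 09:26:28
NotAfter : 2020-10-01 09:26:28
upcoming root ca:
Alias : root-2
Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
"""  # constructed from the listing in the quoted reply
FMT = "%Y-%m-%d %H:%M:%S"
FIELD = re.compile(r"(NotBefore|NotAfter)\s*:\s*(\S+ \S+)(?:\s+\((.+)\))?$")

def parse_alias_listing(text):
    """Return {'current': {...}, 'upcoming': {...}} for the root group."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate "> " mail quoting
        head = re.match(r"(current|upcoming) root ca:$", line)
        field = FIELD.match(line)
        if head:
            section = entries.setdefault(head.group(1), {})
        elif field and section is not None:
            key, eff, own = field.groups()
            # Assumption: the bracketed value is the certificate's own date.
            section[key] = datetime.strptime(eff, FMT)
            section[key + "Cert"] = datetime.strptime(own or eff, FMT)
        elif line.startswith("Alias") and section is not None:
            section["Alias"] = line.split(":", 1)[1].strip()
    return entries

def check_rollover(entries, now):
    """Return a list of problems with the upcoming root; empty means consistent."""
    cur, nxt = entries.get("current"), entries.get("upcoming")
    if not cur or not nxt:
        return ["no current/upcoming root pair found"]
    problems = []
    if nxt["NotBefore"] <= datetime.strptime(now, FMT):
        problems.append("upcoming root is already effective")
    if nxt["NotBefore"] > cur["NotAfter"]:
        problems.append("gap between current NotAfter and upcoming NotBefore")
    if nxt["NotBefore"] < nxt["NotBeforeCert"] or nxt["NotAfter"] > nxt["NotAfterCert"]:
        problems.append("alias window lies outside the certificate's own validity")
    return problems
```

`check_rollover(parse_alias_listing(listing), "2017-12-07 22:42:00")` returns an empty list for the listing above; the second argument is the reference time in the same format the listing uses.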