Hello Roni,

I think you are mixing up some terms - please consider reading up on some PKI basics on what a root cert is, how certificate chains work and the functionality of SCEP. This is beyond the scope of this mailing list.

Oliver

On 08.12.2017 at 05:04, Roni Joseph wrote:
> Thanks Oliver. I will try this and let you know. Couple of clarifications.
>
> >> To configure the certificate for getnextca, you must add a root-certificate with a future notbefore date. First, import your new root
> >>     openxpkiadm certificate import --file rootca2.pem
>
> [Roni] When you say import new rootca cert, who is the issuer of this new rootca cert? The current rootca cert I have is the intermediate subca cert generated (openssl) while running sampleconfig.sh.
>
> Do we need to have the rollover RA cert, to get the future ID cert (GetNewCert)?
>
> For getcertinitial to work over scep, the router cert should be created via GUI, and in approved state?
>
> Any design guide on what format openxpki (scep) expects/responds for "GetNextCaCert" messages.
>
> Thanks,
> Roni
>
> On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <[email protected]> wrote:
>
>> Hi Roni,
>>
>> if you can get the RA/CA cert then the SCEP subsystem is working. I assume you mean GetCertInitial - this will only fetch an EXISTING certificate, to enroll for a new certificate you need to create a CSR on your local machine and send it to the PKI. An example using the sscep tool is provided on the quickstart page
>> http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service
>>
>> To configure the certificate for getnextca, you must add a root-certificate with a future notbefore date.
>>
>> First, import your new root
>>
>>     openxpkiadm certificate import --file rootca2.pem
>>
>> Then set a new alias in the root group with an administratively overridden notbefore date (you can omit this if the certificate has a notbefore date in the future itself)
>>
>>     openxpki alias --realm ca-one --identifier XXXX --token root --notbefore "2020-01-01 00:00:00"
>>
>> You can check the result with
>>
>>     openxpki alias --realm ca-one
>>
>> This should look like:
>>
>>     === root ca ===
>>     current root ca:
>>       Alias     : root-1
>>       Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
>>       NotBefore : 2015-10-02 09:26:28
>>       NotAfter  : 2020-10-01 09:26:28
>>     upcoming root ca:
>>       Alias     : root-2
>>       Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
>>       NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
>>       NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>>
>> Oliver
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
-- Protect your environment - close windows and adopt a penguin!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
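
The check described in the quoted reply (an upcoming root alias whose notbefore lies in the future), as an added example that is not part of the original thread and not OpenXPKI code. It parses the `openxpki alias --realm ca-one` listing quoted above; the one-field-per-line layout, the function names, the fixed `now` value and the no-gap check are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: the listing from the thread, one field per line (layout assumed).
SAMPLE = """\
=== root ca ===
current root ca:
  Alias     : root-1
  Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
  NotBefore : 2015-10-02 09:26:28
  NotAfter  : 2020-10-01 09:26:28
upcoming root ca:
  Alias     : root-2
  Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
  NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
  NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
"""
SECTION = re.compile(r"^\s*(current|upcoming) root ca:\s*$")
FIELD = re.compile(r"^\s*(Alias|Identifier|NotBefore|NotAfter)\s*:\s*(.+?)\s*$")

def parse_root_group(text):
    """Return {'current': {...}, 'upcoming': {...}}; dates use the first timestamp on the line."""
    entries, section = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("==="):
            section = None          # another token group begins
        elif (m := SECTION.match(line)):
            section = m.group(1)
            entries[section] = {}
        elif section and (m := FIELD.match(line)):
            key, value = m.groups()
            if key.startswith("Not"):
                value = datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")
            entries[section][key] = value
    return entries

def check_rollover(entries, now):
    """Return a list of problems with the root rollover setup (empty list = OK)."""
    cur, nxt = entries.get("current"), entries.get("upcoming")
    if not cur or not nxt:
        return ["missing current or upcoming root ca alias"]
    problems = []
    if nxt["NotBefore"] <= now:
        problems.append("upcoming root NotBefore is not in the future")
    if nxt["NotBefore"] > cur["NotAfter"]:      # added sanity check, not from the thread
        problems.append("gap between current NotAfter and upcoming NotBefore")
    return problems

if __name__ == "__main__":
    print(check_rollover(parse_root_group(SAMPLE), datetime(2017, 12, 8)) or "rollover OK")
```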
