Hi,

I am trying to configure the certificate for getnextca.

I am running the script file and I have generated files like root 2, signer 2,
vault 2, scep 2.

After that I am adding all certificates to the future notbefore date.
Next, I am importing my new root like
openxpkiadm certificate import --file root 2.pem

Then I am setting the new alias like

openxpki alias --realm ca-one --identifier XXXX --token root 2 --notbefore
"2020-01-01 00:00:00"

While checking the result with

openxpki alias --realm ca-one

This should look like:

=== root ca ===
current root ca:
   Alias     : root-1
   Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
   NotBefore : 2015-10-02 09:26:28
   NotAfter  : 2020-10-01 09:26:28

upcoming root ca:
   Alias     : root-2
   Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
   NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
   NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)


But the problem is that while I am trying to invoke the command getnextCA I am
getting only the root 2 CA certificate.

I am not able to get the Intermediate CA. Do I need to change any other
configurations to get the full trust chain certificates for getnextCA?


Thanks,

pratik

________________________________
From: Oliver Welter <[email protected]>
Sent: Friday, December 8, 2017 2:27:23 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Openxpki server scep support

Hello Roni,

I think you are mixing up some terms - please consider reading up on some
PKI basics on what a root cert is, how certificate chains work and the
functionality of SCEP. This is beyond the scope of this mailing list.

Oliver

Am 08.12.2017 um 05:04 schrieb Roni Joseph:
> Thanks Oliver. I will try this and let you know. Couple of clarifications.
>
>  >>
> To configure the certificate for getnextca, you must add a
> root-certificate with a future notbefore date. First, import your new root
>
> openxpkiadm certificate import --file rootca2.pem
>
>    [Roni] When you say import new rootca cert, who is the issuer of this
> new rootca cert? The current rootca cert I have is the intermediate
> subca cert generated (openssl) while running sampleconfig.sh.
>    Do we need to have the rollover RA cert, to get the future ID cert
> (GetNewCert)?
>   For getcertinitial to work over scep, the router cert should be created
> via GUI, and in approved state?
> Any design guide on what format openxpki (scep) expects/responds for
> "GetNextCaCert" messages?
>
> Thanks,
> Roni
>
> On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <[email protected]
> <mailto:[email protected]>> wrote:
>
>     Hi Roni,
>
>     if you can get the RA/CA cert then the SCEP subsystem is working. I
>     assume you mean GetCertInitial - this will only fetch an EXISTING
>     certificate, to enroll for a new certificate you need to create a
>     CSR on your local machine and send it to the PKI. An example using
>     the sscep tool is provided on the quickstart page
>     http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service
>
>     To configure the certificate for getnextca, you must add a
>     root-certificate with a future notbefore date. First, import your
>     new root
>
>     openxpkiadm certificate import --file rootca2.pem
>
>     Then set a new alias in the root group with an administratively
>     overridden notbefore date (you can omit this if the certificate has a
>     notbefore date in the future itself)
>
>     openxpki alias --realm ca-one --identifier XXXX --token root
>     --notbefore "2020-01-01 00:00:00"
>
>     You can check the result with
>
>     openxpki alias --realm ca-one
>
>     This should look like:
>
>     === root ca ===
>     current root ca:
>        Alias     : root-1
>        Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
>        NotBefore : 2015-10-02 09:26:28
>        NotAfter  : 2020-10-01 09:26:28
>
>     upcoming root ca:
>        Alias     : root-2
>        Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
>        NotBefore : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
>        NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>
>     Oliver
>     --
>     Protect your environment -  close windows and adopt a penguin!
>
>
>     
> ------------------------------------------------------------------------------
>     Check out the vibrant tech community on one of the world's most
>     engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>     _______________________________________________
>     OpenXPKI-users mailing list
>     [email protected]
>     <mailto:[email protected]>
>     https://lists.sourceforge.net/lists/listinfo/openxpki-users
>     <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>


--
Protect your environment -  close windows and adopt a penguin!
