As I am trying to enable the CA rollover on OpenXPKI.
1) a) Mainly, OpenXPKI has the SCEP feature and I am trying to generate the
certificates like
ca-one-scep-1.crt, ca-one-vault-1.crt, ca-root-1.crt, ca-one-signer-1.crt
Generally, among these, ca-root-1.crt is the root CA certificate and
ca-one-signer-1.crt is the intermediate certificate.
While I am attempting to invoke the getca command I get three certificates like
ca-one-scep-1.crt 0 cert
ca-root-1.crt 1 cert
ca-one-signer-1.crt 2 cert
b) After that I have been generating the certificates like
ca-one-scep-2.crt, ca-one-vault-2.crt, ca-root-2.crt, ca-one-signer-2.crt
Generally, among these, ca-root-2.crt is the root CA certificate and
ca-one-signer-2.crt is the intermediate certificate,
and I am updating the certs' notbefore and notafter to the valid time like
openxpkiadm alias --update --realm ca-one --alias ca-one-scep-2 --notbefore "2018-01-01:00:00:00"
While we are attempting to invoke the GETNEXTCA command we get only the Root CA
certificate (meaning I am getting only one certificate, not the full trusted
chain of certificates).
Note:
Any idea what I could have done wrong? And what further steps do I need to follow
up?
Thanks & Regards,
Pratik
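As an added example (not part of this thread and not OpenXPKI's own code), a small Python check that parses the `openxpki alias --realm ca-one` listing quoted further down and reports which root alias is current or upcoming at a given time, whether the rollover leaves a gap with no valid root, and whether an administratively overridden notbefore/notafter still lies inside the certificate's own validity. The sample listing is constructed from the one in the thread, and the field layout it assumes (label, colon, alias date, certificate date in brackets) is the one shown there.

```python
# Added example, not OpenXPKI code: parse `openxpki alias` output and check the root rollover.
import re
from datetime import datetime
DATE_FMT = "%Y-%m-%d %H:%M:%S"
# "NotBefore: <alias date> (<certificate's own date>)"; the bracketed part is optional
FIELD_RE = re.compile(r"^\s*(Alias|Identifier|NotBefore|NotAfter)\s*:\s*(\S+(?: \S+)?)(?:\s*\(([^)]+)\))?")
# Constructed sample in the shape of the listing quoted in this thread.
ALIAS_LISTING = """\
current root ca:
   Alias      : root-1
   Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
   NotBefore: 2015-10-02 09:26:28
   NotAfter  : 2020-10-01 09:26:28

upcoming root ca:
   Alias      : root-2
   Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
   NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
   NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
"""

def parse_alias_listing(text):
    """{group: entry}; NotBefore/NotAfter are the alias (override) dates,
    cert_NotBefore/cert_NotAfter the certificate's own dates."""
    entries, cur = {}, None
    for line in text.splitlines():
        if line.endswith(" root ca:"):            # "current root ca:" / "upcoming root ca:"
            cur = entries.setdefault(line.split()[0], {})
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, val, cert_val = m.groups()
            if key in ("NotBefore", "NotAfter"):
                cur[key] = datetime.strptime(val, DATE_FMT)
                cur["cert_" + key] = datetime.strptime(cert_val or val, DATE_FMT)
            else:
                cur[key] = val
    return entries

def status_at(entry, now):
    if now < entry["NotBefore"]:
        return "upcoming"
    return "current" if now < entry["NotAfter"] else "expired"

def check_rollover(text, now_str):
    """Status per group at now_str, rollover gap in seconds (> 0 = no valid root) and override sanity."""
    entries, now = parse_alias_listing(text), datetime.strptime(now_str, DATE_FMT)
    cur, nxt = entries["current"], entries["upcoming"]
    return {"status": {g: status_at(e, now) for g, e in entries.items()},
            "gap_seconds": (nxt["NotBefore"] - cur["NotAfter"]).total_seconds(),
            "overrides_ok": all(e["cert_NotBefore"] <= e["NotBefore"] <= e["NotAfter"] <= e["cert_NotAfter"]
                                for e in entries.values())}
```

On the quoted listing the upcoming alias starts three seconds before the current one expires, so the check reports a small overlap rather than a gap.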


________________________________
From: Oliver Welter <[email protected]>
Sent: Thursday, December 14, 2017 2:31:40 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Openxpki server scep support

Hello Pratik,

getnextca currently just delivers the upcoming root and does not handle
upcoming RA certificates. We are working on a SCEP refactoring and will
implement such a functionality likely with this rework, for the moment
there is no configurable way to send the RA certs along.

Oliver


On 11.12.2017 at 10:17, Pratheesh Lawrence (UST, MYS) wrote:
> Hi,
>
>
> As I am trying to configure the certificate for getnextca,
>
> I am running the script file and I have generated files like root 2,
> signer 2, vault 2, scep 2
>
> after that I am adding all certificates with the future notbefore date.
> Next, importing my new root like
> openxpkiadm certificate import --file root 2.pem
>
> Then I am setting the new alias like
>
>
> openxpki alias --realm ca-one --identifier XXXX --token root 2 --notbefore
> "2020-01-01 00:00:00"
>
> while checking the result with
>
> openxpki alias --realm ca-one
>
> This should look like:
>
> === root ca ===
> current root ca:
>     Alias      : root-1
>     Identifier : 9p_FxU-wdTaciZD5lcOIiP-CLxk
>     NotBefore  : 2015-10-02 09:26:28
>     NotAfter   : 2020-10-01 09:26:28
>
> upcoming root ca:
>     Alias      : root-2
>     Identifier : Als6THNt9jedxlF5AD0P5a4bhjY
>     NotBefore  : 2020-10-01 09:26:25 (2006-11-03 07:00:58)
>     NotAfter   : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>
>
> But the problem is, while I am trying to invoke the command getnextCA I am
> getting only the root 2 CA certificate.
>
> I am not able to get the Intermediate CA. May I need to change any other
> configurations to get full trust chain certificates for getnextCA?
>
>
> Thanks,
>
> pratik
>
> ------------------------------------------------------------------------
> *From:* Oliver Welter <[email protected]>
> *Sent:* Friday, December 8, 2017 2:27:23 AM
> *To:* [email protected]
> *Subject:* Re: [OpenXPKI-users] Openxpki server scep support
> Hello Roni,
>
> I think you are mixing up some terms - please consider to read up some
> PKI basics on what a root cert is, how certificate chains work and the
> functionality of SCEP. This is beyond the scope of this mailinglist.
>
> Oliver
>
> On 08.12.2017 at 05:04, Roni Joseph wrote:
>> Thanks Oliver. I will try this and let you know. A couple of clarifications.
>>
>> To configure the certificate for getnextca, you must add a
>> root-certificate with a future notbefore date. First, import your new root
>>
>> openxpkiadm certificate import --file rootca2.pem
>>
>>    [Roni] When you say import new rootca cert, who is the issuer of this
>> new rootca cert? The current rootca cert I have is the intermediate
>> subca cert generated (openssl) while running sampleconfig.sh.
>>    Do we need to have the rollover RA cert to get the future ID cert
>> (GetNewCert)?
>>    For getcertinitial to work over SCEP, should the router cert be created
>> via GUI and be in approved state?
>>    Any design guide on what format openxpki (scep) expects/responds for
>> "GetNextCaCert" messages?
>>
>> Thanks,
>> Roni
>>
>> On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>     Hi Roni,
>>
>>     if you can get the RA/CA cert then the SCEP subsystem is working. I
>>     assume you mean GetCertInitial - this will only fetch an EXISTING
>>     certificate, to enroll for a new certificate you need to create a
>>     CSR on your local machine and send it to the PKI. An example using
>>     the sscep tool is provided on the quickstart page
>>
>>     http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service
>>
>>     To configure the certificate for getnextca, you must add a
>>     root-certificate with a future notbefore date. First, import your
>>     new root
>>
>>     openxpkiadm certificate import --file rootca2.pem
>>
>>     Then set a new alias in the root group with an administratively
>>     overridden notbefore date (you can omit this if the certificate has a
>>     notbefore date in the future itself)
>>
>>     openxpki alias --realm ca-one --identifier XXXX --token root
>>     --notbefore "2020-01-01 00:00:00"
>>
>>     You can check the result with
>>
>>     openxpki alias --realm ca-one
>>
>>     This should look like:
>>
>>     === root ca ===
>>     current root ca:
>>        Alias      : root-1
>>        Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
>>        NotBefore: 2015-10-02 09:26:28
>>        NotAfter  : 2020-10-01 09:26:28
>>
>>     upcoming root ca:
>>        Alias      : root-2
>>        Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
>>        NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
>>        NotAfter  : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>>
>>     Oliver
>>     --
>>     Protect your environment -  close windows and adopt a penguin!
>>
>>
>>     
>> ------------------------------------------------------------------------------
>>     Check out the vibrant tech community on one of the world's most
>>     engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>     _______________________________________________
>>     OpenXPKI-users mailing list
>>     [email protected]
>>     https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>>
>>
>>
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
>
>
>


--
Protect your environment -  close windows and adopt a penguin!

