Hello All,
I'm having an issue running Cert Nanny (sscep getcrl). I'm not sure this
completely explains my issue, but it's an issue: when pulling the SCEP RA
certificate data from the DB, the query sent from OpenXPKI looks for an
issuer_dn == SCEP RA when it should be the Issuing CA.

*SSCEP:*

> sscep: reply message type is good
> sscep: finding attribute senderNonce
> sscep: allocating 16 bytes for attribute
> sscep: senderNonce in reply: FEE5060C8F47BD4A0AF387868316CC1D
> sscep: finding attribute recipientNonce
> sscep: allocating 16 bytes for attribute
> sscep: recipientNonce in reply: 93793464487352319258088363FFF58D
> sscep: finding attribute pkiStatus
> sscep: allocating 1 bytes for attribute
> sscep: pkistatus: FAILURE
> sscep: finding attribute failInfo
> sscep: allocating 1 bytes for attribute
> sscep: reason: No certificate could be identified matching

*OpenXPKI:*

> 2018/07/20 08:55:08 openxpki.application.ERROR SCEP getcrl - no issuer
> found for serial 2 and issuer CN=OpenXPKI CA-One SCEP RA
> 1,DC=ca-one,DC=openxpki,DC=net [pid=29270|sid=sW9V]

*MySQL:*

> SELECT alias FROM aliases WHERE ( ( group_id = 'ca-one-scep' AND notafter
> > '1532102108' AND notbefore < '1532102108' AND pki_realm = 'ca-one' ) )
> ORDER BY notbefore DESC

Returns "ca-one-scep-1"

mysql> SELECT * FROM aliases;
+-----------------------------+-----------+-----------------+---------------+------------+------------+------------+
| identifier                  | pki_realm | alias           | group_id      | generation | notafter   | notbefore  |
+-----------------------------+-----------+-----------------+---------------+------------+------------+------------+
| __PMgjJeHDX0PYWgXIojjl0ognw | ca-one    | ca-one-scep-1   | ca-one-scep   |          1 | 1690040812 | 1532101612 |
| BPwX0U6xMoBe-xlHPVsdt4SUoS4 | ca-one    | ca-one-signer-1 | ca-one-signer |          1 | 1690040809 | 1532101609 |
| aZd1f6Zva4P8xo6ueiZlecp440o | ca-one    | ca-one-vault-1  | ca-one-vault  |          1 | 1847893610 | 1532101610 |
| z272hTFvtOTvnSFQoIfPQEYWJM8 | ca-one    | root-1          | root          |          1 | 1847893606 | 1532101606 |
+-----------------------------+-----------+-----------------+---------------+------------+------------+------------+

> SELECT data FROM secret WHERE ( ( group_id = 'default' AND pki_realm =
> 'ca-one' ) )

Returns an empty row.
There's no group_id 'default'. On my customized build this table was
populated; on my fresh default build it's empty.

> SELECT certificate.data, certificate.subject, certificate.identifier,
> certificate.notbefore, certificate.notafter FROM certificate INNER JOIN
> aliases ON ( certificate.identifier = aliases.identifier ) WHERE ( (
> aliases.alias = 'ca-one-scep-1' AND aliases.pki_realm = 'ca-one' ) )

Returns SCEP RA certificate data.

mysql> SELECT certificate.subject, certificate.identifier, aliases.alias
FROM certificate INNER JOIN aliases ON ( certificate.identifier =
aliases.identifier );
+-------------------------------------------------------------+-----------------------------+-----------------+
| subject                                                     | identifier                  | alias           |
+-------------------------------------------------------------+-----------------------------+-----------------+
| CN=OpenXPKI CA-One SCEP RA 1,DC=ca-one,DC=openxpki,DC=net   | __PMgjJeHDX0PYWgXIojjl0ognw | ca-one-scep-1   |
| CN=OpenXPKI Issuing CA 1,DC=ca-one,DC=openxpki,DC=net       | BPwX0U6xMoBe-xlHPVsdt4SUoS4 | ca-one-signer-1 |
| CN=OpenXPKI CA-One DataVault,DC=OpenXPKI Internal,DC=ca-one | aZd1f6Zva4P8xo6ueiZlecp440o | ca-one-vault-1  |
| CN=OpenXPKI CA-One Root CA 1                                | z272hTFvtOTvnSFQoIfPQEYWJM8 | root-1          |
+-------------------------------------------------------------+-----------------------------+-----------------+

> SELECT certificate.* FROM certificate WHERE ( ( certificate.cert_key = '2' AND
> certificate.issuer_dn LIKE 'CN=OpenXPKI CA-One SCEP RA
> 1,DC=ca-one,DC=openxpki,DC=net' ) ) ORDER BY certificate.cert_key DESC

Returns an empty row.
Replacing the SCEP RA CN with the Issuing CN in the sql query returns the
SCEP RA certificate data.

mysql> SELECT certificate.subject,certificate.issuer_dn,certificate.cert_key
FROM certificate;
+--------------------------------------------------------------------------------+-------------------------------+------------------------+
| subject                                                                        | issuer_dn                     | cert_key               |
+--------------------------------------------------------------------------------+-------------------------------+------------------------+
| CN=OpenXPKI CA-One DataVault,DC=OpenXPKI Internal,DC=ca-one,DC=openxpki,DC=net | CN=OpenXPKI CA-One DataVault  |   18427421103479397959 |
| CN=OpenXPKI CA-One SCEP RA 1,DC=ca-one,DC=openxpki,DC=net                      | CN=OpenXPKI Issuing CA 1      |                      2 |
| CN=172.16.0.3,DC=Test Deployment,DC=OpenXPKI,DC=org                            | CN=OpenXPKI Issuing CA 1      | 9441685228882882960123 |
| CN=OpenXPKI Issuing CA 1                                                       | CN=OpenXPKI CA-One Root CA 1  |                      1 |
| CN=OpenXPKI CA-One Root CA 1                                                   | CN=OpenXPKI CA-One Root CA 1  |   10457913568878744676 |
+--------------------------------------------------------------------------------+-------------------------------+------------------------+

Shouldn't the SCEP RA be the signer for certificates generated via SCEP? The
client certificate created via SCEP is signed by the Issuing CA, not
the SCEP RA.
I'm confused.

Kind Regards,
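
An added illustration, not code from the post or from OpenXPKI: an in-memory sqlite3 model of the aliases and certificate tables shown above (rows constructed from the post; the full issuer DNs and the client certificate's identifier are assumptions). It shows that a lookup keyed on serial 2 plus the RA's own subject as issuer_dn finds nothing, while resolving the RA alias to its certificate and using that certificate's issuer_dn does.

```python
import sqlite3

# Rows constructed from the post's tables (not an OpenXPKI export); the full
# issuer DNs and the client cert identifier are assumptions.
REALM = "ca-one"
ISSUING_CA_DN = "CN=OpenXPKI Issuing CA 1,DC=ca-one,DC=openxpki,DC=net"
SCEP_RA_DN = "CN=OpenXPKI CA-One SCEP RA 1,DC=ca-one,DC=openxpki,DC=net"
ROOT_DN = "CN=OpenXPKI CA-One Root CA 1,DC=ca-one,DC=openxpki,DC=net"
CLIENT_DN = "CN=172.16.0.3,DC=Test Deployment,DC=OpenXPKI,DC=org"
ALIASES = [  # (identifier, pki_realm, alias, group_id)
    ("__PMgjJeHDX0PYWgXIojjl0ognw", REALM, "ca-one-scep-1", "ca-one-scep"),
    ("BPwX0U6xMoBe-xlHPVsdt4SUoS4", REALM, "ca-one-signer-1", "ca-one-signer"),
]
CERTS = [  # (identifier, subject, issuer_dn, cert_key)
    ("__PMgjJeHDX0PYWgXIojjl0ognw", SCEP_RA_DN, ISSUING_CA_DN, "2"),
    ("BPwX0U6xMoBe-xlHPVsdt4SUoS4", ISSUING_CA_DN, ROOT_DN, "1"),
    ("constructed-client-identifier", CLIENT_DN, ISSUING_CA_DN,
     "9441685228882882960123"),
]

def build_db():
    """In-memory stand-in for the two OpenXPKI tables used by the getcrl lookup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE aliases (identifier, pki_realm, alias, group_id);"
        "CREATE TABLE certificate (identifier, subject, issuer_dn, cert_key);")
    conn.executemany("INSERT INTO aliases VALUES (?,?,?,?)", ALIASES)
    conn.executemany("INSERT INTO certificate VALUES (?,?,?,?)", CERTS)
    return conn

def find_by_issuer(conn, cert_key, issuer_dn):
    """The lookup behind the error log: (serial, issuer DN) -> subject or None."""
    row = conn.execute(
        "SELECT subject FROM certificate WHERE cert_key = ? AND issuer_dn = ?",
        (cert_key, issuer_dn)).fetchone()
    return row[0] if row else None

def issuer_of_alias(conn, alias, realm):
    """Walk alias -> certificate and return that certificate's own issuer_dn."""
    row = conn.execute(
        "SELECT c.issuer_dn FROM certificate c JOIN aliases a "
        "ON c.identifier = a.identifier WHERE a.alias = ? AND a.pki_realm = ?",
        (alias, realm)).fetchone()
    return row[0] if row else None

def lookup_ra_cert(conn, ra_alias, realm, cert_key):
    """Resolve the RA alias to its issuer first, then search the serial under it."""
    issuer = issuer_of_alias(conn, ra_alias, realm)
    return find_by_issuer(conn, cert_key, issuer) if issuer else None
```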
