Hi Christopher,

sscep just assumes that there is only one CA and uses the issuer/serial information from the SCEP RA certificate to request the CRL. This obviously does not work if you have a SCEP service where the SCEP signer is signed by a different CA.

The correct approach would be to ask for the issuer and serial or the "client" certificate to query the CRL for on the command line and embed this information.

> Shouldn't the SCEP RA be the signer for certificates generated
> via SCEP? The client certificate created via SCEP is signed by
> the Issuing CA not the SCEP RA. I'm confused..

No - the role of the SCEP RA certificate can be compared to the TLS certificate of your Webserver, it's just there to provide authentication and integrity/confidentiality.

Oliver

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
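An added example, not part of the original thread and not sscep or OpenXPKI code: it builds a constructed two-CA layout with openssl and compares the issuer read from the SCEP RA certificate with the issuer of the client certificate, which is the mismatch the reply describes. All names, serial numbers and file names are made up for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up for this example):
#   "Demo Issuing CA" signs the client certificate,
#   "Demo RA CA"      signs the SCEP RA certificate.
set -e

new_ca() {   # new_ca <dir> <name> <CN>: self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

new_leaf() { # new_leaf <dir> <name> <CN> <ca-name> <serial>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -set_serial "$5" -days 1 -out "$1/$2.crt" 2>/dev/null
}

issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
serial_of()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# A CRL covering a certificate is published by that certificate's issuer, so
# the lookup must be keyed on the issuer of the certificate being checked.
crl_key_matches() { # crl_key_matches <cert-used-for-query> <cert-to-check>
    [ "$(issuer_of "$1")" = "$(issuer_of "$2")" ]
}

demo=$(mktemp -d)
new_ca   "$demo" issuing "Demo Issuing CA"
new_ca   "$demo" raca    "Demo RA CA"
new_leaf "$demo" ra      "Demo SCEP RA" raca    4097   # serial 0x1001
new_leaf "$demo" client  "Demo Client"  issuing 4660   # serial 0x1234

echo "from RA cert:     issuer=$(issuer_of "$demo/ra.crt") serial=$(serial_of "$demo/ra.crt")"
echo "from client cert: issuer=$(issuer_of "$demo/client.crt") serial=$(serial_of "$demo/client.crt")"
if crl_key_matches "$demo/ra.crt" "$demo/client.crt"; then
    echo "RA-derived issuer matches the client's issuer"
else
    echo "RA-derived issuer names the wrong CA for the client's CRL"
fi
```

In a single-CA setup, where the RA certificate and the client certificate share an issuer, `crl_key_matches` succeeds, which is the only case the assumption described above covers.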
