Thanks Martin. I opened an issue (https://github.com/openxpki/openxpki/issues/654). As I have new tasks to do, I cannot evaluate libscep mode yet. Maybe I will evaluate it in the future.
Regards
Sebastian

-----Original Message-----
From: Martin Bartosch <[email protected]>
Sent: Monday, 30 July 2018 13:26
To: Tim Korves via OpenXPKI-users <[email protected]>
Subject: Re: [OpenXPKI-users] SCEP: GetNextCA with SSCEP tool

Hi Sebastian,

> Hi. I'm currently evaluating openxpki PKI for my company. We want to use the
> certificate enrollment via SCEP and we have the requirement to change the
> RootCA certificate chain (RootCA, IssuerCA and also SCEPCA).
>
> For test purposes I'm using the sscep client and executing the getnextca
> command. Openxpki is configured with an upcoming RootCA. Sscep is retrieving
> the answer and then it's segfaulting. After debugging the sscep client I
> found out that the ASN.1 parsing of the retrieved PEM failed (and that sscep
> does not handle this correctly, of course 😊). I am using OpenSSL in version
> 1.0.2g. After rolling back to OpenSSL version 1.0.1e the parsing works and
> the NextCA certificate is stored. An article I found
> (https://github.com/saltstack/salt/issues/27326) indicates that the parsing
> of ASN.1 encoded certificates is more strict in newer OpenSSL versions. Now I
> have the following questions:
>
> • Can anybody confirm that openxpki (Version (core): 1.20.2) is
> generating incomplete cert files with the getnextca scep command?
> • If it is an openxpki bug, is there a date when it got fixed?

"Unfortunately" we have not experienced this problem yet. We have been running OpenXPKI/SCEP with the GETNEXTCA feature within a large installation successfully for some time now without any issues, in particular not the one you reported. This is interesting news to us because it indicates that there is likely a problem in the SCEP server backend we are currently using. It would help us greatly if you could open a Github ticket with some description of how to reproduce. I would also appreciate it if you could provide us with the broken certificate so we can have a look ourselves.

That said, we are currently actively working on completely replacing the old SCEP server side backend in OpenXPKI with a more modern solution based on LibSCEP: https://github.com/openxpki/libscep

The code is already upstream but it is not enabled by default. The reason is that during our tests we encountered some problems within LibSCEP itself when processing certain requests. This is likely not a problem for the majority of installations but we want to fix those errors before we can make the LibSCEP backend the default to assure stability of existing installations.

If you want to give it a try (for testing only), build and install the LibSCEP shared lib manually. Also build and install the Perl module (src/clients/perl/Crypt-LibSCEP). Unfortunately we have not created official packages for LibSCEP yet.

Finally do a case insensitive search for "libscep" in the sample configuration of OpenXPKI. You will find three places where it is referenced (commented out). You need to switch from SCEP to LibSCEP in the OpenXPKI configuration to enable the new service. It should be obvious how to do this. Please note that only one of the old SCEP and the new LibSCEP backends can be enabled at any one time; it is not possible to run them concurrently.

Once you are done, restart the OpenXPKI daemon and retry your tests.

Hope this helps. We would appreciate feedback on your test results, of course!

Best regards
Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
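A defender-side check for the GetNextCA problem discussed above, added here as an example that is not part of the thread, of OpenXPKI, of sscep or of LibSCEP: it walks the DER structure of a certificate a GetNextCA client stored and reports the kind of defect (truncated content, BER-style indefinite or non-minimal lengths) that a stricter OpenSSL rejects, so a malformed response can be flagged before a lenient client trips over it. The DER and PEM sample values are constructed stand-ins, not a certificate from the thread.

```python
import base64
import re

GOOD_DER = bytes.fromhex("300702010104026162")  # constructed: SEQUENCE { INTEGER 1, OCTET STRING "ab" }
TRUNCATED_DER = GOOD_DER[:-1]                       # last content byte missing
LONGFORM_DER = bytes.fromhex("30810702010104026162")  # length 7 in long form: BER, not DER
GOOD_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(GOOD_DER).decode()


def _read_header(buf, pos, end):
    """Parse one tag+length at pos; return (constructed, content_start, content_end) or raise."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError(f"indefinite length at offset {pos - 1} (BER, not DER)")
    length = first
    if first > 0x80:                                # long form: next n bytes hold the length
        n = first & 0x7F
        if pos + n > end:
            raise ValueError(f"truncated length field at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError(f"non-minimal length encoding at offset {pos - 1}")
        pos += n
    if pos + length > end:
        raise ValueError(f"element at offset {pos} needs {length} bytes, only {end - pos} left")
    return bool(tag & 0x20), pos, pos + length


def count_der_elements(buf, start=0, end=None):
    """Walk the TLV tree strictly (recursing into constructed types); return the element count."""
    end = len(buf) if end is None else end
    count, pos = 0, start
    while pos < end:
        constructed, c_start, c_end = _read_header(buf, pos, end)
        count += 1
        if constructed:
            count += count_der_elements(buf, c_start, c_end)
        pos = c_end
    return count


def check_cert_pem(pem):
    """Decode the first PEM block strictly and return (ok, detail) for its DER structure."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        return False, "no PEM block found"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        return True, f"{count_der_elements(der)} DER elements, structure complete"
    except ValueError as e:                         # raised by b64decode and by the walker
        return False, str(e)
```

This only checks encoding well-formedness, not X.509 semantics or the chain; a file that passes here but still fails in OpenSSL points at a content problem rather than a truncated or BER-encoded blob.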
