Hi,

> something I have seen just now.
> After receiving the certificate sscep complains (correctly) about the
> following:
>
> ....
> sscep: PKCS#7 payload size: 1927 bytes
> write_local_cert(): found 1 cert(s)
> sscep: found certificate with
> subject: '/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0'
> issuer: /CN=example-corp 2018-10 Issuing-CA
> request_subject: '/DC=Test Deployment.OpenXPKI.org/CN=c0e6458188af0'
> X509_NAME_cmp() workaround: strcmp request subject (/DC=Test
> Deployment.OpenXPKI.org/CN=c0e6458188af0) to cert subject
> (/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0)
> sscep: Subject of our request does not match that of the returned Certificate!
> sscep: certificate written as /tmp/scep/scep-test.crt

Yes, this is to be expected with sscep. The tool originally (back in 2005) expected that the returned certificate contains a subject identical to the CSR subject and bailed out if that was not the case.

This assumption is incorrect: a decent CA will typically apply its end entity subject naming policy to incoming cert requests, which will likely result in a certificate with a different subject than supplied with the CSR.

There are two ways around that:

1. the client must create exactly the same subject that will be issued by the CA, anticipating the CA’s policy
2. the client should accept the returned certificate even if its subject does not match the CSR subject

The version of sscep you are using accepts the certificate regardless of the returned subject, but it still writes a warning about the mismatch. The warning can be ignored, of course.

cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
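
Added example, not part of the original post and not sscep code: the sketch below takes the two subject strings from the quoted log, parses OpenSSL's one-line form, and reports what the mismatch consists of. The function names and the rule that a dotted DC value is split into one DC per label are assumptions made for illustration, not the CA's documented policy.

```python
# Added example, not sscep code. Subjects are in OpenSSL's one-line form
# as printed in the log above: /TYPE=value/TYPE=value

def parse_oneline(name):
    """Return the name as a list of (type, value) pairs, in printed order."""
    name = name.strip().strip("'")
    if not name.startswith("/"):
        raise ValueError("not a one-line name: %r" % name)
    rdns = []
    for part in name[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            # The one-line form does not escape "/", so a value containing
            # one cannot be parsed reliably; refuse instead of guessing.
            raise ValueError("ambiguous component: %r" % part)
        rdns.append((attr, value))
    return rdns

def split_dotted_dc(rdns):
    """Assumed rule: one DC per dot-separated label, rightmost label first."""
    out = []
    for attr, value in rdns:
        if attr == "DC" and "." in value:
            out.extend(("DC", label) for label in reversed(value.split(".")))
        else:
            out.append((attr, value))
    return out

def classify_mismatch(request_subject, cert_subject):
    """Name the kind of difference between the CSR and certificate subjects."""
    req, cert = parse_oneline(request_subject), parse_oneline(cert_subject)
    if req == cert:
        return "identical"
    if split_dotted_dc(req) == split_dotted_dc(cert):
        return "dc-form-only"   # same labels, written as separate DC components
    cn = lambda rdns: [v for a, v in rdns if a == "CN"]
    if cn(req) == cn(cert):
        return "cn-kept"        # CA rewrote other components, CN untouched
    return "cn-changed"         # the identifying CN itself differs

# The two subjects from the log above.
REQUEST = "/DC=Test Deployment.OpenXPKI.org/CN=c0e6458188af0"
ISSUED = "/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0"

if __name__ == "__main__":
    print(classify_mismatch(REQUEST, ISSUED))
```

For the subjects in the log the result is "dc-form-only": the plain strcmp fails although both names carry the same DC labels and the same CN.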
