Hi, if I understand you correctly, you sign the CSR with a self-signed certificate that does not use the same key as the CSR? This is not supported by the default workflow - you can use the "signer on behalf" feature which requires to use a known certificate, otherwise you need to change the workflow.
See https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/scep.html Oliver Am 20.08.19 um 14:42 schrieb Kaushik Basu: > > > Hi, > > I’m facing a problem when trying to enrol on OPENXPKI with an existing > workflow for MS CA. > > Problem : > > 1. My component is working as an agent for cert enrolment. > 2. The caller is sending the CSR along w/ digital signature [PKCS #10], > over the Lan. > 3. For MS CA, I’m generating a new KeyPair, creating self-signed > certificate (with same subject identity) using that KeyPair and > sending the associated private key to enrol() along w/ received CSR > and self-signed certificate. > 4. Working fine for MS CA. > 5. The moment I started working on a requirement of providing support > for OPENXPKI, the same workflow is failing. > 6. Checked that if I use same KeyPair for both CSR and self-signed > certificate, it is working on OPENXPKI. > 7. So, to get it working on OPENXPKI, I need to get the private key > associated w/ CSR, from the caller/client over the Lan. > 8. But getting the private key from the caller/client over the Lan is > not acceptable. > > > > How to proceed now? > > Why the existing workflow is failing for OPENXPKI, but working for MS CA? > > Please help!_ > > > > Thanks, > > Kaushik Basu > * > O* +91 33 4020 4 <tel:%2B91%2033%204020%204813>444 > > *O* +91 33 4020 4 <tel:%2B91%2033%204020%204813>379 [Direct] > *M* +91 9433780575 > > > > > > _______________________________________________ > OpenXPKI-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/openxpki-users > -- Protect your environment - close windows and adopt a penguin!
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
