Hello Oliver,
Thanks a lot for your help. With your help, we finally got it working! There is a small thing bothering us a bit and we need your help again...

We have observed that if we use two CSRs generated using the same Key Pair, the cert we receive against the first CSR is resent for the request on the second CSR.

Queries:
1. Does that mean we need to send a different CSR generated from a different Key Pair for 'Renewal'?
2. Or is there some rule set at the server end which checks the validity of the currently issued cert and returns it 'as-is' if the new request does not meet the expiry rule?

If it is #2, no issue. But, if it is #1, is there any mechanism to enforce creation of a new certificate irrespective of the Key Pair which generated the CSR?

Thanks,
Kaushik

-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: 21 August 2019 11:29
To: [email protected]
Subject: Re: [OpenXPKI-users] SCEP enrollment failing on OPENXPKI

Hi,

if I understand you correctly, you sign the CSR with a self-signed certificate that does not use the same key as the CSR? This is not supported by the default workflow - you can use the "signer on behalf" feature which requires to use a known certificate, otherwise you need to change the workflow.

See https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/scep.html

Oliver

On 20.08.19 at 14:42, Kaushik Basu wrote:
> Hi,
>
> I'm facing a problem when trying to enrol on OPENXPKI with an existing workflow for MS CA.
>
> Problem:
>
> 1. My component is working as an agent for cert enrolment.
> 2. The caller is sending the CSR along w/ digital signature [PKCS #10], over the LAN.
> 3. For MS CA, I'm generating a new KeyPair, creating a self-signed certificate (with the same subject identity) using that KeyPair and sending the associated private key to enrol() along w/ the received CSR and self-signed certificate.
> 4. Working fine for MS CA.
> 5. The moment I started working on a requirement of providing support for OPENXPKI, the same workflow is failing.
> 6. Checked that if I use the same KeyPair for both CSR and self-signed certificate, it is working on OPENXPKI.
> 7. So, to get it working on OPENXPKI, I need to get the private key associated w/ the CSR from the caller/client over the LAN.
> 8. But getting the private key from the caller/client over the LAN is not acceptable.
>
> How to proceed now?
>
> Why is the existing workflow failing for OPENXPKI, but working for MS CA?
>
> Please help!
>
> Thanks,
>
> Kaushik Basu
> *O* +91 33 4020 4444
> *O* +91 33 4020 4379 [Direct]
> *M* +91 9433780575
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
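The following is an added example, not code from this thread or from OpenXPKI; it assumes an `openssl` command-line tool is installed. It builds two CSRs and a self-signed signer certificate from one key pair plus a third CSR from a fresh key pair, then compares the SHA-256 fingerprint of each SubjectPublicKeyInfo. This is what a CA or operator sees when deciding whether a request is a repeat of an already-issued certificate (same key) or a genuine renewal (new key), and it is also the check that the default-workflow requirement "signer certificate uses the same key as the CSR" boils down to.

```shell
#!/bin/sh
# Added example (not OpenXPKI code). Assumes the `openssl` CLI is present.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: key A signs two CSRs and a self-signed
# "signer" certificate; key B signs a third CSR, i.e. a real re-key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/keyA.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/keyB.pem" 2>/dev/null
openssl req -new -key "$WORK/keyA.pem" -subj "/CN=device01.example" -out "$WORK/csr1.pem" 2>/dev/null
openssl req -new -key "$WORK/keyA.pem" -subj "/CN=device01.example" -out "$WORK/csr2.pem" 2>/dev/null
openssl req -new -x509 -days 1 -key "$WORK/keyA.pem" -subj "/CN=device01.example" \
    -out "$WORK/signerA.pem" 2>/dev/null
openssl req -new -key "$WORK/keyB.pem" -subj "/CN=device01.example" -out "$WORK/csr3.pem" 2>/dev/null

# spki_fingerprint FILE KIND -> SHA-256 hex of the DER SubjectPublicKeyInfo.
# KIND is "csr" (PKCS#10) or "cert" (X.509). Both are reduced to the same
# DER encoding first, so a CSR and a certificate can be compared directly.
spki_fingerprint() {
    if [ "$2" = csr ]; then cmd=req; else cmd=x509; fi
    openssl "$cmd" -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# same_key FILE1 KIND1 FILE2 KIND2 -> exit 0 when both carry the same public key.
same_key() {
    [ "$(spki_fingerprint "$1" "$2")" = "$(spki_fingerprint "$3" "$4")" ]
}

# What a CA that keys its "already issued" lookup on the public key would conclude:
if same_key "$WORK/csr1.pem" csr "$WORK/csr2.pem" csr; then
    echo "csr2 reuses csr1's key: it looks like a repeat of the first request, not a re-key"
fi
if ! same_key "$WORK/csr1.pem" csr "$WORK/csr3.pem" csr; then
    echo "csr3 carries a new key: a renewal with key rollover"
fi
if same_key "$WORK/signerA.pem" cert "$WORK/csr1.pem" csr; then
    echo "signerA and csr1 share a key: the self-signed signer matches the request"
fi
```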
