Hello Oliver,

As I mentioned earlier, we got things working w/ your suggestion. Now, we are 
signing the CSR we are receiving from device with trusted certificate ('signer 
on behalf').

We are planning to use this trusted certificate for both 'Enrolment' and 
'Renewal' requests from the device, where the device will send the same CSR 
generated from the same key-pair.

As I understand, the SCEP Server/CA maintains a mapping where the public key of 
the CSR is mapped w/ the corresponding issued certificate. So, the SCEP Server/CA 
will check the 'Valid to' date/time field of the issued cert on each 'Renewal' 
request. If the 'Valid to' date/time is outside the scope of renewal (as per the 
rule set in the config file), the existing certificate will be returned. 
Otherwise, a new certificate will be issued w/ 'Valid from' set to the current 
date/time, and it will now be mapped against the public key for future reference.

Please validate my understanding.


Thanks,
Kaushik
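The renewal flow described in the message above, as an added Python model that is not OpenXPKI's own code and does not confirm how OpenXPKI actually behaves: it assumes a server-side table keyed by a hash of the CSR's SubjectPublicKeyInfo, a fixed certificate validity and a renewal window in days (both hypothetical config values), and it treats an already-expired certificate as eligible for renewal. The public-key bytes are constructed placeholders, not real DER.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import hashlib


@dataclass
class IssuedCert:
    """Record the server keeps for each certificate it has issued."""
    pubkey_fingerprint: str
    serial: int
    not_before: datetime   # 'Valid from'
    not_after: datetime    # 'Valid to'


def pubkey_fingerprint(spki_der: bytes) -> str:
    """Lookup key: SHA-256 over the (here: constructed) SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()


class ScepRenewalModel:
    """Hypothetical model of the enrol/renew decision keyed by CSR public key."""

    def __init__(self, validity_days: int, renewal_window_days: int):
        # Assumed config values: how long issued certs are valid, and how close
        # to 'Valid to' a request must be before a fresh cert is issued.
        self.validity = timedelta(days=validity_days)
        self.renewal_window = timedelta(days=renewal_window_days)
        self.by_pubkey: Dict[str, IssuedCert] = {}
        self._next_serial = 1

    def lookup(self, csr_spki_der: bytes) -> Optional[IssuedCert]:
        return self.by_pubkey.get(pubkey_fingerprint(csr_spki_der))

    def handle_request(self, csr_spki_der: bytes, now: datetime) -> Tuple[str, IssuedCert]:
        """Return (outcome, certificate) for a request carrying this CSR public key."""
        fp = pubkey_fingerprint(csr_spki_der)
        existing = self.by_pubkey.get(fp)
        if existing is None:
            # Unknown public key: initial enrolment.
            return ("enrolled", self._issue(fp, now))
        remaining = existing.not_after - now
        if remaining > self.renewal_window:
            # Still well inside its lifetime: hand back the existing cert unchanged.
            return ("existing_returned", existing)
        # Inside the renewal window (or already expired, 'remaining' negative):
        # issue a new cert with 'Valid from' = now and replace the mapping.
        return ("renewed", self._issue(fp, now))

    def _issue(self, fp: str, now: datetime) -> IssuedCert:
        cert = IssuedCert(fp, self._next_serial, now, now + self.validity)
        self._next_serial += 1
        self.by_pubkey[fp] = cert
        return cert


if __name__ == "__main__":
    model = ScepRenewalModel(validity_days=365, renewal_window_days=30)
    t0 = datetime(2019, 8, 21, tzinfo=timezone.utc)
    device_key = b"constructed-spki-bytes-for-device-1"   # placeholder, not real DER
    for day in (0, 100, 340):
        outcome, cert = model.handle_request(device_key, t0 + timedelta(days=day))
        print(f"day {day:>3}: {outcome:<17} serial={cert.serial} valid_to={cert.not_after.date()}")
```

The lookup deliberately ignores the CSR's subject and signer; under "signer on behalf" the authorisation question (is the signing certificate trusted?) is a separate check that runs before this decision, so the renewal logic only has to care about which public key the request is for.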

-----Original Message-----
From: Oliver Welter <[email protected]> 
Sent: 21 August 2019 11:29
To: [email protected]
Subject: Re: [OpenXPKI-users] SCEP enrollment failing on OPENXPKI

Hi,

if I understand you correctly, you sign the CSR with a self-signed certificate 
that does not use the same key as the CSR? This is not supported by the default 
workflow - you can use the "signer on behalf" feature, which requires the use of 
a known certificate; otherwise you need to change the workflow.

See
https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/scep.html

Oliver

On 20.08.19 at 14:42, Kaushik Basu wrote:
> 
> Hi,
> 
> I'm facing a problem when trying to enrol on OPENXPKI with an existing 
> workflow for MS CA.
> 
> Problem :
> 
>  1. My component is working as an agent for cert enrolment.
>  2. The caller is sending the CSR along w/ digital signature [PKCS #10],
>     over the Lan.
>  3. For MS CA, I'm generating a new KeyPair, creating self-signed
>     certificate (with same subject identity) using that KeyPair and
>     sending the associated private key to enrol() along w/ received CSR
>     and self-signed certificate.
>  4. Working fine for MS CA.
>  5. The moment I started working on a requirement of providing support
>     for OPENXPKI, the same workflow is failing.
>  6. Checked that if I use same KeyPair for both CSR and self-signed
>     certificate, it is working on OPENXPKI.
>  7. So, to get it working on OPENXPKI, I need to get the private key
>     associated w/ CSR, from the caller/client over the Lan.
>  8. But getting the private key from the caller/client over the Lan is
>     not acceptable.
> 
> How to proceed now?
> 
> Why is the existing workflow failing for OPENXPKI, but working for MS CA?
> 
> Please help!
> 
>  
> 
> Thanks,
> 
> Kaushik Basu
> *O*  +91 33 4020 4444
> 
> *O*  +91 33 4020 4379 [Direct]
> *M*  +91 9433780575
> 
>  
> 
> 
> 
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


--
Protect your environment -  close windows and adopt a penguin!


