Hello,

We would like to start with our existing workflow, the issue we are facing, and
then our queries, to get your help / suggestions.

Current enrolment workflow:

  1.  Get the CSR from device / printer.
  2.  Sign the CSR using a certificate qualified as 'Authorized Signer' for the given endpoint.
  3.  Get the certificate enrolled using SCEP protocol.
  4.  Push the certificate to the device / printer.
This workflow is working fine.

Renewal workflow:

  1.  Get the existing valid certificate & old CSR from device.
  2.  Sign the CSR using the existing certificate.
  3.  Invoke enrol() beyond the halfway point of the validity period.
  4.  Get the certificate renewed using SCEP protocol.
It works fine with MS CA, but it didn't work with OpenXPKI.

This appeared to us not in line with the SCEP RFC draft
[https://tools.ietf.org/html/draft-nourse-scep-23#appendix-D], which articulates:

An enrolment request that occurs more than halfway through the validity period 
of an existing certificate for the same subject name and key usage MAY be 
interpreted as a re-enrolment or renewal request and be accepted. A new 
certificate with new validity dates can be issued, even though the old one is 
still valid, if the CA policy permits. The server MAY automatically revoke the 
old client certificate. Clients MUST use GetCACaps (see Appendix C) to 
determine if the CA supports renewal.  Clients MUST support servers that do not 
implement renewal, or that reject renewal requests.

Our queries:

  1.  Why is this workflow not working for OpenXPKI?
  2.  How can we configure OpenXPKI to get the outcome articulated in Appendix D of the SCEP RFC?


Thanks,
Kaushik Basu

O  +91 33 4020 4444
O  +91 33 4020 4379 [Direct]
M  +91 9433780575

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

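As an added illustration (not the poster's code and not OpenXPKI's), the two client-side checks the quoted Appendix D text imposes before a renewal request is signed with the existing certificate: GetCACaps must advertise "Renewal", and the existing certificate must be past the halfway point of its validity. The GetCACaps body and the certificate dates below are constructed sample values; the parsing assumes the plain-text, one-keyword-per-line GetCACaps response of the SCEP draft.

```python
from datetime import datetime, timezone

# Constructed sample GetCACaps response (one capability keyword per line, CRLF).
SAMPLE_CACAPS = "POSTPKIOperation\r\nRenewal\r\nSHA-256\r\n"

# Constructed sample validity window of the device's existing certificate.
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_ca_caps(body: str) -> set:
    """Split a GetCACaps body into its capability keywords, dropping blank lines."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def supports_renewal(caps: set) -> bool:
    """Appendix D: clients MUST use GetCACaps to learn whether renewal is supported."""
    return "Renewal" in caps


def past_halfway(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """True once 'now' is beyond the midpoint of the certificate's validity period."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    halfway = not_before + (not_after - not_before) / 2
    return now > halfway


def renewal_decision(caps_body: str, not_before: datetime,
                     not_after: datetime, now: datetime) -> str:
    """Decide how the client should proceed: 'renew', 'too-early',
    'no-renewal-support' (fall back to a fresh enrolment, which clients MUST
    support), or 'expired' (the old certificate can no longer sign anything)."""
    if now >= not_after:
        return "expired"
    if not supports_renewal(parse_ca_caps(caps_body)):
        return "no-renewal-support"
    if not past_halfway(not_before, not_after, now):
        return "too-early"
    return "renew"


if __name__ == "__main__":
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    print(renewal_decision(SAMPLE_CACAPS, NOT_BEFORE, NOT_AFTER, now))
```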