Hi Kaushik,
Renewal in OpenXPKI works differently.
1) We do not allow key reuse by default, and the SCEP service uses the
so-called transaction id, which is usually the digest of the CSR, to
pick up existing workflows, so reusing the CSR needs some more work and we
strongly suggest creating new keys/CSRs when renewing.
2) The renewal period is not determined by the certificate lifetime but
as an absolute config value, see
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
Oliver
On 20.12.19 at 12:47, Kaushik Basu wrote:
Hello,
We would like to start with our existing workflow, the issue we are facing,
and then our queries, to get your help / suggestions.
Current enrolment workflow:
1. Get the CSR from device / printer.
2. Sign the CSR using a certificate qualified as ‘Authorized Signer’
for the given endpoint.
3. Get the certificate enrolled using SCEP protocol.
4. Push the certificate to the device / printer.
This workflow is working fine.
Renewal workflow:
1. Get the existing valid certificate & old CSR from device.
2. Sign the CSR using the existing certificate.
3. Invoke enrol() beyond the halfway point of the validity period.
4. Get the certificate renewed using SCEP protocol.
It is working fine for MS CA, but it didn't work for OpenXPKI.
This appeared to us not in line with the SCEP RFC
[https://tools.ietf.org/html/draft-nourse-scep-23#appendix-D], which
articulates:
"An enrolment request that occurs more than halfway through the
validity period of an existing certificate for the same subject name and
key usage MAY be interpreted as a re-enrolment or renewal request and be
accepted. A new certificate with new validity dates can be issued,
even though the old one is still valid, if the CA policy permits. The
server MAY automatically revoke the old client certificate. Clients MUST
use GetCACaps (see Appendix C) to determine if the CA supports renewal.
Clients MUST support servers that do not implement renewal, or that
reject renewal requests."
Our queries:
1. Why is this workflow not working for OpenXPKI?
2. How can we configure OpenXPKI to get the outcome articulated in
Appendix D of the SCEP RFC?
Thanks,
Kaushik Basu
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
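The two points in Oliver's reply (the transaction id being a digest of the CSR, and the renewal window being an absolute period rather than a fraction of the lifetime) are modelled below as an added illustration. This is not code from the thread, from OpenXPKI or from the SCEP draft; the digest algorithm, the 30-day renewal period, the certificate dates and the CSR byte strings are all constructed assumptions used to show why resubmitting the old CSR past the halfway point can land on the existing workflow and still fall outside the configured renewal window.

```python
"""Added example (not OpenXPKI code): SCEP renewal behaviour modelled
with constructed data.

1. The transaction id is a digest of the CSR, so the same CSR resolves
   to the workflow that already exists instead of starting a renewal.
2. The renewal window is an absolute period before expiry (assumed
   here to be 30 days), not "more than halfway through the validity".
"""
import hashlib
from datetime import datetime, timedelta, timezone

# --- constructed sample data (assumptions, not real certificates) -------
NOT_BEFORE = datetime(2019, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2021, 1, 1, tzinfo=timezone.utc)   # two-year cert
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)          # past the halfway point
RENEWAL_PERIOD = timedelta(days=30)                      # assumed config value
OLD_CSR = b"-----CONSTRUCTED CSR FOR printer-01 (original key)-----"
NEW_CSR = b"-----CONSTRUCTED CSR FOR printer-01 (fresh key)-----"


def transaction_id(csr_der: bytes) -> str:
    """Transaction id as a hex digest of the CSR bytes (SHA-256 assumed)."""
    return hashlib.sha256(csr_der).hexdigest()


def lookup_or_create(workflows: dict, csr_der: bytes):
    """Return (workflow_id, created).

    Mirrors the described pickup logic: a request whose transaction id is
    already known is attached to the existing workflow, so only a CSR with
    a new key (and therefore a new digest) starts a new one.
    """
    tid = transaction_id(csr_der)
    if tid in workflows:
        return workflows[tid], False
    wf_id = f"wf-{len(workflows) + 1}"
    workflows[tid] = wf_id
    return wf_id, True


def in_window_halfway(not_before: datetime, not_after: datetime,
                      now: datetime) -> bool:
    """Appendix D rule: a request past half the validity period is a renewal."""
    halfway = not_before + (not_after - not_before) / 2
    return halfway < now < not_after


def in_window_absolute(not_after: datetime, renewal_period: timedelta,
                       now: datetime) -> bool:
    """Absolute rule: renewal only within a fixed period before expiry."""
    return not_after - renewal_period <= now < not_after


def demo() -> dict:
    """Run both checks and the workflow pickup on the constructed data."""
    workflows = {}
    first = lookup_or_create(workflows, OLD_CSR)    # initial enrolment
    resub = lookup_or_create(workflows, OLD_CSR)    # renewal with old CSR
    fresh = lookup_or_create(workflows, NEW_CSR)    # renewal with new CSR
    return {
        "halfway_rule": in_window_halfway(NOT_BEFORE, NOT_AFTER, NOW),
        "absolute_rule": in_window_absolute(NOT_AFTER, RENEWAL_PERIOD, NOW),
        "first": first,
        "resubmitted_old_csr": resub,
        "fresh_csr": fresh,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two rules disagreeing for the same moment in time (the halfway rule accepts the request, the absolute rule does not, because expiry is still eleven months away) and the resubmitted CSR being attached to wf-1 rather than creating a renewal workflow, while the fresh CSR gets wf-2.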