Hi Oliver, To generate a new CSR, we need to delete the existing certificate on the device / printer. So, we tried out the following workflow :
1. Delete existing certificate on the device. 2. Get the newly generated CSR from device. 3. Get it signed using 'signer on behalf' feature. 4. Push the signed certificate to the device. This workflow worked fine. But the problem is that on 802.1x network, the device is periodically polled for authentication. In some corner cases, when the existing certificate got deleted and the device is yet to receive the new signed certificate, periodic device authentication is failing and the device is getting disconnected from the network. So, essentially we are left with only one option - getting new certificate using old CSR. you mentioned that 'reusing the CSR needs some more work'. Could you please tell me how we can get it working? Thanks, Kaushik ________________________________ From: Oliver Welter <[email protected]> Sent: 20 December 2019 23:16 To: [email protected] <[email protected]> Subject: Re: [OpenXPKI-users] Query on renewal workflow Hi Kaushik, Renwal in OpenXPKI works different. 1) We do not allow key reuse by default and the SCEP services uses the so called transaction id, which is usually the digest of the CSR, to pickup existing workflows so reusing the CSR needs some more work and we strongly suggest to create new keys/csrs when renewing. 2) The renewal period is not determined by the certificate lifetime but as an absolute config value, see https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenxpki.readthedocs.io%2Fen%2Flatest%2Freference%2Fconfiguration%2Fworkflows%2Fscep.html&data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&sdata=Y6BI%2BHF8eU%2Fd2FF2BpgYCCXqTcALb8YjHsehI872QaU%3D&reserved=0 Oliver Am 20.12.19 um 12:47 schrieb Kaushik Basu: > Hello, > > Would like to start with our existing workflow, what issue we are facing > and then our queries to get your help / suggestion. > > *_Current enrolment workflow :_* > > 1. Get the CSR from device / printer. > 2. Sign the CSR using a certificate qualified as ‘Authorized Signer’ > for the given endpoint. > 3. Get the certificate enrolled using SCEP protocol. > 4. Push the certificate to the device / printer. > > This workflow is working fine. > > *_Renewal workflow :_* > > 1. Get the existing valid certificate & old CSR from device. > 2. Sign the CSR using the existing certificate. > 3. Invoke enrol() beyond the halfway of validity period. > 4. Get the certificate renewed using SCEP protocol. > > It is working fine for MS CA. But it didn’t work for OpenXpki. > > This appeared to us not in-line with SCEP RFC > [https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-nourse-scep-23%23appendix-D&data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&sdata=AE04AYu1vUz%2FEsU0rePEmURmhX4TkejOk2ktdSSJ3xQ%3D&reserved=0] > which > articulates – > > /__/ > > /_An enrolment request that occurs more than halfway through the > validity period of an existing certificate for the same subject name and > key usage MAY be interpreted as a re-enrolment or renewal request and be > accepted_/. A new certificate with new validity dates can be issued, > even though the old one is still valid, if the CA policy permits. The > server MAY automatically revoke the old client certificate. Clients MUST > use GetCACaps (see Appendix C) to determine if the CA supports renewal. > Clients MUST support servers that do not implement renewal, or that > reject renewal requests. > > *_Our queries :_* > > 1. Why this workflow is not working for OpenXpki? > 2. How can we configure OpenXpki to get the outcome articulated in > Appendix D for SCEP RFC? > > Thanks, > > Kaushik Basu > * > O*+91 33 4020 4 <tel:%2B91%2033%204020%204813>444 > > *O*+91 33 4020 4 <tel:%2B91%2033%204020%204813>379 [Direct] > *M* +91 9433780575 > > > > _______________________________________________ > OpenXPKI-users mailing list > [email protected] > https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&sdata=jTWD0PFdTkjVS9UaZIyg42EwMFAdtAva1Qx0GI01Afw%3D&reserved=0 > -- Protect your environment - close windows and adopt a penguin! _______________________________________________ OpenXPKI-users mailing list [email protected] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&sdata=jTWD0PFdTkjVS9UaZIyg42EwMFAdtAva1Qx0GI01Afw%3D&reserved=0
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
