Re: [OpenXPKI-users] Query on renewal workflow

[Oliver Welter]

Dear Kaushik,

please let me clarify one thing - this is a public mailing list where I 
(and some of my collegues) provide support in our spare time "for free". 
As I already wrote, your setup is not what the "default" OpenXPKI 
workflows are made for and so your questions are beyond the scope I am 
willing and able to answer here on the public list.

As Martin wrote in his post yesterday, we are very excited to see the 
software is used and we are happy to provide support to the community in 
using it but if you need customization beyond what the community 
distribution was made for, we are happy to offer our expertise in 
building PKIs and rollout OpenXPKI in your environment.

So to make your printers work with our software, choose one of those 
options:
1) Fix your devices to support renewal with new keys - this would be the 
prefered solution as it adds extra security and matches "PKI best practise"
2) Subscribe to the developer mailinglist, learn how OpenXPKI works, 
adjust it where needed and, highly appreciated, contribute your changes 
back to the project
3) Get commercial support from somebody - I am happy to provide an offer 
but likely there are also other people outside

best reagrds

Oliver


Am 24.12.19 um 04:22 schrieb Kaushik Basu:

Hello Oliver,

Did you get a chance to look into this? Looking forward to hear from you.


Thanks,
Kaushik
------------------------------------------------------------------------
*From:* Kaushik Basu <kaushik.b...@lexmark.com>
*Sent:* 21 December 2019 08:02
*To:* Oliver Welter <m...@oliwel.de>; 
openxpki-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net>
*Subject:* Re: [OpenXPKI-users] Query on renewal workflow

Hi Oliver,

To generate a new CSR, we need to delete the existing certificate on the 
device / printer. So, we tried out the following workflow :

1. Delete existing certificate on the device.
2. Get the newly generated CSR from device.
3. Get it signed using 'signer on behalf' feature.
4. Push the signed certificate to the device.

This workflow worked fine. But the problem is that on 802.1x network, 
the device is periodically polled for authentication. In some corner 
cases, when the existing certificate got deleted and the device is yet 
to receive the new signed certificate, periodic device authentication is 
failing and the device is getting disconnected from the network.

So, essentially we are left with only one option - getting new 
certificate using old CSR. you mentioned that '/reusing the CSR needs 
some more work/'. Could you please tell me how we can get it working?


Thanks,
Kaushik

------------------------------------------------------------------------
*From:* Oliver Welter <m...@oliwel.de>
*Sent:* 20 December 2019 23:16
*To:* openxpki-users@lists.sourceforge.net 
<openxpki-users@lists.sourceforge.net>
*Subject:* Re: [OpenXPKI-users] Query on renewal workflow
Hi Kaushik,

Renwal in OpenXPKI works different.

1) We do not allow key reuse by default and the SCEP services uses the
so called transaction id, which is usually the digest of the CSR, to
pickup existing workflows so reusing the CSR needs some more work and we
strongly suggest to create new keys/csrs when renewing.

2) The renewal period is not determined by the certificate lifetime but
as an absolute config value, see
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenxpki.readthedocs.io%2Fen%2Flatest%2Freference%2Fconfiguration%2Fworkflows%2Fscep.html&amp;data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&amp;sdata=Y6BI%2BHF8eU%2Fd2FF2BpgYCCXqTcALb8YjHsehI872QaU%3D&amp;reserved=0

Oliver

Am 20.12.19 um 12:47 schrieb Kaushik Basu:
Hello,

Would like to start with our existing workflow, what issue we are facing 
and then our queries to get your help / suggestion.

*_Current enrolment workflow :_*

  1. Get the CSR from device / printer.
  2. Sign the CSR using a certificate qualified as ‘Authorized Signer’
     for the given endpoint.
  3. Get the certificate enrolled using SCEP protocol.
  4. Push the certificate to the device / printer.

This workflow is working fine.

*_Renewal workflow :_*

  1. Get the existing valid certificate & old CSR from device.
  2. Sign the CSR using the existing certificate.
  3. Invoke enrol() beyond the halfway of validity period.
  4. Get the certificate renewed using SCEP protocol.

It is working fine for MS CA. But it didn’t work for OpenXpki.

This appeared to us not in-line with SCEP RFC 
[https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-nourse-scep-23%23appendix-D&amp;data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&amp;sdata=AE04AYu1vUz%2FEsU0rePEmURmhX4TkejOk2ktdSSJ3xQ%3D&amp;reserved=0] 
which
articulates –

/__/

/_An enrolment request that occurs more than halfway through the 
validity period of an existing certificate for the same subject name and 
key usage MAY be interpreted as a re-enrolment or renewal request and be 
accepted_/. A new certificate with new validity dates can be issued, 
even though the old one is still valid, if the CA policy permits. The 
server MAY automatically revoke the old client certificate. Clients MUST 
use GetCACaps (see Appendix C) to determine if the CA supports renewal.  
Clients MUST support servers that do not implement renewal, or that 
reject renewal requests.

*_Our queries :_*

  1. Why this workflow is not working for OpenXpki?
  2. How can we configure OpenXpki to get the outcome articulated in
     Appendix D for SCEP RFC?

Thanks,

Kaushik Basu
*
O*+91 33 4020 4 <tel:%2B91%2033%204020%204813>444

*O*+91 33 4020 4 <tel:%2B91%2033%204020%204813>379 [Direct]
*M*  +91 9433780575



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&amp;data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&amp;sdata=jTWD0PFdTkjVS9UaZIyg42EwMFAdtAva1Qx0GI01Afw%3D&amp;reserved=0



--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&amp;data=02%7C01%7Ckaushik.basu%40lexmark.com%7Ca51b3536dfb84e977da908d785748ce5%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C1%7C637124607955655272&amp;sdata=jTWD0PFdTkjVS9UaZIyg42EwMFAdtAva1Qx0GI01Afw%3D&amp;reserved=0


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users