Dear Oliver,

Thanks for your valuable input. Just exploring possibilities - if we opt for #3, could you please give me a ballpark estimate of how much it will cost?

Thanks,
Kaushik

-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: 24 December 2019 16:47
To: [email protected]
Subject: Re: [OpenXPKI-users] Query on renewal workflow

Dear Kaushik,

please let me clarify one thing - this is a public mailing list where I (and some of my colleagues) provide support in our spare time "for free". As I already wrote, your setup is not what the "default" OpenXPKI workflows are made for, and so your questions are beyond the scope I am willing and able to answer here on the public list.

As Martin wrote in his post yesterday, we are very excited to see the software is used and we are happy to provide support to the community in using it, but if you need customization beyond what the community distribution was made for, we are happy to offer our expertise in building PKIs and rolling out OpenXPKI in your environment.

So to make your printers work with our software, choose one of those options:

1) Fix your devices to support renewal with new keys - this would be the preferred solution as it adds extra security and matches "PKI best practice"
2) Subscribe to the developer mailing list, learn how OpenXPKI works, adjust it where needed and, highly appreciated, contribute your changes back to the project
3) Get commercial support from somebody - I am happy to provide an offer but likely there are also other people outside

best regards

Oliver

On 24.12.19 at 04:22, Kaushik Basu wrote:
>
> Hello Oliver,
>
> Did you get a chance to look into this? Looking forward to hearing from you.
>
> Thanks,
> Kaushik
>
> ------------------------------------------------------------------------
> *From:* Kaushik Basu <[email protected]>
> *Sent:* 21 December 2019 08:02
> *To:* Oliver Welter <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: [OpenXPKI-users] Query on renewal workflow
>
> Hi Oliver,
>
> To generate a new CSR, we need to delete the existing certificate on the device / printer. So, we tried out the following workflow:
>
> 1. Delete existing certificate on the device.
> 2. Get the newly generated CSR from device.
> 3. Get it signed using 'signer on behalf' feature.
> 4. Push the signed certificate to the device.
>
> This workflow worked fine. But the problem is that on an 802.1X network, the device is periodically polled for authentication. In some corner cases, when the existing certificate got deleted and the device is yet to receive the new signed certificate, periodic device authentication is failing and the device is getting disconnected from the network.
>
> So, essentially we are left with only one option - getting a new certificate using the old CSR. You mentioned that "reusing the CSR needs some more work". Could you please tell me how we can get it working?
>
> Thanks,
> Kaushik
>
> ------------------------------------------------------------------------
> *From:* Oliver Welter <[email protected]>
> *Sent:* 20 December 2019 23:16
> *To:* [email protected] <[email protected]>
> *Subject:* Re: [OpenXPKI-users] Query on renewal workflow
>
> Hi Kaushik,
>
> Renewal in OpenXPKI works differently.
>
> 1) We do not allow key reuse by default, and the SCEP service uses the so-called transaction id, which is usually the digest of the CSR, to pick up existing workflows, so reusing the CSR needs some more work and we strongly suggest creating new keys/CSRs when renewing.
>
> 2) The renewal period is not determined by the certificate lifetime but as an absolute config value, see https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
>
> Oliver
>
> On 20.12.19 at 12:47, Kaushik Basu wrote:
>> Hello,
>>
>> Would like to start with our existing workflow, what issue we are facing and then our queries to get your help / suggestion.
>>
>> *Current enrolment workflow:*
>>
>> 1. Get the CSR from device / printer.
>> 2. Sign the CSR using a certificate qualified as 'Authorized Signer' for the given endpoint.
>> 3. Get the certificate enrolled using SCEP protocol.
>> 4. Push the certificate to the device / printer.
>>
>> This workflow is working fine.
>>
>> *Renewal workflow:*
>>
>> 1. Get the existing valid certificate & old CSR from device.
>> 2. Sign the CSR using the existing certificate.
>> 3. Invoke enrol() beyond the halfway of validity period.
>> 4. Get the certificate renewed using SCEP protocol.
>>
>> It is working fine for MS CA. But it didn't work for OpenXPKI.
>>
>> This appeared to us not in line with the SCEP RFC [https://tools.ietf.org/html/draft-nourse-scep-23#appendix-D] which articulates:
>>
>> "An enrolment request that occurs more than halfway through the validity period of an existing certificate for the same subject name and key usage MAY be interpreted as a re-enrolment or renewal request and be accepted. A new certificate with new validity dates can be issued, even though the old one is still valid, if the CA policy permits. The server MAY automatically revoke the old client certificate. Clients MUST use GetCACaps (see Appendix C) to determine if the CA supports renewal. Clients MUST support servers that do not implement renewal, or that reject renewal requests."
>>
>> *Our queries:*
>>
>> 1. Why is this workflow not working for OpenXPKI?
>> 2. How can we configure OpenXPKI to get the outcome articulated in Appendix D of the SCEP RFC?
>>
>> Thanks,
>>
>> Kaushik Basu
>
> --
> Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
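A small Python model, added here as an illustration and not part of OpenXPKI or of any message in this thread, of the two points Oliver makes on 20 December: a PKCSReq that carries the same CSR yields the same transaction id and is matched to the already existing workflow instead of opening a renewal, and the renewal window is an absolute period before expiry rather than the draft's "more than halfway" rule. The SHA-256 digest, the `ScepModel` class and the `too_early` outcome are assumptions of this model, not OpenXPKI behaviour.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def scep_transaction_id(csr_der: bytes) -> str:
    # Transaction id as a digest of the CSR bytes; SHA-256 is an assumption
    # here, real SCEP clients differ and the server matches what they send
    return hashlib.sha256(csr_der).hexdigest().upper()

def renewal_window_halfway(now, not_before, not_after):
    # SCEP draft Appendix D: renewal once more than halfway through validity
    return now > not_before + (not_after - not_before) / 2

def renewal_window_absolute(now, not_after, renewal_period):
    # OpenXPKI style: fixed period before expiry, independent of lifetime
    return now >= not_after - renewal_period

class ScepModel:
    """Toy CA front end: dedups PKCSReq by transaction id, then applies policy."""
    def __init__(self, policy, renewal_period=None):
        self.policy, self.renewal_period, self.workflows = policy, renewal_period, {}

    def pkcsreq(self, csr_der, now, current_cert=None):
        tid = scep_transaction_id(csr_der)
        if tid in self.workflows:        # same CSR => same tid => old workflow
            return "pickup:" + self.workflows[tid]
        if current_cert is None:
            kind = "enrollment"
        else:
            nb, na = current_cert
            ok = (renewal_window_halfway(now, nb, na) if self.policy == "halfway"
                  else renewal_window_absolute(now, na, self.renewal_period))
            if not ok:
                return "too_early"       # modelled outcome, not OpenXPKI's
            kind = "renewal"
        self.workflows[tid] = kind
        return kind

def demo():
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    cert = (t0, t0 + timedelta(days=365))                 # constructed validity
    old, new, newer = b"CSR-old", b"CSR-new", b"CSR-newer"  # constructed stand-ins
    out = {}
    for name, srv in (("halfway", ScepModel("halfway")),
                      ("absolute", ScepModel("absolute", timedelta(days=30)))):
        srv.pkcsreq(old, t0)                               # initial enrollment
        d200, d340 = t0 + timedelta(days=200), t0 + timedelta(days=340)
        out[name] = (srv.pkcsreq(old, d200, cert),         # reused CSR: no renewal
                     srv.pkcsreq(new, d200, cert),         # fresh CSR, day 200
                     srv.pkcsreq(newer, d340, cert))       # fresh CSR, day 340
    return out
```

With the absolute 30-day window, the fresh CSR at day 200 is still outside the window although it is past the halfway mark, which is the difference the MS CA and OpenXPKI results in the thread reflect.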
