Hi Petr,
did you generate a CRL on the PKI already? The default workflows of
OpenXPKI do not create a CRL when a certificate is revoked - usually you
create a cronjob/timer to trigger the CRL creation once a day so it's
likely that there is no CRL at all.
If this is not the case, what SCEP client are you using? As GetCRL via
SCEP is a very rarely used feature we have seen several clients not
implementing this right so the request sent to the server is not what
OpenXPKI expects.
Oliver
On 26.06.20 at 19:59, Petr Gotthard wrote:
Hello,
I successfully enrolled a certificate via SCEP. Then I enrolled another
one with the same subject, so I got another certificate and the first
got revoked. So far so good.
I can see the revoked certificate on the website, but I have trouble
obtaining the CRL via SCEP: I am sending the getcrl request using the
newly enrolled key/cert, using the same CA certificate I used for
enrollment, but I am getting pkistatus FAILURE, indicating “No
certificate could be identified matching”. The server logs show no error
(as far as I found).
Do you please have any hints what could be wrong? I am using the
certificate I just enrolled from the same CA, why does it say there is
none matching?
Am I supposed to retrieve the entire CRL, including the entries matching
my own subject, or is there some filtering done?
Kind Regards,
Petr
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!