Hi Petr,

to be honest I have no idea - you can try to activate the "developer debug" by starting OpenXPKI with:

    openxpkictl start --debug OpenXPKI::Service::LibSCEP::Command::PKIOperation:32

This should write some more detailed information about the requested certificate and the processing in the SCEP lib to the stderr.log.

Oliver

On 29.06.20 at 12:23, Petr Gotthard wrote:
> Hi Oliver,
>
> I called both "Issue a certificate revocation list (CRL)" as well as "Publish
> CA/CRL" and I can see the list under "Show Revocation Lists (CRL)". Just the
> SCEP doesn't return anything.
>
> I am using the Jarkko Turkulainen's sscep 0.7.0 with some of the pull
> requests applied.
> https://github.com/certnanny/sscep
>
>
> Petr
>
> -----Original Message-----
> From: Oliver Welter [mailto:[email protected]]
> Sent: Saturday, June 27, 2020 1:59 PM
> To: [email protected]
> Subject: Re: [OpenXPKI-users] Failure when obtaining CRL via SCEP
>
> Hi Petr,
>
> did you generate a CRL on the PKI already? The default workflows of
> OpenXPKI do not create a CRL when a certificate is revoked - usually you
> create a cronjob/timer to trigger the CRL creation once a day so it's
> likely that there is no CRL at all.
>
> If this is not the case, what SCEP client are you using? As GetCRL via
> SCEP is a very rarely used feature we have seen several clients not
> implementing this right so the request sent to the server is not what
> OpenXPKI expects.
>
> Oliver
>
> On 26.06.20 at 19:59, Petr Gotthard wrote:
>> Hello,
>>
>> I successfully enrolled a certificate via SCEP. Then I enrolled another
>> one with the same subject, so I got another certificate and the first
>> got revoked. So far so good.
>>
>> I can see the revoked certificate on the website, but I have trouble
>> obtaining the CRL via SCEP: I am sending the getcrl request using the
>> newly enrolled key/cert, using the same CA certificate I used for
>> enrollment, but I am getting pkistatus FAILURE, indicating "No
>> certificate could be identified matching". The server logs show no error
>> (as far as I found).
>>
>> Do you please have any hints what could be wrong? I am using the
>> certificate I just enrolled from the same CA, why does it say there is
>> none matching?
>>
>> Am I supposed to retrieve the entire CRL, including the entries matching
>> my own subject, or is there some filtering done?
>>
>> Kind Regards,
>>
>> Petr
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
