Hi Sergei, the "sign with old certificate" applies to the "transport" layer, the docs were originally written for the SCEP protocol where the CSR (signed with its own key!) is wrapped with a PKCS#7 signature. The OpenXPKI server uses this "outer signature" certificate to identify the signer and assumes it is a renewal if the subject of the new CSR and the used signer is the same.
Similar logic applies to EST and our proprietary RPC interface, where the certificate of the mutual TLS handshake is used. This obviously works only for certificates that are suitable for TLS Client Auth, so you cannot renew TLS Server certificates directly but via a "surrogate certificate". Have a look at the docs of the enrollment workflow: https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html

Renewal via WebUI / manual upload is not supported at this time with the default configuration. We have a customer that uses a solution based on the PKCS#7 signature as in SCEP in conjunction with a "hand crafted" tool to generate such signatures and renew via WebUI, but this is far off-standard.

Oliver

On 09.04.21 at 03:54, Sergei Leshchinsky wrote:
>
> Hi folks
>
> I'm planning to use OpenXPKI to do general in-house PKI management
> (server cert requests / publishing / CRLs / renewals).
> The issue is with renewals: in the doc it's covered by 3 sentences, one of
> them makes completely no sense to me:
> "Request renewal by sending a new request signed with the existing
> certificate."
> Isn't the CSR signed with the corresponding private key? What is that supposed
> to mean, "signed with existing cert"?
>
> Further:
> "Best strategy is to create the new request from the old certificate
> to ensure the subjects match."
> OK, I do get that OpenXPKI does not support renewing with re-use of the
> original private key. But if I generate a new private key and make a CSR out of the
> existing cert (to make sure the subject matches exactly) and feed that CSR
> into a new cert request, I'm obviously getting "PKCS10 signature is not
> valid".
> What am I missing? Or what are the exact steps (in the UI?) I need to follow
> for this.
>
> Thanks
> Sergei
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!