Thanks for the quick reply, Oliver. That makes sense now.
On 09-Apr-21 2:43:54 AM, Oliver Welter <m...@oliwel.de> wrote:
Hi Sergei,
The "sign with old certificate" applies to the "transport" layer; the docs were
originally written for the SCEP protocol, where the CSR (signed with its own
key!) is wrapped in a PKCS#7 signature. The OpenXPKI server uses this "outer
signature" certificate to identify the signer and assumes it is a renewal if
the subject of the new CSR and that of the signer certificate used are the same.
Similar logic applies to EST and our proprietary RPC interface, where the
certificate from the mutual TLS handshake is used. This obviously works only for
certificates that are suitable for TLS client auth, so you cannot renew TLS
server certificates directly, only via a "surrogate certificate".
Have a look at the docs of the enrollment workflow:
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html
Renewal via the WebUI / manual upload is not supported at this time with the
default configuration. We have a customer that uses a solution based on the
PKCS#7 signature as in SCEP, in conjunction with a "hand-crafted" tool to
generate such signatures and renew via the WebUI, but this is far off-standard.
Oliver
On 09.04.21 at 03:54, Sergei Leshchinsky wrote:
Hi folks,
I'm planning to use OpenXPKI to do general in-house PKI management (server cert
requests / publishing / CRLs / renewals).
The issue is with renewals: in the docs it's covered by 3 sentences, one of which
makes completely no sense to me:
"Request renewal by sending a new request signed with the existing certificate."
Isn't the CSR signed with the corresponding private key? What is "signed with
existing cert" supposed to mean?
Further:
"Best strategy is to create the new request from the old certificate to ensure
the subjects match."
OK, I do get that OpenXPKI does not support renewing with re-use of the original
private key. But if I generate a new private key and make a CSR out of the
existing cert (to make sure the subject matches exactly) and feed that CSR into
a new cert request, I'm obviously getting "PKCS10 signature is not valid".
What am I missing? Or what are the exact steps (in the UI?) I need to follow for this?
Thanks
Sergei
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
-- Protect your environment - close windows and adopt a penguin!