Hi Eddy,

this sounds like the renewal request generated by cryptlib does not look like we expect - we (and also the SCEP standard) expect that for a renewal you send a CSR with a new key but the same Subject as the old certificate and do the "outer" SCEP signature with the old certificate.

Your description leads me to the assumption that the incoming renewal request is signed with a "third" certificate which was not issued by the CA you are enrolling to.

Oliver

On 26.04.21 at 15:46, Eddy BODIN via OpenXPKI-users wrote:
> Hi,
>
> I’m currently testing openxpki for SCEP enrollment, with SSCEP and Cryptlib.
>
> When I’m trying an enrollment with SSCEP, everything is OK, I get my signed certificate. I checked the workflow context and I can see that *csr_subject_key_identifier* is equal to *signer_subject_key_identifier*.
>
> I made the same test with another cryptographic library: Cryptlib, but I get a failure status: Renewal request is for certificate from foreign realm! It’s very strange. When I check the *csr_subject_key_identifier* and *signer_subject_key_identifier* they are different. I don’t understand why these identifiers are different?
>
> Note: My CSR is self-signed in SSCEP and Cryptlib
>
> Thanks
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
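The three signer cases discussed in this thread (self-signed initial enrollment, renewal signed with the old certificate, and a signer from another CA), as an added example that is not part of the original messages and is not OpenXPKI code. It assumes the `openssl` command line tool; the helper names, file names and subjects are made up, and the SHA-256 public key fingerprint only stands in for the key identifiers shown in the workflow context, so the values themselves will differ from what OpenXPKI displays.

```shell
#!/bin/sh
# Added example, not OpenXPKI code. Helper names, file names and subjects are assumptions.

# SHA-256 fingerprint of a PEM public key passed as $1; equal keys give equal values.
pub_fp() {
  printf '%s\n' "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# classify_scep_signer CSR SIGNER_CERT CA_CERT  ->  initial | renewal | foreign
classify_scep_signer() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || { echo error; return 1; }
  signer_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || { echo error; return 1; }
  if [ "$(pub_fp "$csr_pub")" = "$(pub_fp "$signer_pub")" ]; then
    echo initial   # signer holds the CSR's own key: self-signed initial enrollment
  elif openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo renewal   # new key in the CSR, signer was issued by the CA enrolled to
  else
    echo foreign   # signer is a "third" certificate this CA did not issue
  fi
}

# issue DIR KEYNAME CANAME: certificate for CN=device1 signed by CANAME (constructed data)
issue() {
  openssl req -new -key "$1/$2.key" -subj "/CN=device1" |
    openssl x509 -req -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial -days 2 -out "$1/$2.pem"
}

# Constructed sample material in directory $1: two CAs, old/third device certs, a new key.
make_samples() {
  for n in ca other old third new; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/$n.key"
  done
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Demo CA" -days 2 -out "$1/ca.pem"
  openssl req -x509 -new -key "$1/other.key" -subj "/CN=Other CA" -days 2 -out "$1/other.pem"
  issue "$1" old ca && issue "$1" third other
  # Renewal CSR: new key, same Subject as the old certificate.
  openssl req -new -key "$1/new.key" -subj "/CN=device1" -out "$1/new.csr"
  # Self-signed certificate over the new key, as an initial enrollment would use.
  openssl req -x509 -new -key "$1/new.key" -subj "/CN=device1" -days 2 -out "$1/self.pem"
} 2>/dev/null

demo=$(mktemp -d) && make_samples "$demo"
for signer in self old third; do
  echo "$signer.pem: $(classify_scep_signer "$demo/new.csr" "$demo/$signer.pem" "$demo/ca.pem")"
done
rm -rf "$demo"
```

For a captured request, the signer certificate to feed into the check can be extracted from the outer PKCS#7 with `openssl pkcs7 -inform DER -print_certs`.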