Hello,

I am able to load a self-signed Root CA and the Issuing CA into the
database using the openxpkiadm command:

root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_RootCA.crt --realm testrealm
Starting import
Successfully imported certificate into database:
  Subject:    C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
  Issuer:     C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
  Identifier: yvxxDgY50iLu9UekXIF3aGV9DlU
  Realm:      testrealm
root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_IssuingCA.crt --realm testrealm
Starting import
Successfully imported certificate into database:
  Subject:    C=my,ST=pahang,L=kuantan,CN=emfytest_IssuingCA,OU=engineering,O=emfytech
  Issuer:     C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
  Identifier: aauifzspWz-cX5SzHooYUTLYGGE
  Realm:      testrealm

However when I tried to load the certificate for SCEP, I get a verify error:

root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
2021/05/17 07:31:31 OpenSSL error: O = emfytech, OU = engineering, CN = emfytest_SCEP, L = kuantan, ST = pahang, C = my
error 20 at 0 depth lookup: unable to get local issuer certificate
2021/05/17 07:31:31 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2021/05/17 07:31:31 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
   __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
   __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert

With openssl I can reproduce the error when I execute the following:

openssl verify -CAfile emfytest_RootCA.crt -untrusted emfytest_IssuingCA.crt emfytest_SCEP.crt

The solution I found was to concatenate the IssuingCA and SCEP certificates
and execute the following, which returns OK:

openssl verify -CAfile emfytest_RootCA.crt emfytest_Combined.crt

How can I import the SCEP certificate with openxpkiadm so that it accepts it?

Cheers,
Gerard
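
The two openssl verify forms from the message above, run against a constructed hierarchy (an added example, not part of the original post or of OpenXPKI). openssl verify checks only the first certificate in each file it is given, so a concatenated file that starts with the issuing CA reports on the CA, not on the leaf. The file names root, issuing, other, good and stray are made up, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. Constructed throwaway CAs in a temp dir; all names are made up.
set -e
work=$(mktemp -d) && cd "$work"
cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

newkey() {  # newkey <name> <CN>: unencrypted private key plus CSR
  openssl req -new -config ssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {    # sign <name> <issuer> [x509 options]: issue <name>.crt from its CSR
  subj=$1 iss=$2; shift 2
  openssl x509 -req -in "$subj.csr" -CA "$iss.crt" -CAkey "$iss.key" \
    -CAcreateserial -days 1 -out "$subj.crt" "$@" 2>/dev/null
}
newkey root "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ssl.cnf -extensions v3_ca -out root.crt 2>/dev/null
for name in issuing other; do   # two intermediates under the same root
  newkey "$name" "Demo $name CA"
  sign "$name" root -extfile ssl.cnf -extensions v3_ca
done
newkey good  "demo-good-leaf";  sign good  issuing  # leaf from the supplied CA
newkey stray "demo-stray-leaf"; sign stray other    # leaf from a CA not supplied
cat issuing.crt stray.crt > combined.crt            # concatenation as in the post

chain_ok() {   # verify form from the post: root anchor, issuing CA as -untrusted
  openssl verify -CAfile root.crt -untrusted issuing.crt "$1" >/dev/null 2>&1
}
signed_by() {  # signed_by <cert> <ca>: one-hop check with <ca> as trust anchor
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}
first_subject() {  # subject of the first certificate in a PEM file
  openssl x509 -noout -subject -in "$1"
}
chain_ok good.crt  && echo "good.crt: chain builds"
chain_ok stray.crt || echo "stray.crt: rejected, issuer not among supplied CAs"
openssl verify -CAfile root.crt combined.crt   # only the first cert is checked
first_subject combined.crt                     # ... which is the issuing CA
signed_by stray.crt other.crt   && echo "stray.crt was signed by other.crt"
signed_by stray.crt issuing.crt || echo "stray.crt was not signed by issuing.crt"
```

The signed_by check, pointed at a real leaf and each candidate CA certificate in turn, shows which CA actually issued the leaf.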