Hello Gerard,

from the error message and your description there are two possible problems ;)

a) your SCEP certificate was not issued by the imported Issuing CA

b) OpenXPKI expects the full chain on import and uses the Subject/Authority Key Identifier to build the chain. We have seen some CAs that do not set those attributes as we expect.

In any case you can set one of the force flags --force-no-chain, --force-no-verify or --force-issuer - see the man page of openxpkiadm for details.

Oliver

On 17.05.21 at 12:20, Gerard van den Bosch wrote:
> Hello,
>
> I am able to load a self-signed Root CA and the Issuing CA into the
> database using the openxpkiadm command:
>
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_RootCA.crt --realm testrealm
> Starting import
> Successfully imported certificate into database:
>   Subject:    C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Issuer:     C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Identifier: yvxxDgY50iLu9UekXIF3aGV9DlU
>   Realm:      testrealm
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_IssuingCA.crt --realm testrealm
> Starting import
> Successfully imported certificate into database:
>   Subject:    C=my,ST=pahang,L=kuantan,CN=emfytest_IssuingCA,OU=engineering,O=emfytech
>   Issuer:     C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Identifier: aauifzspWz-cX5SzHooYUTLYGGE
>   Realm:      testrealm
>
> However, when I tried to load the certificate for SCEP, I get a verify
> error:
>
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
> 2021/05/17 07:31:31 OpenSSL error: O = emfytech, OU = engineering, CN = emfytest_SCEP, L = kuantan, ST = pahang, C = my
> error 20 at 0 depth lookup: unable to get local issuer certificate
> 2021/05/17 07:31:31 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2021/05/17 07:31:31 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
> __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert
>
> With openssl I can reproduce the error when I execute the following:
>
> openssl verify -CAfile emfytest_RootCA.crt -untrusted emfytest_IssuingCA.crt emfytest_SCEP.crt
>
> The solution I found was to concatenate the IssuingCA and SCEP certificates
> and execute the following, and it returns OK.
>
> openssl verify -CAfile emfytest_RootCA.crt emfytest_Combined.crt
>
> How can I import the SCEP certificate with openxpkiadm so that it accepts it?
>
> Cheers,
> Gerard
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
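The two causes named in the reply above (wrong issuer, or key identifiers that do not link up) can be told apart with plain openssl before an import is attempted. The script below is an added example, not part of the thread and not OpenXPKI's own chain-building code; the function names, the demo file names and the "Demo ..." subject names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all file names and subject names below are constructed.

# Print a certificate's key identifier in hex (nothing if the extension is absent).
key_id() {  # key_id <cert.pem> <Subject|Authority>
    openssl x509 -in "$1" -noout -text |
        grep -A1 "X509v3 $2 Key Identifier" | tail -n 1 |
        grep -Eo '([0-9A-F]{2}:){3,}[0-9A-F]{2}' | head -n 1
}

# Can <issuer.pem> be linked as the issuer of <cert.pem>? Returns 0 if yes,
# 1 = issuer DN differs, 2 = a key identifier is missing, 3 = AKI != SKI.
issued_by() {  # issued_by <cert.pem> <issuer.pem>
    want=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    have=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$want" = "$have" ] || return 1
    aki=$(key_id "$1" Authority); ski=$(key_id "$2" Subject)
    [ -n "$aki" ] && [ -n "$ski" ] || return 2
    [ "$aki" = "$ski" ] || return 3
}

# Same check as the first openssl verify command quoted in the thread.
chain_ok() {  # chain_ok <root.pem> <issuing.pem> <leaf.pem>
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed chain in directory $1: root -> issuing -> scep, plus
# "rekeyed", a CA with the issuing CA's subject name but a different key.
make_demo_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' \
        '[sub]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' '[ee]' 'authorityKeyIdentifier=keyid' > "$d/x.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions ca \
        -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" -days 2 2>/dev/null
    sign() {  # sign <name> <CN> <issuer name> <extension section>
        openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=$2" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.crt" -CAkey "$d/$3.key" -CAcreateserial \
            -extfile "$d/x.cnf" -extensions "$4" -out "$d/$1.crt" -days 2 2>/dev/null
    }
    sign issuing "Demo Issuing CA" root sub
    sign rekeyed "Demo Issuing CA" root sub
    sign scep "Demo SCEP" issuing ee
}
```

Against real files the call would be `issued_by emfytest_SCEP.crt emfytest_IssuingCA.crt`; a return code of 1 corresponds to case a) in the reply, 2 or 3 to case b).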
