Hi,

> I am stuck in testing autorenew of SCEP requested certificates.
>
> This is my initial enrollment with certmonger:
> ```
> getcert request -c openxpki -f $certfolder/nginx2.crt \
>   -k $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan \
>   -v -w -L SecretChallenge
> ```
>
> On client side, Certmonger is aware that the certificate will not be valid
> after 2022-02-14 15:03:47.

OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, unauthenticated/self-signed request) and as a renewal request (new private key, request signed with existing/old certificate and key). Renewal requests only work as long as the existing certificate is still valid. With the default configuration/workflows it is not possible to renew an expired certificate. This makes sense: a certificate should be renewed before it expires.

> On OpenXPKI side. I understand that the SCEP server finds the appropriate
> initial workflow (9983). But is it delivering a new certificate by telling
> "Delivered certificate via SCEP"? Am I supposed to see a new workflow?

Works as designed; this indicates that the client sends an initial enrollment request, not a renewal request. If the original private key is used to request the certificate, the existing certificate will be delivered.

Cheers

Martin
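
A pre-renewal check that follows the two rules in the reply above, as an added example that is not part of the original message and not code from OpenXPKI or certmonger: it reports whether the existing certificate is still valid and whether the key intended for the new request is the one already certified. The function name `scep_precheck`, its output labels and the file arguments are assumptions; it relies only on the `openssl` command line.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from OpenXPKI or certmonger).
# Usage: scep_precheck EXISTING_CERT REQUEST_KEY [MARGIN_SECONDS]

# SHA-256 over the DER-encoded public key taken from a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER-encoded public key derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

scep_precheck() {
    cert=$1
    key=$2
    margin=${3:-0}   # seconds of validity that must remain on the certificate

    # Unreadable input must not be mistaken for an expired certificate.
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "input-unreadable"
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    # The reply states that an expired certificate cannot be renewed with the
    # default configuration/workflows.
    if ! openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1; then
        echo "cert-expired"
        return 1
    fi

    # The reply states that a renewal uses a new private key, and that the
    # existing certificate is delivered when the original key is used.
    if [ "$(cert_pubkey_hash "$cert")" = "$(key_pubkey_hash "$key")" ]; then
        echo "key-reused"
        return 1
    fi

    echo "key-new"
    return 0
}
```

Passing a margin such as `864000` (ten days) flags certificates that are about to leave the window in which a renewal request can still be signed with them.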