Hi,

Thanks Martin. For those who would like to use certmonger to manage client-side certificates, I discovered that it is possible to renew the private key at each certificate renewal with this configuration. This is compatible with OpenXPKI.

/etc/certmonger/certmonger.conf

[defaults]
max_key_use_count = 1

Regards,
Eric

Feb 15, 2022, 12:48 by [email protected]:
> Hi Martin,
>
> You're right, certmonger seems to keep the same private key for renewal.
> So certmonger may not be useful, as I read in the getcert man page:
>
> -r automatically renews the certificate when its expiration date is close if
> the key pair already exists. This option is used by default.
>
> Certmonger renewal needs to keep the same private key: "if the key pair
> already exists". Am I wrong?
>
> Thanks for your help.
> Best regards,
> --
> Eric
>
> Feb 15, 2022, 09:42 by [email protected]:
>
>> Hi,
>>
>>> I am stuck in testing autorenew of SCEP-requested certificates.
>>>
>>> This is my initial enrollment with certmonger:
>>> ```
>>> getcert request -c openxpki -f $certfolder/nginx2.crt -k \
>>>   $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L \
>>>   SecretChallenge
>>> ```
>>>
>>> On the client side, certmonger is aware that the certificate will not be valid
>>> after 2022-02-14 15:03:47.
>>>
>>
>> OpenXPKI supports SCEP enrollment as an initial enrollment (new private key,
>> unauthenticated/self-signed request) and as a renewal request (new private
>> key, request signed with existing/old certificate and key).
>> Renewal requests only work as long as the existing certificate is still
>> valid. With the default configuration/workflows it is not possible to renew
>> an expired certificate. This makes sense, a certificate should be renewed
>> before it expires.
>>
>>> On the OpenXPKI side, I understand that the SCEP server finds the appropriate
>>> initial workflow (9983). But is it delivering a new certificate by telling
>>> "Delivered certificate via SCEP"? Am I supposed to see a new workflow?
>>>
>>
>> Works as designed, this indicates that the client sends an initial
>> enrollment request, not a renewal request. If the original private key is
>> used to request the certificate, the existing certificate will be delivered.
>>
>> Cheers
>>
>> Martin
>>
>
>
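The thread turns on one observable fact: whether the private key behind the certificate actually changed at renewal (Martin's point that a request made with the original key just returns the existing certificate, and Eric's max_key_use_count = 1 fix). The script below is an added example, not code from Eric, Martin, certmonger or OpenXPKI. It checks that fact the way an operator would after a renewal: compare the SHA-256 of the SubjectPublicKeyInfo of the old key, the new key and the delivered certificate. It assumes only the openssl CLI; the key and certificate files it compares are generated locally as a constructed fixture (2048-bit RSA and self-signed certificates, purely so the demo runs offline; the real files are the ones certmonger writes, e.g. $keyfolder/nginx2.key and $certfolder/nginx2.crt). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certmonger/OpenXPKI
# renewal really rotated the private key and that the delivered certificate
# belongs to the new key. Only the openssl CLI is required.
set -eu

# spki_fp FILE: SHA-256 over the DER SubjectPublicKeyInfo found in FILE, which
# may be a PEM private key or a PEM certificate. Equal SPKI hashes mean the
# two artefacts carry the same public key.
spki_fp() {
  {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
      openssl x509 -in "$1" -noout -pubkey
    else
      openssl pkey -in "$1" -pubout
    fi
  } | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_rotated OLD NEW: succeeds when the two key files hold different key pairs.
key_rotated() { [ "$(spki_fp "$1")" != "$(spki_fp "$2")" ]; }

# cert_matches_key CERT KEY: succeeds when CERT was issued for KEY's public key.
cert_matches_key() { [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; }

# setup_fixture DIR: constructed before/after-renewal state (not real
# certmonger output), using self-signed certificates as stand-ins for the CA:
#   old.key/old.crt  the initial enrollment
#   new.key/new.crt  a renewal that rotated the key (max_key_use_count = 1)
#   same.crt         a certificate issued for the old key again
setup_fixture() {
  dir=$1
  for n in old new; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$n.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/$n.key" -subj /CN=nginx2.domain.lan \
      -days 30 -out "$dir/$n.crt" 2>/dev/null
  done
  openssl req -x509 -new -key "$dir/old.key" -subj /CN=nginx2.domain.lan \
    -days 30 -out "$dir/same.crt" 2>/dev/null
}

# check_renewal OLDKEY NEWKEY NEWCERT: returns 0 only when the key changed and
# the delivered certificate matches the new key; otherwise prints why not.
check_renewal() {
  if ! key_rotated "$1" "$2"; then
    echo "FAIL: private key was reused across renewal"
    return 1
  fi
  if ! cert_matches_key "$3" "$2"; then
    echo "FAIL: delivered certificate does not match the new key"
    return 1
  fi
  echo "OK: key rotated and certificate matches it"
}

# Stand-alone demo on the constructed fixture.
tmp=$(mktemp -d)
setup_fixture "$tmp"
check_renewal "$tmp/old.key" "$tmp/new.key" "$tmp/new.crt"
check_renewal "$tmp/old.key" "$tmp/old.key" "$tmp/same.crt" || true
rm -rf "$tmp"
```

On a real host, keep a copy of the key and certificate before the renewal window and run check_renewal against the files certmonger writes afterwards; with the default configuration the first check reports a reused key, with max_key_use_count = 1 it should report OK. Hashing the SPKI rather than diffing PEM text also works when the key file is re-encoded (for example rewritten in PKCS#8) without actually changing the key.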
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
