Well, the good folks in Cupertino seem to be at it (or not at it) again. TL;DR - on macOS, when I try to update a cert via SCEP using the built-in client, OpenXPKI returns the original, now expired cert.
I'm trying to determine if that's a function of how I'm requesting the update, a problem with macOS, something in OpenXPKI, or, as is often the case, user error or lacking knowledge on my end :)

When I look at OpenXPKI, the cert shows its original expiration date - it doesn't appear to be issuing a new cert. Also FWIW, I get the same behavior with sscep on *nix - sscep will get the cert and write it, but it is the same, expired cert for that host.

One last note - Apple says that it uses the existing private key for the renewal: https://support.apple.com/en-us/HT204446

Here are the macOS logs:

default 10:38:45.799040-0600 CertificateService Unpacking SCEP message of length: 4158
default 10:38:45.799915-0600 CertificateService Decrypting response payload
default 10:38:45.847596-0600 CertificateService Comparing sentNonce of length 8 to receivedNonce of length 16
default 10:38:45.847716-0600 CertificateService ProcessPkiStatus: pkiStatus = 0
default 10:38:45.847759-0600 CertificateService ProcessRequestCertSignatureResponse: ProcessPkiStatus returned: 0
default 10:38:45.847887-0600 CertificateService ProcessRequestCertSignatureResponse: CopyCertsFromCertResp returned: 0 #certs: 1
default 10:38:45.884099-0600 CertificateService CSSM Exception: -2147413719 CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA
default 10:38:45.888947-0600 CertificateService CSSM Exception: -2147413719 CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA
default 10:38:45.893995-0600 CertificateService CSSM Exception: -2147413719 CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA
default 10:38:45.898749-0600 CertificateService Certificate renewal resulted in server returning same certificate
default 10:38:45.901748-0600 CertificateService tcp_output [C3:2] flags=[F.] seq=3230206982, ack=86633706, win=2048 state=FIN_WAIT_1 rcv_nxt=86633706, snd_una=3230206982
default 10:38:45.901921-0600 CertificateService Connection 3: cleaning up
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users