Hi, > I agree with you, I am just a newbie in this whole world of PKI and I went > for the easiest way to make it work at the beginning and then start from > there to "make it right". Thanks for the heads up, > > You were right, just that all know what happened, the problems that I faced > was because I messed up running the sampleconfig more than once, even when I > removed everything and started again, the keys in the local folder were still > there and that's why I got the bad results. I delete everything and start > again the process from zero, delete docker containers and volumes and I clean > my configuration. If you follow the quickstart and start the sampleconfig > only **once**, works without problem.
If you plan to set up a PKI for anything remotely resembling a production setup of some sorts I recommend to do proper planning of the PKI. Mistakes in the early phases are sometimes very hard to fix later. If your company needs assistance with this, do not hesitate to contact us via off...@whiterabbitsecurity.com. Our team has been designing and implementing PKIs of any magnitude for a lot of companies in the past years. > I have a last question Oliver; I am really grateful for your time and your > fast response. I notice it that I can only make SCEP successful request with > the first certificate (ca.crt-0) of the chain, for the others I got a > verification error. When I looked at some information about the certificates, > I saw that the ca.crt-0 has as usage: "Digital Signature, Key Encipherment", > so this is a encrypted certificate. Can I use a non-encrypted certificate > like the ca.crt-1 or ca.crt-2? Can this be configured? Or does it have to be > always with the encrypted one? When a SCEP getcacert request is received, the OpenXPKI SCEP server answers with the SCEP RA certificate (always the first certificate in the response) and the CA certificates that form the certificate chain for the RA certificate. The CA Certificate chain (in addition to the separately distributed trusted Root CA) is needed by the end entity performing the SCEP call for creation of the client side keystore. The SCEP RA certificate is needed by the SCEP client for encryption of the SCEP payload. This is the reason why you need to use this for the enrollment. BTW, in case you are working on automation of certificate requests and enrollment, we also have a number of useful tools and standards ways to make this work in an IoT scenario. (hint, hint) Cheers Martin _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
