Hi,

> I would like to test the exchange of an issuing certificate.
> To do this, I have imported three valid issuing certificates into OpenXPKI
> (with token certsign).
> The call "sscep getca -u http://pki.dbmas/scep/generic -v -c dbmas-ca" only
> returns the first issuing certificate
> while the query using EST returns all three issuing certificates.
> Do I have to do anything else for the SCEP handler in OpenXPKI after the
> certificate import?
I assume that with "exchange of an issuing certificate" you meant that you would like to test a CA rollover, i.e. the concurrent operation of multiple Issuing CA certificates within one logical CA. I also assume that you have successfully imported the new Issuing CA certificate into the PKI Realm as a signer token. An indication that it worked properly is that you see all CA Signers listed on the Status Overview page of the RA Operator (hopefully with an "Online" key status).

If this is the case, the easiest way to test if the CA rollover worked is to simply issue a CRL and force CRL creation. That should result in CRLs created for all currently valid Issuing CAs, including the newly imported one.

Next you might want to test certificate issuance, e.g. via a manual certificate request. The system will automatically determine the most recent Issuing CA capable of issuing the requested certificate in the PKI Realm and use it to issue the certificate.

***

Apart from this, the enrollment interfaces can be asked to return the CA certificates required to complete the certificate chain for a requested certificate of the end entity.

For SCEP this is the GetCACert command. It will by default return the CA certificate chain that would complete a newly issued end entity certificate. If there are multiple Issuing CAs within the PKI Realm, only the "active" CA Certificate will be returned. (There are ways to fine-tune this, as we have encountered countless severely pathological cases with regard to SCEP clients.)

For EST this should behave identically to SCEP. If all three Issuing CA Certificates (even passive ones) are returned, I would expect this behavior to be erroneous, as the default behavior is to return only the active signer token.

Before we further analyze, can you please verify that the Issuing CA rollover worked as described above? Also, please provide the output of

openxpkiadm alias --realm REALM --filter all

so we can see how this is set up on your system.
Best regards,
Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
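To check which Issuing CAs each enrollment interface actually hands out, as the reply asks, the following added example (not OpenXPKI's code nor either poster's) lists the CA certificates inside a SCEP GetCACert or EST /cacerts response and diffs the two views. It uses a minimal DER walker from the standard library only; the sample responses are constructed, unsigned certificate skeletons named after the realm in the question (dbmas-ca-2019/2022/2024, dbmas-root are invented), and the fetch_* helpers assume the generic SCEP and EST URL layout of the original post.

```python
"""Added example (not OpenXPKI code): list the CA certs a SCEP GetCACert and an
EST /cacerts response carry and diff the two views. Sample data is constructed."""
import base64
import urllib.request

# ---- minimal DER encoder, used only to build the constructed sample data ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

OID_CN = b"\x55\x04\x03"                                    # 2.5.4.3 commonName
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # used as a dummy AlgorithmIdentifier

def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def fake_cert(subject, issuer, not_before, not_after="351231235959Z"):
    # Certificate skeleton with the fields the parser reads; no real key or signature.
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, OID_DATA)) + name(issuer)
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + name(subject) + der(0x30, der(0x30, der(0x06, OID_DATA)) + der(0x03, b"\x00")))
    return der(0x30, tbs + der(0x30, der(0x06, OID_DATA)) + der(0x03, b"\x00"))

def fake_pkcs7(certs):
    # Degenerate SignedData (no signers), the shape GetCACert and /cacerts return.
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, sd))

# ---- minimal DER reader ----
def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], end

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    for _, rdn in children(name_body):            # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return None

def cert_summary(cert_body):
    fields = children(children(cert_body)[0][1])   # tbsCertificate children
    i = 1 if fields[0][0] == 0xA0 else 0           # skip optional [0] version
    return {"subject": common_name(fields[i + 4][1]),
            "issuer": common_name(fields[i + 2][1]),
            "not_before": children(fields[i + 3][1])[0][1].decode()}

def parse_certs(data):
    """Accepts one raw X.509 cert, concatenated certs, or a PKCS#7 SignedData blob."""
    out, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE before offset %d" % pos)
        kids = children(body)
        if kids[0][0] == 0x06:                     # ContentInfo, not a Certificate
            if kids[0][1] != OID_SIGNED_DATA:
                raise ValueError("unsupported ContentInfo type")
            _, sd_body, _ = read_tlv(kids[1][1], 0)   # [0] EXPLICIT SignedData
            for t, v in children(sd_body):
                if t == 0xA0:                      # certificates [0] IMPLICIT SET OF Certificate
                    out.extend(parse_certs(v))
        else:
            out.append(cert_summary(body))
    return out

def compare_ca_views(scep_der, est_der):
    scep = {c["subject"] for c in parse_certs(scep_der)}
    est = {c["subject"] for c in parse_certs(est_der)}
    return {"common": scep & est, "scep_only": scep - est, "est_only": est - scep}

def fetch_scep_getca(scep_url):
    # Assumed URL shape, e.g. http://pki.dbmas/scep/generic; GetCACert returns DER.
    with urllib.request.urlopen(scep_url + "?operation=GetCACert") as r:
        return r.read()

def fetch_est_cacerts(est_url):
    # EST /cacerts returns base64-encoded PKCS#7 (RFC 7030 section 4.1.3).
    with urllib.request.urlopen(est_url.rstrip("/") + "/cacerts") as r:
        return base64.b64decode(r.read())

# Constructed sample: one root and three issuing CAs from successive rollovers.
ROOT = fake_cert("dbmas-root", "dbmas-root", "190101000000Z")
CA_2019 = fake_cert("dbmas-ca-2019", "dbmas-root", "190101000000Z")
CA_2022 = fake_cert("dbmas-ca-2022", "dbmas-root", "220101000000Z")
CA_2024 = fake_cert("dbmas-ca-2024", "dbmas-root", "240101000000Z")
SCEP_SAMPLE = fake_pkcs7([CA_2024, ROOT])                 # active signer's chain only
EST_SAMPLE = fake_pkcs7([CA_2019, CA_2022, CA_2024, ROOT]) # every signer, passive ones included

if __name__ == "__main__":
    for label, blob in (("SCEP GetCACert", SCEP_SAMPLE), ("EST /cacerts", EST_SAMPLE)):
        print(label, [c["subject"] for c in parse_certs(blob)])
    print(compare_ca_views(SCEP_SAMPLE, EST_SAMPLE))
```

Against a live system, replace the two sample blobs with fetch_scep_getca("http://pki.dbmas/scep/generic") and fetch_est_cacerts of the realm's EST endpoint; an "est_only" set that is not empty is exactly the discrepancy described in the thread, and the not_before values show which Issuing CA is the most recent one the active signer token should correspond to.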