On 12.08.24 at 11:27, Martin Bartosch via OpenXPKI-users wrote:
I have found the same and as Oliver already mentioned, this has been broken for
a long time. What I did to solve this issue was to use the information in the
certificate itself. You can get the URL of the CRL from the certificate with a
very simple script. The URL from the certificate came from the configuration,
specifically config.d/realm.tpl/profile/default.yaml.
You could put a valid value there and all the generated certificates would have
that URL where you can download the CRL.
You are right. Inclusion of a CDP and/or OCSP AIA is the preferred way of
distributing revocation information resources anyway, and many crypto library
implementations and products already come with built-in mechanisms to process
this information. This is why the GetCRL SCEP operation is commonly not used at
all.
OK, I will skip getcrl and getcert, what about getnextca? I tested 'sscep
getnextca' against demo.openxpki.org and my local installation and both fail
with HTTP 500:
$ sscep getnextca -u http://demo.openxpki.org/scep/generic -c CA.pem-0 -C CAnext -v
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: demo.openxpki.org
sscep: directory: scep/generic
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: connecting to demo.openxpki.org:80
sscep: server response status code: 200, MIME header: text/plain
Renewal
POSTPKIOperation
SHA-512
SHA-384
SHA-256
SHA-224
SHA-1
DES3
AES
sscep: SCEP_OPERATION_GETNEXTCA
sscep: connecting to demo.openxpki.org:80
sscep: server response status code: 500, MIME header: text/plain
sscep: wrong (or missing) MIME content type
sscep: error while sending message
sscep: getnextCA might be not available
According to the documentation, OpenXPKI supports getnextca. On my local
installation I do have an upcoming root-CA.
Best,
-ap
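
Added example, not part of the original message and not code from sscep or OpenXPKI: RFC 8894 (section 3.5.2) has a server list the `GetNextCACert` keyword in its GetCACaps response when it supports CA rollover, so a client can check the capability list before sending that request. The sample input is the capability list from the sscep output above; all function and variable names are illustrative.

```python
# Added example: interpret a SCEP GetCACaps body (RFC 8894, section 3.5.2).
# All names here are illustrative; none come from sscep or OpenXPKI.

# Capability list copied from the sscep -v output quoted in the message above.
SAMPLE_CAPS = (
    "Renewal\nPOSTPKIOperation\nSHA-512\nSHA-384\nSHA-256\n"
    "SHA-224\nSHA-1\nDES3\nAES\n"
)

# Keywords defined by RFC 8894; clients must ignore any others.
RFC8894_KEYWORDS = {
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation",
    "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard",
}
# SCEPStandard implies these three keywords.
SCEPSTANDARD_IMPLIES = {"AES", "POSTPKIOperation", "SHA-256"}
DIGEST_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")  # strongest first


def parse_caps(body):
    """Return (known, unknown) keywords from a text/plain GetCACaps body."""
    tokens = [ln.strip() for ln in body.splitlines() if ln.strip()]
    known = {t for t in tokens if t in RFC8894_KEYWORDS}
    unknown = [t for t in tokens if t not in RFC8894_KEYWORDS]
    if "SCEPStandard" in known:
        known |= SCEPSTANDARD_IMPLIES
    return known, unknown


def plan_client(body):
    """Decide which optional SCEP features the client may rely on."""
    known, unknown = parse_caps(body)
    digest = next((d for d in DIGEST_PREFERENCE if d in known), None)
    cipher = "AES" if "AES" in known else ("DES3" if "DES3" in known else None)
    return {
        "getnextca_advertised": "GetNextCACert" in known,
        "use_post": "POSTPKIOperation" in known,
        "renewal": "Renewal" in known,
        "digest": digest,
        "cipher": cipher,
        "ignored": unknown,
    }


if __name__ == "__main__":
    for key, value in plan_client(SAMPLE_CAPS).items():
        print(f"{key}: {value}")
```

For the capability list shown in the sscep output, `getnextca_advertised` is false because the list carries no `GetNextCACert` keyword.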