On 12.08.24 12:59, Andreas Piesk via OpenXPKI-users wrote:
On 12.08.24 at 11:27, Martin Bartosch via OpenXPKI-users wrote:

I have found the same and, as Oliver already mentioned, this has been broken for a long time. What I did to solve this issue was to use the information in the certificate itself. You can get the URL of the CRL from the certificate with a very simple script. The URL from the certificate came from the configuration, specifically config.d/realm.tpl/profile/default.yaml.

You could put a valid value there and all the generated certificates would have that URL where you can download the CRL.

You are right. Inclusion of a CDP and/or OCSP AIA is the preferred way of distributing revocation information resources anyway, and many crypto library implementations and products already come with built-in mechanisms to process this information. This is why the GetCRL SCEP operation is commonly not used at all.


OK, I will skip getcrl and getcert, what about getnextca? I tested 'sscep getnextca' against demo.openxpki.org and my local installation and both fail with HTTP 500:

$ sscep getnextca -u http://demo.openxpki.org/scep/generic -c CA.pem-0 -C CAnext -v
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: demo.openxpki.org
sscep: directory: scep/generic
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: connecting to demo.openxpki.org:80
sscep: server response status code: 200, MIME header: text/plain
Renewal
POSTPKIOperation
SHA-512
SHA-384
SHA-256
SHA-224
SHA-1
DES3
AES
sscep: SCEP_OPERATION_GETNEXTCA
sscep: connecting to demo.openxpki.org:80
sscep: server response status code: 500, MIME header: text/plain
sscep: wrong (or missing) MIME content type
sscep: error while sending message
sscep: getnextCA might be not available

According to the documentation, OpenXPKI supports getnextca. On my local installation I do have an upcoming root CA.

You likely used old documentation - please check the comments in config.d/realm/democa/workflow/def/scep_getnextcacert.yaml for how to set this up.

Oli

--
Protect your environment -  close windows and adopt a penguin!



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
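
A pre-flight check over the GetCACaps response shown in the sscep log above, added here as an example and not part of the original thread, sscep or OpenXPKI: it parses the capability list and reports whether the server advertises GetNextCACert (the keyword RFC 8894 defines for that operation) and which legacy algorithms it offers. The function names are hypothetical and the sample response is constructed from the capability lines in the log.

```shell
#!/bin/sh
# Added example: inspect a SCEP GetCACaps response (one keyword per line,
# as defined in RFC 8894) before calling optional operations.

# Constructed sample: the capability lines from the sscep log above.
SAMPLE_CAPS='Renewal
POSTPKIOperation
SHA-512
SHA-384
SHA-256
SHA-224
SHA-1
DES3
AES'

# normalize_caps CAPS: strip CRs and surrounding blanks, drop empty lines.
normalize_caps() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# has_cap CAPS KEYWORD: exit 0 only if KEYWORD is advertised.
# Exact whole-line match, so "SHA" does not match "SHA-1".
has_cap() {
    normalize_caps "$1" | grep -qxF -- "$2"
}

# legacy_caps CAPS: print advertised algorithms a client should not select.
legacy_caps() {
    normalize_caps "$1" | grep -xF -e 'SHA-1' -e 'DES3' |
        tr '\n' ' ' | sed 's/ $//'
}

# report CAPS: summary a client could log before choosing operations.
report() {
    for op in GetNextCACert POSTPKIOperation Renewal; do
        if has_cap "$1" "$op"; then echo "$op: advertised"
        else echo "$op: not advertised"; fi
    done
    echo "legacy algorithms offered: $(legacy_caps "$1")"
}

report "$SAMPLE_CAPS"
```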
