Hi, I'm using OpenXPKI Community Edition v3.28.2 and I am currently testing the issuing certificate rollover. For this purpose, ca-signer-1 and ca-signer-2 exist in OpenXPKI. The queries via SCEP and EST lead to different results. The query via EST for CA certificates returns the last one (ca-signer-2), whereas the query via SCEP returns the first one (ca-signer-1).
In my opinion OpenXPKI should return the same result in both cases, preferably the last issuing certificate, as this will be "the new certificate" after the rollover. It would also be dangerous to use "the old certificate" in a certificate request as an anchor for the trust chain shortly before it expires.

________________________________
Kind regards
Ralf Bernhard
R&D Product Development DBMAS
Diagnostic & Monitoring Technologies for Rolling Stock
voestalpine Signaling Siershahn GmbH
Bahnweg 1
56427 Siershahn, Germany
T. +49/2623/6086 - 219
F. +49/2623/6086 - 60
M. +49/151/29261119
ralf.bernh...@voestalpine.com
www.voestalpine.com/railway-systems
www.linkedin.com/company/voestalpine-railway-systems
voestalpine - One step ahead.
Members of the Management Board: Helmut Liebminger (Chairman), Steve-Patrick Stahl (Operations), Harald Hopfgartner (Sales) and Christian Ehmann (Finance)
Amtsgericht Montabaur, HRB 5567
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users