Dear Martin,

thank you very much for your detailed explanation. I tried the GetNextCACert method a few weeks ago without success. The GetCACert query worked (curl -s http://pki.dbmas/scep/generic?operation=GetCACert | openssl pkcs7 -inform DER), but GetNextCACert returned an error message (140074175780672:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data:crypto/asn1/a_d2i_fp.c:198:). According to the RFC, this message is optional and I would have to check whether it is possibly not activated in OpenXPKI.
We have solved the problem differently. Your assumptions were all correct. In the case of SCEP, the “SCEP RA certificate --> ratoken (scep)” in OpenXPKI was still based on the old Issuing Certificate. We therefore created a new “SCEP RA certificate”, confirmed it with the new Issuing Certificate, and SCEP then delivers the right chain. Now we are fine (too 😉)

Kind regards,
Ralf Bernhard
R&D Product Development DBMAS
Diagnostic & Monitoring Technologies for Rolling Stock
voestalpine Signaling Siershahn GmbH
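A check for the situation described in this message, as an added example (not part of the original e-mail and not OpenXPKI code): it takes a saved GetCACert response and tests whether the RA certificate in it was signed by the issuing CA you expect, and it reports an empty or non-DER body such as the one behind the "not enough data" error. The function name and file names are assumptions, and it assumes the RA certificate is signed directly by the issuing CA.

```shell
# ra_issuer_check RESPONSE.der ISSUING_CA.pem   (hypothetical helper)
#   0: every end-entity (RA) certificate in the response verifies against
#      ISSUING_CA.pem
#   1: an RA certificate was signed by another CA, or none was found
#   2: the response is empty or not DER-encoded PKCS#7
# Save the response first, e.g.:
#   curl -s 'http://pki.dbmas/scep/generic?operation=GetCACert' -o resp.der
ra_issuer_check() {
    resp=$1; ca=$2; ok=0; bad=0
    # An empty body is what makes openssl report "not enough data".
    [ -s "$resp" ] || { echo "empty response, no PKCS#7 data" >&2; return 2; }
    work=$(mktemp -d) || return 2
    if ! openssl pkcs7 -inform DER -in "$resp" -print_certs \
            -out "$work/bundle.pem" 2>/dev/null; then
        echo "response is not DER-encoded PKCS#7" >&2
        rm -rf "$work"; return 2
    fi
    # Write each certificate of the bundle to its own PEM file.
    awk -v d="$work" '/-BEGIN CERT/ { f = d "/c" (++n) ".pem" }
                      f             { print > f }
                      /-END CERT/   { f = "" }' "$work/bundle.pem"
    issuers=$(for c in "$work"/c*.pem; do
        openssl x509 -in "$c" -noout -issuer 2>/dev/null |
            sed 's/^issuer= *//'; done)
    for c in "$work"/c*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null |
            sed 's/^subject= *//')
        # A subject that also appears as an issuer belongs to a CA; skip it.
        if printf '%s\n' "$issuers" | grep -Fxq -- "$subj"; then continue; fi
        # Signature check, so a new CA reusing the old DN is not mistaken.
        if openssl verify -partial_chain -CAfile "$ca" "$c" >/dev/null 2>&1
        then ok=$((ok + 1)); echo "OK:   $subj"
        else bad=$((bad + 1)); echo "FAIL: $subj (not signed by $ca)"
        fi
    done
    rm -rf "$work"
    [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

A return value of 1 after an issuing CA rollover corresponds to the state described above, where the RA certificate still chains to the old Issuing Certificate.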