Yes, I agree with Martin, but we recently checked OpenXPKI for auto enrollment but the SCEP implementation in OpenXPKI is broken ... It doesn't enroll a certificate ... We've tried multiple times the same configuration we're using with previous versions but it doesn't work.

Can someone look into and comment on this?

Cheers
Scotty

On Mon, Aug 12, 2024 at 2:28 PM, Martin Bartosch via OpenXPKI-users <openxpki-users@lists.sourceforge.net> wrote:

Hi,

> I have found the same and as Oliver already mentioned, this has been broken
> for a long time. What I did to solve this issue was to use the information in
> the certificate itself. You can get the URL of the CRL from the certificate
> with a very simple script. The URL from the certificate came from the
> configuration specifically config.d/realm.tpl/profile/default.yaml.
>
> You could put a valid value there and all the generated certificates would
> have that URL where you can download the CRL.

You are right. Inclusion of a CDP and/or OCSP AIA is the preferred way of distributing revocation information resources anyway, and many crypto library implementations and products already come with built-in mechanisms to process this information. This is why the GetCRL SCEP operation is commonly not used at all.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
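
The approach discussed in the thread above, reading the CRL URL from the certificate's CDP extension and the OCSP responder from its AIA extension, as an added example that is not part of the original messages or of OpenXPKI. It assumes the `openssl` CLI is installed; the function names and the example.com URLs are constructed for illustration.

```shell
#!/bin/sh
# Print each CRL distribution point (CDP) URI found in a PEM certificate.
cert_cdp_urls() {
    openssl x509 -in "$1" -noout -text | awk '
        NF == 0 { next }                    # older OpenSSL prints blank lines inside the CDP block
        { indent = match($0, /[^ ]/) - 1 }
        indent <= 12 { in_cdp = ($0 ~ /CRL Distribution Points/); next }  # extension header or outer field
        in_cdp && /URI:/ { sub(/^.*URI:/, ""); print }'
}

# Print the OCSP responder URI from the AIA extension (empty if absent).
cert_ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Succeed only if the certificate carries at least one revocation pointer,
# e.g. to confirm a profile change actually reached issued certificates.
has_revocation_pointer() {
    [ -n "$(cert_cdp_urls "$1")" ] || [ -n "$(cert_ocsp_url "$1")" ]
}

# Constructed sample input: self-signed test certificate written to $1/cert.pem.
# $2 = yes adds CDP and AIA extensions with placeholder URLs.
make_sample_cert() {
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\n'
        [ "$2" = yes ] && printf 'x509_extensions=ext\n'
        printf '[dn]\nCN=constructed-test-cert\n'
        printf '[ext]\ncrlDistributionPoints=URI:http://pki.example.com/crl/ca.crl\n'
        printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.com/\n'
    } > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo on two constructed certificates, one with and one without the extensions.
tmp=$(mktemp -d) && mkdir "$tmp/with" "$tmp/without"
make_sample_cert "$tmp/with" yes && make_sample_cert "$tmp/without" no
echo "CDP:  $(cert_cdp_urls "$tmp/with/cert.pem")"
echo "OCSP: $(cert_ocsp_url "$tmp/with/cert.pem")"
has_revocation_pointer "$tmp/without/cert.pem" || echo "second cert: no CDP or OCSP pointer"
rm -rf "$tmp"
```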