Hi Ed,
check your clocks :) We had some issues with devices that are some
seconds in the future or even some that consider an exact match of the
current time as "invalid" as it is not in the past. If this is the case,
you can add a "notbefore" to the profile validity so the certs will be
dated a timespan into the past.
Oliver
On 07.05.25 23:11, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
Hi,
I don’t understand what is happening with OpenXPKI; sometimes it
takes multiple enrollments to obtain a valid certificate. I have
listed the output with the “invalid certificate”, followed by a valid
one. Can anyone explain why that might happen? No errors are recorded
in the logs.
pki --scep --url http://192.168.3.9:8080/scep/generic/pkiclient
--cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig /fdsk/scep/CA_CERT-1.pem
--cacert /fdsk/scep/CA_CERT.pem --in /fdsk/scep/clientKey.pem --san
"device1"
--dn "C=CH, O=strongSwan, CN=device1" --maxpolltime 200 --outform pem >
/fdsk/scep/client1.crt
transaction ID: FA729F68D9523CF2DB5E3657F26AB5E6549D8BBA
using certificate "CN=7721ed02536e:scep-ra"
using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
reached self-signed root ca with a path length of 1
Issued certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
serial: 54:ff:ee:3a:42:82:74:58:cd:9b
using certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
>subject certificate invalid (valid from Apr 24 16:36:20 2025 to May 01
16:36:20 2025)
>Issued certificate is not trusted, valid from Apr 24 16:36:20 2025 until May
01 16:36:20 2025 (currently not valid)
pki --scep --url http://192.168.3.9:8080/scep/generic/pkiclient
--cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig /fdsk/scep/CA_CERT-1.pem
--cacert /fdsk/scep/CA_CERT.pem --in /fdsk/scep/clientKey.pem --san
"device1"
--dn "C=CH, O=strongSwan, CN=device1" --maxpolltime 200 --outform pem >
/fdsk/scep/client1.crt
transaction ID: FA729F68D9523CF2DB5E3657F26AB5E6549D8BBA
using certificate "CN=7721ed02536e:scep-ra"
using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
reached self-signed root ca with a path length of 1
Issued certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
serial: 54:ff:ee:3a:42:82:74:58:cd:9b
using certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
reached self-signed root ca with a path length of 1
>Issued certificate is trusted, valid from Apr 24 16:36:20 2025 until May 01
16:36:20 2025 (currently valid)
Thanks,
Ed
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
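
An added example, not part of the thread and not OpenXPKI or strongSwan code: it parses the validity window from the pki output quoted above (line wrap removed), models a verifier's notBefore check under clock skew and under a strict comparison that rejects an exact match, and computes how far notBefore has to be backdated. The function names and the 3-second skew are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Validity line from the pki output in the post above, with the line wrap removed.
SAMPLE = ("Issued certificate is not trusted, valid from Apr 24 16:36:20 2025 "
          "until May 01 16:36:20 2025 (currently not valid)")

_STAMP = r"(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})"
_WINDOW = re.compile(r"valid from " + _STAMP + r" (?:until|to) " + _STAMP)
_FMT = "%b %d %H:%M:%S %Y"


def parse_window(line):
    """Return (not_before, not_after) from a 'valid from ... until ...' line."""
    m = _WINDOW.search(line)
    if m is None:
        raise ValueError("no validity window found in line")
    return tuple(datetime.strptime(g, _FMT) for g in m.groups())


def verdict(not_before, not_after, verifier_now, strict=False):
    """Classify the certificate as seen by a verifier whose clock reads verifier_now.

    strict=True models a verifier that treats now == notBefore as invalid.
    """
    if strict:
        too_early = verifier_now <= not_before
    else:
        too_early = verifier_now < not_before
    if too_early:
        return "not yet valid"
    if verifier_now > not_after:
        return "expired"
    return "valid"


def min_backdate(max_skew, strict=False):
    """Smallest notBefore backdate that tolerates max_skew between issuer and verifier.

    A strict verifier needs one extra second so that now > notBefore holds.
    """
    return max_skew + (timedelta(seconds=1) if strict else timedelta(0))


if __name__ == "__main__":
    nb, na = parse_window(SAMPLE)
    skew = timedelta(seconds=3)  # assumed worst-case clock difference
    print("clock 3 s off, no backdate:", verdict(nb, na, nb - skew))
    print("exact match, strict check :", verdict(nb, na, nb, strict=True))
    back = min_backdate(skew, strict=True)
    print("backdated by", back, ":", verdict(nb - back, na, nb - skew, strict=True))
```
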