Hi John,
CA-Identifier is not defined in the regular standards but seems to be
some vendor-specific extension (and searching the internet brings up
totally different meanings of it).
To access different realms in OpenXPKI you can add a second SCEP URL,
it is also possible to select a certificate profile by using the
"Certificate Template" extension but with the default setup it is not
possible to achieve this.
I am sure it is possible to change the workflow in a way to get it
working with your demand but that would require an in-depth analysis of
what happens here in the background and add some custom routing to
switch the CA based on "whatever it is". Feel free to reach out via PM
in case you want to involve us on this.
Oliver
On 15.07.25 08:25, Xu, John (CW) via OpenXPKI-users wrote:
Hello Oliver
Thanks for quick response.
With multiple realms (each realm has one CA) in an OpenXPKI instance,
does it work to use the same URL but different CAIdentifier?
Like in this screenshot, the SCEP server URL is always the same, but
OpenXPKI issues certificates according to the CAIdentifier provided.
If CAIdentifier is scep1, the CA in realm “scep1” issues certificates.
If CAIdentifier is scep2, the CA in realm “scep2” issues certificates.
Best Regards
John
*From:*Oliver Welter <m...@oliwel.de>
*Sent:* Tuesday, July 15, 2025 1:31 PM
*To:* openxpki-users@lists.sourceforge.net
*Subject:* Re: [OpenXPKI-users] How to enroll SCEP using different
CAIdentifer in one realm
Hello John,
the concept of OpenXPKI is "one realm is one authority", having
multiple signer certificates in one realm is meant to provide a
seamless operation in case of a CA rollover. With the default
workflows, the system will always take the issuing CA with the
"newest" CA certificate (the most recent notbefore date).
If you want to have different Issuing CAs in parallel, the intended
solution is to set up another realm for the second CA.
best regards
Oliver
On 15.07.25 05:17, Xu, John (CW) via OpenXPKI-users wrote:
Dear team
I’m running the latest version of OpenXPKI in Docker. I’ve
imported two CAs and the corresponding issuing CAs in the default
democa. One was generated using sampleconfig.sh, the other was
generated using openssl. The two issuing CAs show as online in the
web interface, as in the screenshot.
Now the problem is: how can I use SCEP to enroll certificates from
different CAs using different CAIdentifier?
Thank you.
Best Regards
John
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!