Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi,

> You're right, certmonger seems to keep the same private key for renewal.
> So certmonger may not be useful as I read in the getcert man :
> 
> -r automatically renews the certificate when its expiration date is close if
> the key pair already exists. This option is used by default.
> 
> Certmonger renewal needs to keep the same private key : "if the key pair
> already exists". Am I wrong ?

You are right. In my opinion this is not very useful. There is a lot of poorly 
implemented crypto out there, and this includes the "big players". 

Cheers

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread cwam--- via OpenXPKI-users
Hi Martin,

You're right, certmonger seems to keep the same private key for renewal.
So certmonger may not be useful as I read in the getcert man :

-r automatically renews the certificate when its expiration date is close if
the key pair already exists. This option is used by default.

Certmonger renewal needs to keep the same private key : "if the key pair already
exists". Am I wrong ?

Thanks for your help.
Best regards,
--Eric

Feb 15, 2022, 09:42 by vc-...@cynops.de:

> Hi,
>
>> I am stuck in testing autorenew of scep requested certificates.
>>
>> This is my initial enrollment with certmonger :
>> ```
>> getcert request -c openxpki -f $certfolder/nginx2.crt -k 
>> $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L 
>> SecretChallenge
>> ```
>>
>> On client side, Certmonger is aware that the certificate will not be valid 
>> after 2022-02-14 15:03:47.
>>
>
> OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, 
> unauthenticated/self-signed request) and as a renewal request (new private 
> key, request signed with existing/old certificate and key).
> Renewal requests only work as long as the existing certificate is still 
> valid. With the default configuration/workflows it is not possible to renew 
> an expired certificate. This makes sense, a certificate should be renewed 
> before it expires.
>
>> On the OpenXPKI side, I understand that the SCEP server finds the appropriate
>> initial workflow (9983). But is it delivering a new certificate by telling
>> "Delivered certificate via SCEP" ? Am I supposed to see a new workflow ?
>>
>
> Works as designed, this indicates that the client sends an initial enrollment 
> request, not a renewal request. If the original private key is used to 
> request the certificate, the existing certificate will be delivered.
>
> Cheers
>
> Martin
>



Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I am stuck in testing autorenew of scep requested certificates.
> 
> This is my initial enrollment with certmonger :
> ```
> getcert request -c openxpki -f $certfolder/nginx2.crt -k 
> $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L 
> SecretChallenge
> ```
> 
> On client side, Certmonger is aware that the certificate will not be valid 
> after 2022-02-14 15:03:47.

OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, 
unauthenticated/self-signed request) and as a renewal request (new private key, 
request signed with existing/old certificate and key).
Renewal requests only work as long as the existing certificate is still valid. 
With the default configuration/workflows it is not possible to renew an expired 
certificate. This makes sense, a certificate should be renewed before it 
expires.

> On the OpenXPKI side, I understand that the SCEP server finds the appropriate
> initial workflow (9983). But is it delivering a new certificate by telling
> "Delivered certificate via SCEP" ? Am I supposed to see a new workflow ?

Works as designed, this indicates that the client sends an initial enrollment 
request, not a renewal request. If the original private key is used to request 
the certificate, the existing certificate will be delivered.

Cheers

Martin
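The two replies above state the rule that decides the outcome: a request that carries the original private key is treated as an initial enrollment and simply gets the existing certificate back, and a renewal is only accepted while the existing certificate is still valid. The following is an added example, not code from OpenXPKI or certmonger, written in Go with only the standard library. It builds a stand-in "existing" certificate and a follow-up CSR (constructed test material, P-256 keys instead of the 4096-bit RSA key from the getcert call, and no SCEP/PKCS#7 framing), then classifies the pair by comparing the SubjectPublicKeyInfo bytes and the validity window. The scenario names, the `Scenario` helper and the `RenewalCheck` type are my own; how OpenXPKI implements the comparison internally is not shown on the page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalCheck records the two conditions the reply describes for a request
// to count as a renewal rather than an initial enrollment.
type RenewalCheck struct {
	KeyRotated bool // the CSR public key differs from the existing certificate's key
	CertValid  bool // the existing certificate is inside its validity window at request time
}

// Verdict maps the two flags onto the behaviour described in the thread.
func (r RenewalCheck) Verdict() string {
	switch {
	case !r.KeyRotated:
		return "initial enrollment with reused key: existing certificate re-delivered"
	case !r.CertValid:
		return "renewal rejected: existing certificate is outside its validity window"
	default:
		return "renewal: new key, existing certificate still valid"
	}
}

// classifyRequest compares the SubjectPublicKeyInfo of the CSR with the one in the
// existing certificate byte-for-byte (works for RSA and EC alike) and checks
// whether the existing certificate is valid at `now`. The CSR's own signature is
// verified first so a request with a mismatched key is rejected outright.
func classifyRequest(existing *x509.Certificate, csr *x509.CertificateRequest, now time.Time) (RenewalCheck, error) {
	if err := csr.CheckSignature(); err != nil {
		return RenewalCheck{}, fmt.Errorf("CSR self-signature does not verify: %w", err)
	}
	return RenewalCheck{
		KeyRotated: !bytes.Equal(existing.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo),
		CertValid:  !now.Before(existing.NotBefore) && !now.After(existing.NotAfter),
	}, nil
}

// selfSignedCert stands in for the certificate delivered on initial enrollment
// (constructed test material; a real one would be CA-signed).
func selfSignedCert(key *ecdsa.PrivateKey, cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// csrFor builds and parses a PKCS#10 request for key, as the client would submit.
func csrFor(key *ecdsa.PrivateKey, cn string) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// Scenario builds an existing certificate plus a follow-up CSR and classifies the
// pair. rotateKey=false reproduces the certmonger -r behaviour from the thread
// (same private key); expired=true reproduces a renewal attempted too late.
func Scenario(rotateKey, expired bool) (RenewalCheck, error) {
	now := time.Now()
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RenewalCheck{}, err
	}
	notAfter := now.Add(24 * time.Hour)
	if expired {
		notAfter = now.Add(-time.Hour)
	}
	cert, err := selfSignedCert(oldKey, "nginx2.domain.lan", now.Add(-48*time.Hour), notAfter)
	if err != nil {
		return RenewalCheck{}, err
	}
	reqKey := oldKey
	if rotateKey {
		if reqKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return RenewalCheck{}, err
		}
	}
	csr, err := csrFor(reqKey, "nginx2.domain.lan")
	if err != nil {
		return RenewalCheck{}, err
	}
	return classifyRequest(cert, csr, now)
}

func main() {
	for _, c := range []struct{ rotate, expired bool }{{false, false}, {true, true}, {true, false}} {
		r, err := Scenario(c.rotate, c.expired)
		if err != nil {
			panic(err)
		}
		fmt.Printf("rotateKey=%-5v expired=%-5v -> %s\n", c.rotate, c.expired, r.Verdict())
	}
}
```

The first scenario is the one Eric observed: same key, so the server has no reason to issue anything new and hands back the certificate it already has. The second shows why renewal must be scheduled before expiry. Only the third meets both conditions; an operator who wants automatic renewal therefore needs a client that generates a fresh key and signs the request with the still-valid old certificate.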



