Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-16 Thread cwam--- via OpenXPKI-users
Hi,

Thanks Martin.
For those who would like to use certmonger to manage client-side certificates, 
I discovered that it is possible to renew the private key at each certificate 
renewal with this configuration. This is compliant with OpenXPKI.

/etc/certmonger/certmonger.conf:
```
[defaults]
max_key_use_count = 1
```

Regards,
Eric


Feb 15, 2022, 12:48 by openxpki-users@lists.sourceforge.net:

> Hi Martin,
>
> You're right, certmonger seems to keep the same private key for renewal.
> So certmonger may not be useful, as I read in the getcert man page:
>
> -r automatically renews the certificate when its expiration date is close if 
> the key pair already exists. This option is used by default.
>
> Certmonger renewal needs to keep the same private key: "if the key pair 
> already exists". Am I wrong?
>
> Thanks for your help.
> Best regards,
> --
> Eric
>
> Feb 15, 2022, 09:42 by vc-...@cynops.de:
>
>> Hi,
>>
>>> I am stuck in testing autorenew of scep requested certificates.
>>>
>>> This is my initial enrollment with certmonger:
>>> ```
>>> getcert request -c openxpki -f $certfolder/nginx2.crt -k $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L SecretChallenge
>>> ```
>>>
>>> On client side, Certmonger is aware that the certificate will not be valid 
>>> after 2022-02-14 15:03:47.
>>>
>>
>> OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, 
>> unauthenticated/self-signed request) and as a renewal request (new private 
>> key, request signed with existing/old certificate and key).
>> Renewal requests only work as long as the existing certificate is still 
>> valid. With the default configuration/workflows it is not possible to renew 
>> an expired certificate. This makes sense, a certificate should be renewed 
>> before it expires.
>>
>>> On the OpenXPKI side, I understand that the SCEP server finds the appropriate 
>>> initial workflow (9983). But is it delivering a new certificate when it says 
>>> "Delivered certificate via SCEP"? Am I supposed to see a new workflow?
>>>
>>
>> Works as designed; this indicates that the client sends an initial 
>> enrollment request, not a renewal request. If the original private key is 
>> used to request the certificate, the existing certificate will be delivered.
>>
>> Cheers
>>
>> Martin
>>
>
>

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
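A client-side check to go with the certmonger.conf setting above, added here as an example and not part of the thread, of certmonger or of OpenXPKI: it compares the public-key fingerprint of the certificate before and after a renewal, so an operator can confirm that the key really was rotated, and it verifies that certmonger.conf carries `max_key_use_count = 1` under `[defaults]`. It assumes the openssl CLI is installed and that a copy of the previous certificate was saved before the renewal; the function names and file paths are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a certmonger renewal
# produced a new public key, and that certmonger.conf asks for one.
# Assumes the openssl CLI and a saved copy of the pre-renewal certificate.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# Exit 0 when the two certificates carry different public keys (the renewal
# rotated the key); exit 1 when the key was reused or could not be read.
key_rotated() {
    old_fp=$(spki_fingerprint "$1")
    new_fp=$(spki_fingerprint "$2")
    [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" != "$new_fp" ]
}

# Exit 0 when certmonger.conf sets max_key_use_count = 1 in [defaults], the
# setting from the thread that makes certmonger generate a key per renewal.
conf_forces_new_key() {
    awk -F'=' '
        /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); next }
        section == "defaults" {
            k = $1; gsub(/[[:space:]]/, "", k)
            v = $2; gsub(/[[:space:]]/, "", v)
            if (k == "max_key_use_count" && v == "1") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage (paths are placeholders):
#   key_rotated /path/to/previous.crt /etc/pki/nginx/nginx2.crt && echo "key rotated"
#   conf_forces_new_key /etc/certmonger/certmonger.conf && echo "certmonger will rotate keys"
```

Hashing the SubjectPublicKeyInfo rather than looking at serial numbers or validity dates is the point: a renewal can change every other field of the certificate while silently keeping the old key, which is exactly what the default certmonger behaviour discussed in this thread did.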


Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi,

> You're right, certmonger seems to keep the same private key for renewal.
> So certmonger may not be useful, as I read in the getcert man page:
> 
> -r automatically renews the certificate when its expiration date is close if 
> the key pair already exists. This option is used by default.
> 
> Certmonger renewal needs to keep the same private key: "if the key pair 
> already exists". Am I wrong?

You are right. In my opinion this is not very useful. There is a lot of poorly 
implemented crypto out there, and this includes the "big players". 

Cheers

Martin





Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread cwam--- via OpenXPKI-users
Hi Martin,

You're right, certmonger seems to keep the same private key for renewal.
So certmonger may not be useful, as I read in the getcert man page:

-r automatically renews the certificate when its expiration date is close if 
the key pair already exists. This option is used by default.

Certmonger renewal needs to keep the same private key: "if the key pair already 
exists". Am I wrong?

Thanks for your help.
Best regards,
-- 
Eric

Feb 15, 2022, 09:42 by vc-...@cynops.de:

> Hi,
>
>> I am stuck in testing autorenew of scep requested certificates.
>>
>> This is my initial enrollment with certmonger:
>> ```
>> getcert request -c openxpki -f $certfolder/nginx2.crt -k $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L SecretChallenge
>> ```
>>
>> On client side, Certmonger is aware that the certificate will not be valid 
>> after 2022-02-14 15:03:47.
>>
>
> OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, 
> unauthenticated/self-signed request) and as a renewal request (new private 
> key, request signed with existing/old certificate and key).
> Renewal requests only work as long as the existing certificate is still 
> valid. With the default configuration/workflows it is not possible to renew 
> an expired certificate. This makes sense, a certificate should be renewed 
> before it expires.
>
>> On the OpenXPKI side, I understand that the SCEP server finds the appropriate 
>> initial workflow (9983). But is it delivering a new certificate when it says 
>> "Delivered certificate via SCEP"? Am I supposed to see a new workflow?
>>
>
> Works as designed; this indicates that the client sends an initial enrollment 
> request, not a renewal request. If the original private key is used to 
> request the certificate, the existing certificate will be delivered.
>
> Cheers
>
> Martin
>



Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I am stuck in testing autorenew of scep requested certificates.
> 
> This is my initial enrollment with certmonger:
> ```
> getcert request -c openxpki -f $certfolder/nginx2.crt -k $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L SecretChallenge
> ```
> 
> On client side, Certmonger is aware that the certificate will not be valid 
> after 2022-02-14 15:03:47.

OpenXPKI supports SCEP enrollment as an initial enrollment (new private key, 
unauthenticated/self-signed request) and as a renewal request (new private key, 
request signed with existing/old certificate and key).
Renewal requests only work as long as the existing certificate is still valid. 
With the default configuration/workflows it is not possible to renew an expired 
certificate. This makes sense, a certificate should be renewed before it 
expires.

> On the OpenXPKI side, I understand that the SCEP server finds the appropriate 
> initial workflow (9983). But is it delivering a new certificate when it says 
> "Delivered certificate via SCEP"? Am I supposed to see a new workflow?

Works as designed; this indicates that the client sends an initial enrollment 
request, not a renewal request. If the original private key is used to request 
the certificate, the existing certificate will be delivered.

Cheers

Martin




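The distinction Martin draws above, as an added example and not OpenXPKI's own code: a small Python model of a SCEP server deciding between an initial enrollment and a renewal. Keys and certificates are stand-in records with constructed fingerprints (`K1`, `K2`), the `issued` list stands in for the CA's certificate store, and the outcome strings, the `classify` function and the `demo_scenarios` replay are all this example's own. Whether a real server accepts a renewal whose CSR carries the old key is not stated in the thread; the model rejects it, because the thread defines a renewal as carrying a new key.

```python
"""Simplified model of a SCEP server's initial-enrollment vs renewal decision.
Added example, not OpenXPKI code; keys and certificates are constructed records."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str          # stand-in for a public-key fingerprint (constructed)
    not_after: datetime
    self_signed: bool


@dataclass(frozen=True)
class PkcsReq:
    """What the server sees in a PKCSReq: the CSR's subject and public key,
    and the certificate that signed the PKCS#7 envelope."""
    csr_subject: str
    csr_key_id: str
    signer: Cert


# Outcomes, named after the behaviour described in the thread.
INITIAL_DELIVER_EXISTING = "initial: key already has an issued certificate, deliver it again"
INITIAL_ISSUE_NEW = "initial: new key, run the initial enrollment workflow"
RENEWAL_ISSUE_NEW = "renewal: signed with a valid issued certificate, issue a new one"
RENEWAL_REJECT_EXPIRED = "renewal: signer certificate has expired, reject"
RENEWAL_REJECT_UNKNOWN = "renewal: signer certificate was not issued here, reject"
RENEWAL_REJECT_SAME_KEY = "renewal: CSR reuses the signer's key, reject (model's choice)"


def classify(req: PkcsReq, issued: list[Cert], now: datetime) -> str:
    """Decide how the CA treats `req`. `issued` stands in for the CA's store
    of certificates it has previously issued."""
    if req.signer.self_signed:
        # Initial enrollment: unauthenticated, self-signed request. When the
        # CSR's key already belongs to an issued certificate for this subject,
        # the existing certificate is handed back. That is the loop in the
        # thread: certmonger kept the key, so it kept receiving the same cert.
        for cert in issued:
            if cert.subject == req.csr_subject and cert.key_id == req.csr_key_id:
                return INITIAL_DELIVER_EXISTING
        return INITIAL_ISSUE_NEW

    # Renewal: envelope signed with the existing certificate and its key.
    if req.signer not in issued:
        return RENEWAL_REJECT_UNKNOWN
    if now >= req.signer.not_after:
        # Renewal only works while the old certificate is still valid.
        return RENEWAL_REJECT_EXPIRED
    if req.csr_key_id == req.signer.key_id:
        return RENEWAL_REJECT_SAME_KEY
    return RENEWAL_ISSUE_NEW


def demo_scenarios() -> dict[str, str]:
    """Replay the thread's situation with constructed data: one certificate
    for nginx2.domain.lan, key K1, expiring 2022-02-14 15:03:47 EST."""
    est = timezone(timedelta(hours=-5))
    expiry = datetime(2022, 2, 14, 15, 3, 47, tzinfo=est)
    subject = "cn=nginx2.domain.lan"
    existing = Cert(subject, "K1", expiry, self_signed=False)
    issued = [existing]
    before, after = expiry - timedelta(hours=1), expiry + timedelta(minutes=1)
    # Self-signed throwaway certs a client uses to sign initial requests.
    self_k1 = Cert(subject, "K1", after + timedelta(days=365), self_signed=True)
    self_k2 = Cert(subject, "K2", after + timedelta(days=365), self_signed=True)
    return {
        "certmonger default (same key, self-signed)": classify(PkcsReq(subject, "K1", self_k1), issued, after),
        "fresh initial enrollment (new key)": classify(PkcsReq(subject, "K2", self_k2), issued, after),
        "renewal before expiry (new key)": classify(PkcsReq(subject, "K2", existing), issued, before),
        "renewal after expiry (new key)": classify(PkcsReq(subject, "K2", existing), issued, after),
        "renewal before expiry, old key reused": classify(PkcsReq(subject, "K1", existing), issued, before),
    }


if __name__ == "__main__":
    for scenario, outcome in demo_scenarios().items():
        print(f"{scenario:45} -> {outcome}")
```

The first scenario is the one in the logs below: a self-signed request carrying a key that already has a certificate is not a renewal at all, so the server's only sensible answer is the certificate it already issued, no matter how often the client asks.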


[OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-14 Thread cwam--- via OpenXPKI-users
Hi,

I am stuck in testing autorenew of scep requested certificates.

This is my initial enrollment with certmonger:
```
getcert request -c openxpki -f $certfolder/nginx2.crt -k $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L SecretChallenge
```

On client side, Certmonger is aware that the certificate will not be valid 
after 2022-02-14 15:03:47.

```
$ journalctl -f -t certmonger

Feb 14 14:03:52 srvlinux1.domain.lan certmonger[4515]: Certificate in file "/etc/pki/nginx/nginx4.crt" will not be valid after 2022-02-14 15:03:47 EST.
Feb 14 14:03:53 srvlinux1.domain.lan certmonger[4524]: Certificate in file "/etc/pki/nginx/nginx4.crt" issued by CA and saved.
Feb 14 15:03:58 srvlinux1.domain.lan certmonger[4713]: Certificate in file "/etc/pki/nginx/nginx4.crt" is no longer valid.
Feb 14 15:03:59 srvlinux1.domain.lan certmonger[4722]: Certificate in file "/etc/pki/nginx/nginx4.crt" issued by CA and saved.
Feb 14 15:04:04 srvlinux1.domain.lan certmonger[4723]: Certificate in file "/etc/pki/nginx/nginx4.crt" is no longer valid.
Feb 14 15:04:04 srvlinux1.domain.lan certmonger[4732]: Certificate in file "/etc/pki/nginx/nginx4.crt" issued by CA and saved.
...
```

Certmonger seems to request a renewed certificate from the SCEP server.

On the OpenXPKI side, I understand that the SCEP server finds the appropriate 
initial workflow (9983). But is it delivering a new certificate when it says 
"Delivered certificate via SCEP"? Am I supposed to see a new workflow?

```
$ tail -f catchall.log

2022/02/15 06:59:17 openxpki.application.INFO SCEP incoming request, found workflow 9983, state SUCCESS [pid=14219|sid=Np/H|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
2022/02/15 06:59:17 openxpki.application.INFO Delivered certificate via SCEP (zt-Hg4zM5qYeaoWrK0u1ixdFQqU) [pid=14219|sid=Np/H|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
2022/02/15 06:59:22 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=14221|sid=RSFS]
2022/02/15 06:59:22 openxpki.application.INFO SCEP incoming request, id 18613736623267056728949651332883552946253262284120207140875649336207099010943 [pid=14221|sid=RSFS|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
2022/02/15 06:59:22 openxpki.application.INFO SCEP incoming request, found workflow 9983, state SUCCESS [pid=14221|sid=RSFS|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
2022/02/15 06:59:22 openxpki.application.INFO Delivered certificate via SCEP (zt-Hg4zM5qYeaoWrK0u1ixdFQqU) [pid=14221|sid=RSFS|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
2022/02/15 06:59:28 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=14223|sid=DG+g]
2022/02/15 06:59:28 openxpki.application.INFO SCEP incoming request, id 18613736623267056728949651332883552946253262284120207140875649336207099010943 [pid=14223|sid=DG+g|sceptid=18613736623267056728949651332883552946253262284120207140875649336207099010943]
...
```

On the client side, the expiration date is still 2022-02-14 15:03:47 and the 
certificate is no longer valid.

The SCEP configuration is the default one and I am using the default Docker setup.
Thanks and have a nice day.
Eric
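A detection for the loop visible in the catchall.log excerpt above, added as an example and not OpenXPKI tooling: it parses the log format shown in the thread, groups "Delivered certificate via SCEP" events by sceptid, and flags any transaction that receives the same certificate more than once within a short window. That pattern is the server-side signature of a client re-sending an initial enrollment with an already-issued key instead of a renewal. The regular expressions are derived from the lines quoted above, the sample log is constructed from them using the thread's own ids plus one healthy transaction with placeholder ids, and the window and threshold are this example's choices.

```python
"""Detect the SCEP re-delivery loop from the thread in OpenXPKI's catchall.log.
Added example, not OpenXPKI tooling; the sample log is constructed from the
line format quoted in the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) openxpki\.application\.INFO "
    r"(?P<msg>.*?)\s+\[(?P<ctx>[^\]]*)\]\s*$"
)
DELIVERED_RE = re.compile(r"^Delivered certificate via SCEP \((?P<cert>[^)]+)\)$")
WORKFLOW_RE = re.compile(r"^SCEP incoming request, found workflow (?P<wf>\d+), state (?P<state>\w+)$")


def parse_line(line):
    """Split one catchall.log line into timestamp, message and the key=value
    context fields from the trailing [pid=..|sid=..|sceptid=..] block."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split("|") if "=" in kv)
    return {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), "msg": m["msg"], **ctx}


def find_redelivery_loops(lines, window=timedelta(minutes=5), min_hits=2):
    """Return {(sceptid, cert_id): {"count": n, "workflow": id}} for every SCEP
    transaction that had the same certificate delivered at least `min_hits`
    times within `window`. A healthy client receives each certificate once."""
    deliveries = defaultdict(list)
    workflow_of = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or "sceptid" not in rec:
            continue
        if (wm := WORKFLOW_RE.match(rec["msg"])):
            workflow_of[rec["sceptid"]] = wm["wf"]
        if (dm := DELIVERED_RE.match(rec["msg"])):
            deliveries[(rec["sceptid"], dm["cert"])].append(rec["ts"])
    loops = {}
    for (sceptid, cert), stamps in deliveries.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # densest run of deliveries inside the window
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            loops[(sceptid, cert)] = {"count": best, "workflow": workflow_of.get(sceptid)}
    return loops


# Constructed sample log: the thread's transaction id and certificate id,
# replayed three times as the excerpt above shows, plus one healthy
# transaction with placeholder ids that must not be flagged.
SCEPTID = "18613736623267056728949651332883552946253262284120207140875649336207099010943"
CERT = "zt-Hg4zM5qYeaoWrK0u1ixdFQqU"


def _entry(ts, msg, pid, sid, tid=SCEPTID):
    ctx = f"pid={pid}|sid={sid}" + (f"|sceptid={tid}" if tid else "")
    return f"{ts} openxpki.application.INFO {msg} [{ctx}]"


SAMPLE_LOG = [
    _entry("2022/02/15 06:59:17", "SCEP incoming request, found workflow 9983, state SUCCESS", 14219, "Np/H"),
    _entry("2022/02/15 06:59:17", f"Delivered certificate via SCEP ({CERT})", 14219, "Np/H"),
    _entry("2022/02/15 06:59:22", "LibSCEP PKIOperation; message type: PKCSReq", 14221, "RSFS", tid=None),
    _entry("2022/02/15 06:59:22", f"SCEP incoming request, id {SCEPTID}", 14221, "RSFS"),
    _entry("2022/02/15 06:59:22", "SCEP incoming request, found workflow 9983, state SUCCESS", 14221, "RSFS"),
    _entry("2022/02/15 06:59:22", f"Delivered certificate via SCEP ({CERT})", 14221, "RSFS"),
    _entry("2022/02/15 06:59:28", "LibSCEP PKIOperation; message type: PKCSReq", 14223, "DG+g", tid=None),
    _entry("2022/02/15 06:59:28", f"SCEP incoming request, id {SCEPTID}", 14223, "DG+g"),
    _entry("2022/02/15 06:59:28", "SCEP incoming request, found workflow 9983, state SUCCESS", 14223, "DG+g"),
    _entry("2022/02/15 06:59:28", f"Delivered certificate via SCEP ({CERT})", 14223, "DG+g"),
    _entry("2022/02/15 07:10:01", "SCEP incoming request, found workflow 9999, state SUCCESS", 14300, "AbCd", tid="PLACEHOLDER-TID"),
    _entry("2022/02/15 07:10:01", "Delivered certificate via SCEP (PLACEHOLDER-CERT)", 14300, "AbCd", tid="PLACEHOLDER-TID"),
]


def demo():
    return find_redelivery_loops(SAMPLE_LOG)


if __name__ == "__main__":
    for (tid, cert), info in demo().items():
        print(f"sceptid {tid[:16]}... received certificate {cert} {info['count']} times "
              f"(workflow {info['workflow']}): client is re-enrolling with an already-issued key")
```

Keying on sceptid rather than on the client's IP or subject is deliberate: the thread's log shows the same transaction id on every attempt, so one counter per transaction separates a stuck client from a fleet of distinct hosts that legitimately enroll in quick succession.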