From: Pratheesh L. (U. MYS) <Pra...@us...> - 2018-02-27 06:28:28
I am trying to enable CA rollover on OpenXPKI.

1) a) OpenXPKI has the SCEP feature, and I am generating certificates such as
ca-one-scep-1.crt, ca-one-vault-1.crt, ca-root-1.crt and ca-one-signer-1.crt.
Of these, ca-root-1.crt is the root CA certificate and ca-one-signer-1.crt is
the intermediate certificate. When I invoke the getca command I get three
certificates:

    ca-one-scep-1.crt    0 cert
    ca-root-1.crt        1 cert
    ca-one-signer-1.crt  2 cert

b) After that I generate the certificates ca-one-scep-2.crt, ca-one-vault-2.crt,
ca-root-2.crt and ca-one-signer-2.crt. Again, ca-root-2.crt is the root CA
certificate and ca-one-signer-2.crt is the intermediate certificate. I then
update the notbefore and notafter validity of the certificates, e.g.

    openxpkiadm alias --update --realm ca-one --alias ca-one-scep-2 --notbefore "2018-01-01:00:00:00"

When I invoke the GETNEXTCA command I get only the root CA certificate (that is,
I get a single certificate, not the full trusted chain).

Note: Any idea what I could have done wrong? And what further steps do I need
to follow?

Thanks & Regards,
Pratik

________________________________
From: Oliver Welter <ma...@ol...>
Sent: Thursday, December 14, 2017 2:31:40 AM
To: ope...@li...
Subject: Re: [OpenXPKI-users] Openxpki server scep support

Hello Pratik,

getnextca currently just delivers the upcoming root and does not handle
upcoming RA certificates. We are working on a SCEP refactoring and will
implement such functionality likely with this rework; for the moment there
is no configurable way to send the RA certs along.

Oliver

Am 11.12.2017 um 10:17 schrieb Pratheesh Lawrence (UST, MYS):
> Hi,
>
> I am trying to configure the certificate for getnextca. I am running the
> script file and have generated files like root 2, signer 2, vault 2 and
> scep 2. After that I am setting all certificates to a future notbefore date.
>
> Next, I import my new root:
>
> openxpkiadm certificate import --file root 2.pem
>
> Then I set the new alias:
>
> openxpki alias --realm ca-one --identifier XXXX --token root 2 --notbefore
> "2020-01-01 00:00:00"
>
> and check the result with
>
> openxpki alias --realm ca-one
>
> This should look like:
>
> === root ca ===
> current root ca:
> Alias: root-1
> Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
> NotBefore: 2015-10-02 09:26:28
> NotAfter : 2020-10-01 09:26:28
>
> upcoming root ca:
> Alias: root-2
> Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
> NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
> NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>
> But the problem is that when I invoke the getnextCA command I get only the
> root 2 CA certificate.
>
> I am not able to get the intermediate CA. Do I need to change any other
> configuration to get the full trust chain for getnextCA?
>
> Thanks,
>
> pratik
>
> ------------------------------------------------------------------------
> *From:* Oliver Welter <ma...@ol...>
> *Sent:* Friday, December 8, 2017 2:27:23 AM
> *To:* ope...@li...
> *Subject:* Re: [OpenXPKI-users] Openxpki server scep support
>
> Hello Roni,
>
> I think you are mixing up some terms - please consider reading up on some
> PKI basics on what a root cert is, how certificate chains work and the
> functionality of SCEP. This is beyond the scope of this mailing list.
>
> Oliver
>
> Am 08.12.2017 um 05:04 schrieb Roni Joseph:
>> Thanks Oliver. I will try this and let you know. A couple of clarifications.
>>
>>     To configure the certificate for getnextca, you must add a
>>     root-certificate with a future notbefore date. First, import your new root
>>
>>     openxpkiadm certificate import --file rootca2.pem
>>
>> [Roni] When you say import new rootca cert, who is the issuer of this
>> new rootca cert? The current rootca cert I have is the intermediate
>> subca cert generated (openssl) while running sampleconfig.sh.
>> Do we need to have the rollover RA cert to get the future ID cert
>> (GetNewCert)?
>> For getcertinitial to work over scep, should the router cert be created
>> via the GUI, and be in approved state?
>> Is there any design guide on what format openxpki (scep) expects/responds
>> for "GetNextCaCert" messages?
>>
>> Thanks,
>> Roni
>>
>> On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <ma...@ol...> wrote:
>>
>>     Hi Roni,
>>
>>     if you can get the RA/CA cert then the SCEP subsystem is working. I
>>     assume you mean GetCertInitial - this will only fetch an EXISTING
>>     certificate; to enroll for a new certificate you need to create a
>>     CSR on your local machine and send it to the PKI. An example using
>>     the sscep tool is provided on the quickstart page
>>     http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service
>>
>>     To configure the certificate for getnextca, you must add a
>>     root-certificate with a future notbefore date. First, import your
>>     new root
>>
>>     openxpkiadm certificate import --file rootca2.pem
>>
>>     Then set a new alias in the root group with an administratively
>>     overridden notbefore date (you can omit this if the certificate has a
>>     notbefore date in the future itself)
>>
>>     openxpki alias --realm ca-one --identifier XXXX --token root --notbefore "2020-01-01 00:00:00"
>>
>>     You can check the result with
>>
>>     openxpki alias --realm ca-one
>>
>>     This should look like:
>>
>>     === root ca ===
>>     current root ca:
>>     Alias : root-1
>>     Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
>>     NotBefore: 2015-10-02 09:26:28
>>     NotAfter : 2020-10-01 09:26:28
>>
>>     upcoming root ca:
>>     Alias : root-2
>>     Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
>>     NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
>>     NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
>>
>>     Oliver
>>     --
>>     Protect your environment - close windows and adopt a penguin!
>>
>
> --
> Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxpki-users
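An added check for the situation this thread circles around; it is example code written for this page, not OpenXPKI's own code and not from any of the posters. It inspects the certificates a SCEP client pulled with GetNextCACert and reports whether the reply carries the whole upcoming chain (exactly one self-signed root whose notBefore is still in the future, plus the issuing signer/RA certificate that chains to it) or, as Pratik saw, only the new root. It carries its own minimal DER reader so it runs offline against two constructed, unsigned test certificates (ca-root-2 and ca-one-signer-2, with names, dates and the check date NOW chosen as assumptions to mirror the thread). Against a real server you would first unwrap the degenerate PKCS#7 reply, e.g. with `openssl pkcs7 -in nextca.p7b -inform DER -print_certs`, and hand that PEM text to der_certs_from_pem().

```python
# Added example, not OpenXPKI's own code: does a GetNextCACert response carry the whole
# upcoming chain (new root plus the issuing/RA certificate) or, as in the thread, only the
# root? Certificates built here are constructed, unsigned test objects so it runs offline.
import base64
import re
from datetime import datetime

# --- tiny DER encoder, just enough to build a synthetic test certificate ---
def _len(n):  # DER length: short form below 128, else 0x80|count then big-endian bytes
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b
def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body
def _seq(*parts):
    return _tlv(0x30, b"".join(parts))
def _name(cn):  # Name ::= SEQ OF SET OF SEQ { OID 2.5.4.3 (commonName), UTF8String }
    return _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0C, cn.encode()))))
def _time(dt):  # RFC 5280: UTCTime before 2050, GeneralizedTime from 2050 on
    tag, fmt = (0x17, "%y%m%d%H%M%SZ") if dt.year < 2050 else (0x18, "%Y%m%d%H%M%SZ")
    return _tlv(tag, dt.strftime(fmt).encode())
_ALG = _seq(_tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption

def make_cert(subject_cn, issuer_cn, not_before, not_after, serial):
    """Constructed X.509 v3 certificate: dummy key, empty signature, serial < 128."""
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, bytes([serial])), _ALG,
               _name(issuer_cn), _seq(_time(not_before), _time(not_after)),
               _name(subject_cn), _seq(_ALG, _tlv(0x03, b"\x00")))
    return _seq(tbs, _ALG, _tlv(0x03, b"\x00"))

# --- tiny DER reader: subject, issuer and validity of a real or constructed cert ---
def _children(body):
    """Split a DER SEQUENCE/SET body into (tag, value) pairs (single-byte tags only)."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out
def _parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")
def _cn(name_body):
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode()
    return "<no CN>"

def parse_cert(der):
    cert_body = _children(der)[0][1]                # Certificate ::= SEQ { tbs, alg, sig }
    fields = _children(_children(cert_body)[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:                        # skip the explicit [0] version
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject = fields[:5]
    nb, na = _children(validity[1])
    return {"cn": _cn(subject[1]), "subject": subject[1], "issuer": issuer[1],
            "self_signed": subject[1] == issuer[1],
            "not_before": _parse_time(*nb), "not_after": _parse_time(*na)}

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def der_certs_from_pem(text):
    """Every certificate in a PEM bundle, e.g. `openssl pkcs7 -in nextca.p7b -inform DER -print_certs`."""
    return [base64.b64decode("".join(m.split())) for m in _PEM.findall(text)]

def check_next_ca(der_certs, now):
    """Expect one self-signed root that is not yet valid plus the issuing (signer/RA)
    certificates that chain to it. 'Only the root came back' is the thread's symptom."""
    certs = [parse_cert(d) for d in der_certs]
    subjects = {c["subject"] for c in certs}
    roots = [c for c in certs if c["self_signed"]]
    inters = [c for c in certs if not c["self_signed"]]
    problems = []
    if len(roots) != 1:
        problems.append(f"expected one self-signed root, got {len(roots)}")
    elif roots[0]["not_before"] <= now:
        problems.append(f"root {roots[0]['cn']} is already valid, not an upcoming root")
    if not inters:
        problems.append("only the root came back: no issuing/RA certificate in the response")
    problems += [f"{c['cn']}: issuer certificate missing from response"
                 for c in inters if c["issuer"] not in subjects]
    return {"count": len(certs), "root_cn": roots[0]["cn"] if roots else None,
            "intermediates": [c["cn"] for c in inters],
            "problems": problems, "complete_chain": not problems}

# Constructed sample: the thread's second generation, checked as of 2018-02-27 (assumed).
NOW = datetime(2018, 2, 27, 6, 28, 28)
ROOT_2 = make_cert("ca-root-2", "ca-root-2", datetime(2020, 1, 1), datetime(2036, 1, 1), 1)
SIGNER_2 = make_cert("ca-one-signer-2", "ca-root-2", datetime(2020, 1, 1), datetime(2030, 1, 1), 2)

if __name__ == "__main__":
    for label, bundle in (("root only", [ROOT_2]), ("root + signer", [ROOT_2, SIGNER_2])):
        print(label, "->", check_next_ca(bundle, NOW))
```

Two caveats for real use. The script compares issuer and subject Names byte-for-byte, which is what DER guarantees for certificates produced by the same CA but is stricter than RFC 5280 name matching. And the "root is already valid" branch assumes the new root's own notBefore lies in the future; in Oliver's sample output the dates in parentheses are evidently the certificate's own values, so a root that is "upcoming" only because of the administrative notbefore override on the alias will trip that branch. Drop it if your rollover relies on the override, and keep the chain check, which is the part that exposes what Oliver confirms: getnextca hands out the upcoming root alone.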