Hi,

sorry, I just noticed the question after Dalini wrote the answer...

>> cmds->scepCheckRequest: renewal allowed
>> cmds->scepCheckRequest: multiple certificates matched this request, not
>> yet implemented
>
>> It looks like SCEP believes that a certificate already matches the
>> request. Any idea where I can look??
>>
> cmds->scepCheckRequest: multiple certificates matched this request, not
> yet implemented

The function you are using is "renewal". I wanted to do the following
when receiving a request for an already existing cert, use the
data of this certificate as a template for the new one (in particular
Role and RA, which is not contained in the cert request itself,
in addition a future version should extract e.g. SubjectAltNames
from the existing certs and add them to the new cert request).

This is easy if only one single previous certificate exists: use
this certificate as template.

What has happened here is that the SCEP interface has identified
that there are multiple (valid) certificates with the matching DN.
Currently it does not know how to handle this: which certificate
should be chosen as template for the new request?

I think the correct reaction might be to determine the certificate
with the latest NotBefore (NotAfter?) date and use this as a reference
for the newly received request.

If you need this feature, I could implement it. We will need this
in our project, too.

> a second problem with this could be the openssl, since in the 0.9.7
> series openssl doesn't support issuing of certificates with the same dn
> either (micha wrote a patch for the c version, this can be adopted for
> later version with some minor changes, and it's a quite small patch, so
> not too much effort)

It's not OpenSSL, this is clearly caused by ambiguity in the OpenCA
database.

Martin



_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
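As an added example (not code from the mail or from OpenCA itself), the template-selection policy Martin proposes, written in Python: valid certificates matching the request's DN are collected, a single match is used directly, several matches are resolved by the latest NotBefore, and certificates that share that NotBefore are reported as ambiguous rather than guessed. The `IssuedCert` model, its field names and the sample certificates are constructed assumptions, not OpenCA's database schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class IssuedCert:
    """Constructed model of an issued cert in the CA database (assumed fields)."""
    serial: int
    subject_dn: str
    not_before: datetime
    not_after: datetime
    role: str            # Role and RA are in the DB only, not in the cert request
    ra: str
    subject_alt_names: tuple = ()
    revoked: bool = False

def candidate_templates(certs, subject_dn, now):
    """Valid (in date, not revoked) certificates whose DN matches the request."""
    return [c for c in certs if c.subject_dn == subject_dn and not c.revoked
            and c.not_before <= now <= c.not_after]

def select_template(certs, subject_dn, now):
    """Renewal template for this DN, or None for a fresh enrolment.
    Several valid matches: take the latest NotBefore (the policy proposed in
    the mail). Matches sharing that NotBefore stay ambiguous, so refuse."""
    matches = candidate_templates(certs, subject_dn, now)
    if not matches:
        return None
    newest = max(matches, key=lambda c: c.not_before)
    if sum(c.not_before == newest.not_before for c in matches) > 1:
        raise LookupError("several certificates share the latest NotBefore")
    return newest

def template_data(cert):
    """Fields copied from the template certificate into the new request."""
    return {"role": cert.role, "ra": cert.ra, "subject_alt_names": list(cert.subject_alt_names)}

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: three certs for one DN; the first has already expired at NOW.
DN = "CN=scep-client-01,O=Example"
SAMPLE_CERTS = [
    IssuedCert(1, DN, _utc(2004, 1, 1), _utc(2005, 1, 1), "User", "Internal RA"),
    IssuedCert(2, DN, _utc(2004, 6, 1), _utc(2005, 6, 1), "User", "Internal RA",
               ("DNS:scep-client-01.example",)),
    IssuedCert(3, DN, _utc(2004, 9, 1), _utc(2005, 9, 1), "VPN Device", "Internal RA"),
]
NOW = _utc(2005, 3, 1)
```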