Hello Pratik,

getnextca currently just delivers the upcoming root and does not handle upcoming RA certificates. We are working on a SCEP refactoring and will likely implement such functionality with this rework; for the moment there is no configurable way to send the RA certs along.

Oliver

On 11.12.2017 at 10:17, Pratheesh Lawrence (UST, MYS) wrote:
Hi,

As I am trying to configure the certificate for getnextca, I am running the script file and I have generated files like root 2, signer 2, vault 2, scep 2. After that I am adding all certificates to the future notbefore date.

Next, importing my new root like

openxpkiadm certificate import --file root 2.pem

Then I am setting the new alias like

openxpki alias --realm ca-one --identifier XXXX --token root 2 --notbefore "2020-01-01 00:00:00"

while checking the result with

openxpki alias --realm ca-one

This should look like:

=== root ca ===
current root ca:
Alias: root-1
Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
NotBefore: 2015-10-02 09:26:28
NotAfter : 2020-10-01 09:26:28
upcoming root ca:
Alias: root-2
Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)

But the problem is, while I am trying to invoke the command getnextCA, I am getting only the root 2 CA certificate. I am not able to get the intermediate CA. Do I need to change any other configuration to get the full trust chain certificates for getnextCA?

Thanks,
Pratik

------------------------------------------------------------------------
*From:* Oliver Welter <[email protected]>
*Sent:* Friday, December 8, 2017 2:27:23 AM
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] Openxpki server scep support

Hello Roni,

I think you are mixing up some terms. Please consider reading up on some PKI basics on what a root cert is, how certificate chains work and the functionality of SCEP. This is beyond the scope of this mailing list.

Oliver

On 08.12.2017 at 05:04, Roni Joseph wrote:

Thanks Oliver. I will try this and let you know. A couple of clarifications.

>> To configure the certificate for getnextca, you must add a root-certificate with a future notbefore date. First, import your new root
>> openxpkiadm certificate import --file rootca2.pem

[Roni] When you say import new rootca cert, who is the issuer of this new rootca cert? The current rootca cert I have is the intermediate subca cert generated (openssl) while running sampleconfig.sh. Do we need to have the rollover RA cert to get the future ID cert (GetNewCert)? For getcertinitial to work over scep, should the router cert be created via GUI and be in approved state? Any design guide on what format openxpki (scep) expects/responds for "GetNextCaCert" messages?

Thanks,
Roni

On Thu, Dec 7, 2017 at 10:42 PM, Oliver Welter <[email protected]> wrote:

Hi Roni,

if you can get the RA/CA cert then the SCEP subsystem is working. I assume you mean GetCertInitial - this will only fetch an EXISTING certificate; to enroll for a new certificate you need to create a CSR on your local machine and send it to the PKI. An example using the sscep tool is provided on the quickstart page http://openxpki.readthedocs.io/en/latest/quickstart.html#enabling-the-scep-service

To configure the certificate for getnextca, you must add a root-certificate with a future notbefore date.

First, import your new root

openxpkiadm certificate import --file rootca2.pem

Then set a new alias in the root group with an administratively overridden notbefore date (you can omit this if the certificate has a notbefore date in the future itself)

openxpki alias --realm ca-one --identifier XXXX --token root --notbefore "2020-01-01 00:00:00"

You can check the result with

openxpki alias --realm ca-one

This should look like:

=== root ca ===
current root ca:
Alias : root-1
Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
NotBefore: 2015-10-02 09:26:28
NotAfter : 2020-10-01 09:26:28
upcoming root ca:
Alias : root-2
Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)

Oliver

--
Protect your environment - close windows and adopt a penguin!
-- Protect your environment - close windows and adopt a penguin!
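An added example, not from this thread or from OpenXPKI: it parses the `openxpki alias --realm ca-one` listing shown above and applies the checks Oliver's procedure implies, namely whether an upcoming root alias exists, whether its notbefore lies in the future, and whether that date came from an administrative --notbefore override rather than from the certificate. Assumptions: the listing format is exactly as shown in the thread, and the date in parentheses is the certificate's own value displayed when an override is in effect.

```python
import re
from datetime import datetime
# Constructed sample: the `openxpki alias --realm ca-one` listing as shown in the thread.
SAMPLE_LISTING = """=== root ca ===
current root ca:
Alias : root-1
Identifier: 9p_FxU-wdTaciZD5lcOIiP-CLxk
NotBefore: 2015-10-02 09:26:28
NotAfter : 2020-10-01 09:26:28
upcoming root ca:
Alias : root-2
Identifier: Als6THNt9jedxlF5AD0P5a4bhjY
NotBefore: 2020-10-01 09:26:25 (2006-11-03 07:00:58)
NotAfter : 2020-10-01 09:26:28 (2036-11-03 07:00:58)
"""
FMT = "%Y-%m-%d %H:%M:%S"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
DATE_RE = re.compile(rf"({TS})(?:\s*\(({TS})\))?")  # "alias date (certificate date)"

def parse_alias_listing(text):
    entries, group = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(current|upcoming) root ca:", line)
        if m:
            group = m.group(1)
            entries[group] = {}
        elif group is not None and (f := re.match(r"\s*(\w+)\s*:\s*(.*)", line)):
            key, val = f.group(1).lower(), f.group(2).strip()
            if key in ("notbefore", "notafter"):
                d = DATE_RE.match(val)
                entries[group][key] = datetime.strptime(d.group(1), FMT)
                # Assumption: the parenthesised date is the certificate's own
                # value, shown when the alias date was set with --notbefore.
                entries[group][key + "_cert"] = d.group(2) and datetime.strptime(d.group(2), FMT)
            else:
                entries[group][key] = val
    return entries

def check_rollover(entries, now_str):
    # Findings to review before relying on getnextca; now_str uses FMT.
    now = datetime.strptime(now_str, FMT)
    nxt = entries.get("upcoming")
    if nxt is None:
        return ["no upcoming root alias: getnextca has nothing to deliver"]
    findings = []
    if nxt["notbefore"] <= now:
        findings.append("upcoming alias notbefore is not in the future")
    if nxt["notbefore_cert"] and nxt["notbefore_cert"] <= now:
        findings.append("alias notbefore is an administrative override; cert already valid")
    return findings
```

Feed it the real listing (for example via `subprocess`) to automate the check after each rollover step; note that it only inspects alias dates, not which certificates getnextca actually returns.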
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
