Hi Nick,

On 28.06.21 at 05:27, Nick Dawson wrote:
> I know I'm asking for a lot of help lately. My intention is to help
> write some docs and a blog post once I get this all sorted. I hope
> that's a good way to help :)

That would be highly appreciated - we can also add a "use case" section on our read the docs page if you want to contribute it there....

> I'm going back to basics
>
> Simple question this time: what's the best way to re-cert and re-key
> my SCEP?
>
> I've tried:
>
> 0. echo $BASE > /usr/local/etc/openxpki/ssl/dzsec/
> #All files owned by openxpki and relative to $BASE
>
> 1. creating a new CSR with the new key usage flags & a new key.pem
> 2. creating a new cert signed by my CA from the key and CSR
> 3. removing the old alias for scep-1
> 4. removing the old key from sys.crypto.keys
> 5. adding a new alias with: openxpkiadm alias --realm dzsec --token
>    scep --file ca-one-scep-7.crt --key scep7.pem
> 6. adding a new datapool key with: openxpkicli set_data_pool_entry
>    --arg namespace=scep.cache.getca --arg
>    key="generic:scep-1:ca-signer-1" --arg value="" --arg force=1
>    --authstack DZsec_Operator --authuser <user> --authpass
>    <randomlongpass>
> 7. openxpkicli set_data_pool_entry --arg namespace=scep.cache.getca
>    --arg key="generic:scep-1:ca-signer-1" --arg value="" --arg
>    force=1 --authstack DZsec_Operator --authuser <user> --authpass
>    <randomlongpass>
> 8. openxpkiadm alias --realm dzsec
>

Looks like this should work but you spend way too much ;)
First - there is no need to remove the old alias and keys. If you run #5 with the old alias still in place it will use the next free generation number; this also makes #6 and #7 obsolete, as the new generation number will use a new key that is empty (side note: to remove an entry, delete_data_pool_item is the more suitable way, but the result is the same..). In case you did not remove the "System" stack from your setup you can also run those commands without any auth parameters.

> === functional token ===
> scep (scep):
> Alias : scep-1
> Identifier: A RANDOM ID
> NotBefore : 2021-06-28 02:47:16
> NotAfter : 2023-01-14 02:47:16
>
>
> 9. service restart
> 10. system reboot

When you roll over to a new generation, a service restart is not required, and OpenXPKI never requires a system reboot (we are not in Windows...)

Oliver

--
Protect your environment - close windows and adopt a penguin!
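The rollover as Oliver describes it, written up as an added example (this is not code from the thread or from the OpenXPKI project): generate a new key and CSR, sign it with the CA, and register it as the next generation with the old alias left in place, so the datapool edits, restart and reboot from the original list drop out. Realm "dzsec" and token group "scep" come from the thread; the CA cert/key paths, the subject, the validity and the key usage set (digitalSignature, keyEncipherment, what a SCEP RA signer needs) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI: roll the SCEP
# token over to a new generation the way Oliver describes (old alias kept,
# openxpkiadm picks the next generation, no datapool edits, no restart).
# Assumptions: realm "dzsec" and token group "scep" from the thread; CA
# cert/key paths, subject, validity and key usage set are my own choices.
set -eu

REALM=${REALM:-dzsec}
BASE=${BASE:-/usr/local/etc/openxpki/ssl/$REALM}   # Nick's step 0
CA_CERT=${CA_CERT:-$BASE/ca-one.crt}                # assumed path
CA_KEY=${CA_KEY:-$BASE/ca-one.key}                  # assumed path
KEY_USAGE='keyUsage=critical,digitalSignature,keyEncipherment'

# Read an `openxpkiadm alias --realm ...` listing on stdin and print the
# highest generation number shown for a token group (scep-1 -> 1, none -> 0).
current_generation() {   # $1 = token group name
    awk -v grp="$1" '
        BEGIN { max = 0 }
        $1 == "Alias" && $3 ~ ("^" grp "-[0-9]+$") {
            n = $3; sub(("^" grp "-"), "", n); if (n + 0 > max) max = n + 0 }
        END { print max }'
}

rollover() {
    gen=$(openxpkiadm alias --realm "$REALM" | current_generation scep)
    next=$((gen + 1))
    # Fresh key + CSR; the key usage is what a SCEP RA signer needs to
    # sign responses and unwrap PKCS#7 envelopes.
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$BASE/scep$next.pem" -out "$BASE/scep$next.csr" \
        -subj "/CN=SCEP RA $REALM gen $next" -addext "$KEY_USAGE"
    # Sign with the CA as an end-entity cert (no CA:TRUE); extensions come
    # from an ext file so this also works with OpenSSL 1.1.x.
    printf '%s\nbasicConstraints=CA:FALSE\n' "$KEY_USAGE" > "$BASE/scep-ra.ext"
    openssl x509 -req -in "$BASE/scep$next.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 540 -extfile "$BASE/scep-ra.ext" \
        -out "$BASE/ca-one-scep-$next.crt"
    # Register it as the next generation: the old alias stays in place,
    # so steps 3, 4, 6, 7, 9 and 10 of the original list are not needed.
    openxpkiadm alias --realm "$REALM" --token scep \
        --file "$BASE/ca-one-scep-$next.crt" --key "$BASE/scep$next.pem"
    # Check that the listing now shows the new generation.
    [ "$(openxpkiadm alias --realm "$REALM" | current_generation scep)" = "$next" ]
}

if [ "${1:-}" = "run" ]; then rollover; fi
```

Run it as `sh rollover.sh run` on the OpenXPKI host; without the argument it only defines the functions, so `current_generation` can be checked against a saved listing first.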
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
