[OpenXPKI-users] OpenXPKI issues "invalid certificates" intermittently during SCEP enrollment

Wed, 07 May 2025 14:28:25 -0700 

Hi,
    I don't understand what is happening with OpenXPKI, sometimes it takes 
multiple enrollment to obtain a valid certificate.  I have listed the output 
with the "invalid certificate", followed by a valid one. Can anyone explain why 
that might happen. No errors are recorded in the logs.

pki --scep --url http://192.168.3.9:8080/scep/generic/pkiclient
--cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig /fdsk/scep/CA_CERT-1.pem
--cacert /fdsk/scep/CA_CERT.pem --in /fdsk/scep/clientKey.pem --san "device1"
--dn "C=CH, O=strongSwan, CN=device1" --maxpolltime 200 --outform pem >
/fdsk/scep/client1.crt
transaction ID: FA729F68D9523CF2DB5E3657F26AB5E6549D8BBA
  using certificate "CN=7721ed02536e:scep-ra"
  using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
  using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
  reached self-signed root ca with a path length of 1
Issued certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
  serial: 54:ff:ee:3a:42:82:74:58:cd:9b
  using certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
  using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
>subject certificate invalid (valid from Apr 24 16:36:20 2025 to May 01 
>16:36:20 2025)
>Issued certificate is not trusted, valid from Apr 24 16:36:20 2025 until May 
>01 16:36:20 2025 (currently not valid)

pki --scep --url http://192.168.3.9:8080/scep/generic/pkiclient
--cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig /fdsk/scep/CA_CERT-1.pem
--cacert /fdsk/scep/CA_CERT.pem --in /fdsk/scep/clientKey.pem --san "device1"
--dn "C=CH, O=strongSwan, CN=device1" --maxpolltime 200 --outform pem >
/fdsk/scep/client1.crt
transaction ID: FA729F68D9523CF2DB5E3657F26AB5E6549D8BBA
  using certificate "CN=7721ed02536e:scep-ra"
  using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
  using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
  reached self-signed root ca with a path length of 1
Issued certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
  serial: 54:ff:ee:3a:42:82:74:58:cd:9b
  using certificate "DC=org, DC=OpenXPKI, DC=Test Deployment, CN=device1"
  using trusted intermediate ca certificate "C=DE, O=OpenXPKI, OU=PKI,
CN=OpenXPKI Demo Issuing CA 20250416"
  using trusted ca certificate "CN=OpenXPKI Root CA 20250416"
  reached self-signed root ca with a path length of 1
>Issued certificate is trusted, valid from Apr 24 16:36:20 2025 until May 01 
>16:36:20 2025 (currently valid)

Thanks,
Ed

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users






















					Reply via email to