Hi there.
With vanilla Docker and 3.32.8 configs, when trying to retrieve SCEP
certs via getcacert ( /usr/libexec/strongswan/pki --scepca --url ${URL}
--outform pem --caout certs/CAs/scepca ), the issuer certificate
(certs/CAs/scepca-1.pem) is not returned.
sscep had the same results; I just used the strongSwan pki tool to get obvious
verbose command output showing that there's a missing certificate.
After *A LOT* of testing with many config combinations, I managed to
find the culprit:
for some reason, 'clca certify' is breaking the SCEP RA token...
By replacing
clca certify --profile endentity --days 365 ratoken.csr
with
openssl ca -create_serial -config etc/openssl.cnf -extensions
endentity_ext -batch -days 365 -in ratoken.csr -cert issuingca.crt
-passin env:PASSPHRASE -keyfile issuingca.key -out newcert.pem
in sampleconfig.sh, a working certificate is generated.
I've made way too many attempts to fix this, but I wasn't able to
find where to fix it ( tried changing/adding a profile to openssl.cnf, mixing
v3.32.8 with 3.32.7 configs, etc. )
BTW: shouldn't SCEP tokens include the :scep-ra application suffix in the CN?
openssl req -new -key ratoken.key -passin pass:secret -out
ratoken.csr -subj "/CN=Internal RA" -> -subj "/CN=Internal RA:scep-ra"
Another thing I noticed is that, even after removing '--algorithm rsa' from
the 'clca genkey' command, getcacert works fine too ( I know, SCEP
doesn't widely support EC algorithms ( or not at all, not sure about this yet
) ).
Any ideas as to why clca is breaking the SCEP ratoken?
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
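Added example, not from the original post or from OpenXPKI/strongSwan: a shell check that splits the PEM bundle returned by getcacert into single certificates and reports any certificate whose issuer is not in the bundle (the symptom above, scepca-1.pem absent), plus a check for the :scep-ra CN suffix the post asks about. Function names and the bundle path are assumptions; only the openssl CLI is required.

```shell
#!/bin/sh
# check_bundle_chain BUNDLE.pem
# Prints every certificate whose issuer is missing from the bundle.
# Returns 0 when the bundle is self-contained, 1 otherwise.
check_bundle_chain() {
  bundle="$1"
  workdir=$(mktemp -d)
  # Split the concatenated PEM file into cert1.pem, cert2.pem, ...
  awk -v dir="$workdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out { print > out }
    /-----END CERTIFICATE-----/ { out = "" }' "$bundle"
  # Collect all subject DNs present in the bundle (RFC2253 form for exact matching)
  subjects=""
  for f in "$workdir"/cert*.pem; do
    [ -f "$f" ] || continue
    subjects="$subjects
$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"
  done
  rc=0
  # Every issuer DN must appear as some subject DN in the same bundle
  for f in "$workdir"/cert*.pem; do
    [ -f "$f" ] || continue
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if ! printf '%s\n' "$subjects" | grep -qxF -- "$issuer"; then
      echo "missing issuer '$issuer' for $(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)"
      rc=1
    fi
  done
  rm -rf "$workdir"
  return $rc
}

# cn_has_scep_ra_suffix CERT.pem
# Returns 0 when the subject CN ends in ":scep-ra" (the suffix the post asks about).
cn_has_scep_ra_suffix() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p' | grep -q ':scep-ra$'
}

# Usage: ./check_scep_bundle.sh certs/CAs/scepca.pem  (path is an assumption)
if [ "$#" -gt 0 ]; then
  check_bundle_chain "$1"
fi
```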