Updating:
I am one of those who hate not knowing what is wrong when something
doesn't work and won't rest until the core of the issue is revealed...
So I dug deeper, and now I see the "problem": clca will always use the root
certificate to 'certify' any certificate requests (as intended)... and
up until version 3.32.7, the scep ra certificate was signed by the realm
issuer CA....
So, this is probably a real fix to get the config working like previous
versions (replaced -extensions by -name to comply with the use of
profiles):
openssl ca -create_serial -config etc/openssl.cnf -name endentity -batch
-days 365 -in ratoken.csr -cert issuingca.crt -passin env:PASSPHRASE
-keyfile issuingca.key -out newcert.pem
Was this change intentional? (I guess not)
On 08/09/2025 21:15, Mauricio Silveira via OpenXPKI-users wrote:
Hi there.
With vanilla docker and 3.32.8 configs, when trying to retrieve scep
certs via getcacert (/usr/libexec/strongswan/pki --scepca --url
${URL} --outform pem --caout certs/CAs/scepca), the issuer
certificate (certs/CAs/scepca-1.pem) is not returned.
sscep had the same results; I just used the ss pki tool to get an obvious,
verbose command output showing that there's a missing certificate.
After *A LOT* of testing with many config combinations, I managed to
find the culprit:
For some reason, 'clca certify' is breaking the scep ra token....
By replacing
clca certify --profile endentity --days 365 ratoken.csr
with
openssl ca -create_serial -config etc/openssl.cnf -extensions
endentity_ext -batch -days 365 -in ratoken.csr -cert issuingca.crt
-passin env:PASSPHRASE -keyfile issuingca.key -out newcert.pem
in sampleconfig.sh, a working certificate is generated.
I've made way too many attempts to try to fix this, but I wasn't able
to find where to fix it (tried changing/adding a profile to openssl.cnf,
mixing v3.32.8 with 3.32.7 configs, etc...).
BTW: shouldn't scep tokens include the :scep-ra application suffix in the CN?
openssl req -new -key ratoken.key -passin pass:secret -out
ratoken.csr -subj "/CN=Internal RA" -> -subj "/CN=Internal RA:scep-ra"
Another thing I noticed is that, even after removing the '--algorithm rsa'
from the 'clca genkey' command, getcacert works fine too (I know, scep
doesn't widely support ec algos (or not at all, not sure about this
yet)).
Any ideas as to why clca is breaking the scep ratoken?
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
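A quick check for the situation described in this thread (added example script, not part of the thread or of OpenXPKI's sampleconfig.sh): it confirms that a freshly issued RA certificate such as newcert.pem was signed by the issuing CA rather than the root, and that it chains to the root through that CA. The three file paths are arguments you supply; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenXPKI): confirm that an SCEP RA
# certificate was signed by the realm's issuing CA, not directly by the root,
# and that it chains to the root through that CA. Requires the openssl CLI.
# Usage: check_ra_issuer RA_CERT ISSUING_CA_CERT ROOT_CERT
check_ra_issuer() {
    ra="$1"; ica="$2"; root="$3"
    # Compare the RA cert's issuer DN with the issuing CA's subject DN
    # (both printed by the same openssl build, so the DN formatting matches).
    ra_issuer=$(openssl x509 -in "$ra" -noout -issuer | sed 's/^issuer=//')
    ica_subject=$(openssl x509 -in "$ica" -noout -subject | sed 's/^subject=//')
    if [ "$ra_issuer" != "$ica_subject" ]; then
        echo "FAIL: RA cert issuer is '$ra_issuer', expected '$ica_subject'" >&2
        return 1
    fi
    # A matching name is not proof: also verify the signature chain root -> CA -> RA.
    if ! openssl verify -CAfile "$root" -untrusted "$ica" "$ra" >/dev/null 2>&1; then
        echo "FAIL: RA cert does not chain to the root via the issuing CA" >&2
        return 1
    fi
    echo "OK: RA cert issued by '$ica_subject' and chains to the root"
    return 0
}

# Run directly with three paths; with no arguments it only defines the function.
if [ "$#" -eq 3 ]; then
    check_ra_issuer "$@"
fi
```

A certificate signed by the root (the clca behaviour described above) fails the first test, since its issuer is the root's subject, not the issuing CA's.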