mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

CMP config file Key Update question #140

Closed mikejhathaway closed 6 years ago

mikejhathaway commented 6 years ago

Hi There,

I have a question about the cmp.cnf file. The following works for the initial enrollment, but key update is not working as expected. I saw from another post the same configuration being used with an EJBCA and used this as the basis for my config.

I can see that the original device_one.key\cert is being used for the update instead of device_one_new.key\cert. It's not obvious to me where I have made a mistake; any pointers are welcome.

Thanks

Mike

# Default options
[default]
# General information
server = enroll.pki.acme.com:8040
path = cmp/eNodeB

# Server authentication
trusted = C:/tools/OpenSSL/data/CMPCA.cer
recipient = "/C=GB/O=ACME/OU=Certification Authorities/CN=CMPv2 Test Certification Authority"
ignore_keyusage = 1

# Client authentication
# key and cert will not be used for [first]
key = C:/tools/OpenSSL/data/device_one.key
cert = C:/tools/OpenSSL/data/device_one.cer

# Certificate enrollment options
implicitconfirm = 1

# Certificate request options
certout = C:/tools/OpenSSL/data/new_device_one.cer

# Initial request options
[first]
# Generic message options
cmd = ir

# Certificate request options
newkey = $default::key
subject = /CN=device1.acme.com

# Renew certificate options
[renew]
# Generic message options
cmd = kur

# Re-key certificate options
[rekey]
# Generic message options
cmd = kur

# Certificate request options
newkey = C:/tools/OpenSSL/data/device_one_new.key
certout = C:/tools/OpenSSL/data/device_one_new.cer

DDvO commented 6 years ago

Hi Mike,

as written in the CLI help output:

 -oldcert val          Certificate to be updated (defaulting to -cert)  ...

you can use the -oldcert option to specify the cert to be updated; otherwise the cert given with the -cert option (which in your case is the original one) is used.

Alternatively you can change the argument of the -certout option to C:/tools/OpenSSL/data/device_one.cer so that on each successful enrollment the previous version of your cert is overwritten and the next update refers (via the -cert default) to this current version.

Cheers, David
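As an added illustration of the first option David describes (this is example config, not from the issue author or the cmpossl project), here is a [rekey] section with the certificate to be updated spelled out. It assumes that config keys map to the CLI options without the leading dash, as the rest of Mike's cmp.cnf does, and that the file names ending in _newer are placeholders chosen for this example.

```ini
# Re-key certificate options (added example, not the original config)
[rekey]
# Generic message options
cmd = kur

# Credentials that sign the KUR message. These must be the CURRENTLY
# valid key and certificate, i.e. the ones issued by the previous run.
# Here they are the files written by the first kur in Mike's config.
key = C:/tools/OpenSSL/data/device_one_new.key
cert = C:/tools/OpenSSL/data/device_one_new.cer

# Certificate to be updated. Defaults to "cert" (see -oldcert in the
# help output); stated explicitly so the file documents the intent.
oldcert = C:/tools/OpenSSL/data/device_one_new.cer

# Fresh key pair for the replacement certificate and where to store
# the result (placeholder names, assumed for this example).
newkey = C:/tools/OpenSSL/data/device_one_newer.key
certout = C:/tools/OpenSSL/data/device_one_newer.cer
```

Because a kur issues the new certificate for newkey, key and cert (and with them oldcert) must both be pointed at the newest files before the following update; if you instead let certout overwrite the current cert as in David's second suggestion, the private key file has to be replaced in the same step, or the next KUR will be signed with a key that no longer matches the cert.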