mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

When an RR message is used to revoke a certificate, the message "issuer's AKI not present" is displayed. #214

Closed gezhouyu closed 3 years ago

gezhouyu commented 4 years ago

Hi Sir, I want to revoke a certificate using the RR message. The commands are as follows:

```
openssl cmp -cmd rr -server 10.10.10.10:8888 -path cmp/SubCA -srvcert 111.pem -cert Requestor_cert.pem -key Requestor_key.pem -ignore_keyusage -oldcert TestCert1.cer -revreason 0
```

But the following error message is displayed:

```
[root@dggphicprd08002 11111]# openssl cmp -cmd rr -server 10.10.10.10:8888 -path cmp/SubCA -srvcert 111.pem -cert Requestor_cert.pem -key Requestor_key.pem -ignore_keyusage -oldcert TestCert1.cer -revreason 0
CMP INFO: using OpenSSL configuration file '/opt/openssl/../openssl-1.1.0j/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/opt/openssl/../openssl-1.1.0j/openssl.cnf'; will thus use just [default] and unnamed section if present
Enter pass phrase for Requestor_key.pem:
CMP INFO: sending rr
CMP INFO: got response
140421837416256:error:390C70A9:CMP routines:send_receive_check:received error:crypto/cmp/cmpses.c:221:PKIStatus: rejection; PKIFailureInfo: badCertTemplate; StatusString: "issuer's AKI not present"
```

Can you give me some guidance on how I'm going to handle this error? Thanks.

Best wishes, Iya

DDvO commented 3 years ago

Hi @gezhouyu, very sorry that I missed your question so far. The error message apparently means that the certificate that you want to revoke does not have an Authority Key Identifier X.509 extension but the server requires it.
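
A pre-flight check for the condition described in the reply above, as an added example that is not part of the thread or of the cmpossl code: it walks a certificate's DER encoding and reports whether an Authority Key Identifier extension (OID 2.5.29.35) is present. The function names and the skeleton sample certificates are constructed for illustration; the samples have the right nesting but placeholder fields and no real signature.

```python
import ssl
AKI_OID = bytes([0x55, 0x1D, 0x23])  # DER content of OID 2.5.29.35 (authorityKeyIdentifier)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):  # iterate the elements inside a constructed value
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def has_aki(cert):
    """True if the certificate (DER bytes or PEM text) has an AKI extension."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    tbs = read_tlv(read_tlv(cert)[1])[1]  # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                if read_tlv(ext)[1] == AKI_OID:  # first field of Extension is extnID
                    return True
    return False

def tlv(tag, value=b""):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def sample_cert(extensions):
    """Constructed skeleton: right nesting, placeholder fields, no real signature."""
    fields = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5
    if extensions:
        fields += tlv(0xA3, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, tlv(0x30, fields) + tlv(0x30) + tlv(0x03, b"\x00"))

SKI = tlv(0x30, tlv(0x06, bytes([0x55, 0x1D, 0x0E])) + tlv(0x04, tlv(0x04, b"\x11" * 20)))
AKI = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, b"\x22" * 20))))

if __name__ == "__main__":
    print(has_aki(sample_cert([SKI, AKI])), has_aki(sample_cert([SKI])))
```

For a real file, pass `open(path, "rb").read()` for DER or the file's text for PEM; a `False` result for the `-oldcert` file matches the situation the reply describes.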