Tags: certificate, x509certificate, jscep, openxpki

OpenXPKI with JSCEP to request CRL


I am trying to obtain the CRL from an OpenXPKI server (the default configuration is used). Requesting and polling of a certificate is possible.

On the OpenXPKI server, I revoked some certificate, created the CRL and published the list. To obtain the CRL I tried different approaches.

First approach:

X509CRL crl = client.getRevocationList(jscepCertificate, jscepKeyPair.getPrivate(), 
              certificate.getIssuerX500Principal(), certificate.getSerialNumber());

Second approach:

X509CRL crl = client.getRevocationList(jscepCertificate, jscepKeyPair.getPrivate(), 
              crlIssuer, crlSerialNumber);

On the server my CRL has the following information:

CRL Serial: 511
CRL Issuer: CN=CA ONE,OU=Test CA,DC=OpenXPKI,DC=ORG
Items: 25

When I try the above code examples (and also some others) I get the following error on the CRL requester:

org.jscep.transaction.OperationFailureException: Operation failed due to badCertId

And on the OpenXPKI server I get the following error:

openxpki.application.ERROR:12156 [OpenXPKI::Service::SCEP::Command::PKIOperation (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:255); scep-server-1()@f68c] SCEP getcrl - no issuer found for serial 511 and issuer DC=ORG,DC=OpenXPKI,OU=Test CA,CN=CA ONE

It is always no issuer found for serial XXX and issuer YYY (XXX and YYY depend on the information sent in the CRL request).

Please, could anyone help me or give me some advice? - Thanks in advance!


Solution

  • I solved the problem with the help of the JSCEP and OpenXPKI communities. The problem is that the DN of the issuer is reversed; this means, e.g., CN=CA ONE,OU=Test CA,DC=OpenXPKI,DC=ORG is changed to DC=ORG,DC=OpenXPKI,OU=Test CA,CN=CA ONE, and the getCRL from OpenXPKI has no entry for the reversed issuer.

    An easy fix is to reverse the issuer for the getCRL request (check the OpenXPKI fix) by changing the code in the get_getcrl_issuer_serial.pm file. Add the following code at line 107:

    # reverse the RDN order so the lookup key matches the issuer stored on the server
    $issuer = join ",", reverse split (/,/, $issuer);

    A solution for the future would be to make the getCRL logic requester-independent and to order the issuer on the request.
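The issuer lookup described in the answer, as an added example that is not code from the question, the answer, or OpenXPKI: it mirrors the Perl one-liner but splits RDNs escape-aware (a bare split on "," cuts an escaped comma such as O=Acme\, Inc) and matches the stored issuer against a request issuer in either RDN order. The DN strings and the CRL table are constructed from the values in the question; the function names are assumptions.

```python
# Constructed from the question: issuer as stored on the server and as it
# arrives in the SCEP GetCRL request (same RDNs, reversed order).
SERVER_ISSUER = "CN=CA ONE,OU=Test CA,DC=OpenXPKI,DC=ORG"
REQUEST_ISSUER = "DC=ORG,DC=OpenXPKI,OU=Test CA,CN=CA ONE"


def split_rdns(dn):
    """Split an RFC 4514 DN string into its RDNs, honouring backslash
    escapes and quoted values so an escaped comma is not a separator."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:        # unescaped, unquoted separator
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def reverse_dn(dn):
    """Escape-aware equivalent of the answer's Perl fix."""
    return ",".join(reversed(split_rdns(dn)))


def same_issuer(a, b):
    """True if the RDN sequences match in either direction (RFC 4514
    order vs the reversed rendering the server saw in the question)."""
    ra, rb = split_rdns(a), split_rdns(b)
    return ra == rb or ra == list(reversed(rb))


def find_crl(crl_table, issuer, serial):
    """Order-insensitive issuer match plus serial match over a table of
    (issuer, serial, crl) rows; returns the CRL or None (hypothetical)."""
    for table_issuer, table_serial, crl in crl_table:
        if table_serial == serial and same_issuer(table_issuer, issuer):
            return crl
    return None
```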