Considerations on update and renewal in CMP about xipki HOT 6 OPEN

Hi, thanks for the detailed comment. As you may know, I use my spare time to maintain this project (for free). I will come back to you in the next days when I find time.

from xipki.

Karaf 6.5.2 includes the CMP command.
Karaf 6.5.3 does not have the CMP command.

Karaf 6.5.3 does provide the CMP commands. You need to call the ./prepare.shbefore starting xipki-cli at the first time.
Can you upload the log file data/log/karaf.log of xipki-cli.

from xipki.

I can reproduce the problem you described above. The problem is the public key of the new certificate is not contained in the request, and the server have a bug in this case. As a workaround, use the option --embeds-publickey in the cmp-update-p12 / cmp-update-p11command. This problem is fixed by the patch here 0677d83ba88dcc2ea9354059a252d9360b34a038.

from xipki.

And to your figure and description above:

• The renewaland update processes in you figure above are correct, however, CMP does not provide explict APIs for both cases. They share the same API. So the best is even you do the update, also includes the public key in the request.
• On the right of you figure, the computation of Hash is only for Hash-then-Sign signatures, e.g. RSA and ECDSA. But not for EdDSA. And if the E-Box is for Encryption, it does only to some signature algorithms, e.g. RSA, but not to ECDSA, EDDSA and DSA.

from xipki.

I'd like to review the information you provided right away, but it seems difficult to do so immediately due to other tasks. I will examine it as soon as possible and get back to you with my feedback. Thank you

from xipki.

Thank you for your reply.
I confirmed that the problem was resolved.

from xipki.