Name

OpenXPKI::Service::LibSCEP::Command::GetCACert

Description

Returns the certifcate of the RA and CA issuer including its chain.

The chain is cached/read from the datapool, namespace scep.cache.getca, the key is created by joining servername, scep-alias and issuer-alias with a colon, e.g. 'vpnservice:ca-scep-5:ca-signer-2'.

In case you want a special response, e.g. including extra chain certificates you can set the datapool item manually

If no value is found in the datapool, __build_chain is called to create it and the result is cached using the datapool for seven days.

Return information on the certificates used by the scep server. With default settings, the following certs are returned in order:

scep server certificate: entity certificate used by the scep server
scep server chain: the full chain including without the root certificate for the scep entity certificate
current issuer certificate: the certificate currently used for certificate issuance.
issuer chain: the chain of the issuing ca, starting with the first intermediate certificate.

Certificates used in both scep and issuer chain are only included once.

The responses are cached using the datapool, you can strip chain/root by config settings, see below, or inject arbitrary chains into the datapool.

Functions

execute

Returns the CA certificate chain including the HTTP header needed for the scep CGI script.

__build_chain

Config layout (at scep.<server>) is:

  response
      getca:
          ra:     fullchain
          issuer: fullchain

Options are endentity (cert only), chain (no root) and fullchain (includes root certificate).

The old config option response.getcacert_strip_root is still recognized but deprecated.