A simple plain text journal

Linux, security and plain text

OpenXPKI and Certmonger private key automatic renewal

February 17, 2022 — ebsd

I am playing with OpenXPKI, a wonderful Open Source Certificates Authority. I'd like to share that it's possible to use certmonger on client side to manage certificates renewals (on a tls web server for example). OpenXPKI need that the client regenerate his private key to provide a new certificate. Otherwise if the client server sign a CSR with the same private key, OpenXPKI SCEP server will provides the certificate requested with the "old" private key.

We can ask certmonger to use a private key only one time.

# /etc/certmonger/certmonger.conf
[defaults]
max_key_use_count = 1

Tags: openxpki, certmonger

Comments? Tweet