certnanny/sscep

how to get the certificates chain in the sscep enroll request

nagendransundaram opened this issue · 1 comments

The SCEP enroll request responded with a certificate chain, but the -l output cert has only one certificate. The chain is missing. Is there any way to get the entire cert chain?

./sscep enroll -u http://example.com/scep -c ca.crt -k local.key -r local.csr -l local.crt

According to the SCEP standard, the SUCCESS PKIMessage contains the end entity certificate and optionally may include additional certificates.
sscep only exports the end entity certificate, via the -l option.
The certificate chain for the EE certificate can be constructed from the delivered end entity certificate by building the certificate chain using the certificates delivered by the SCEP GetCACert operation.
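
One way to do the chain construction described in the comment above, as an added example that is not part of the issue thread or of sscep itself. The function names `name`, `build_chain` and `make_sample_pki` are hypothetical, and the sample certificates are a constructed throwaway PKI; only the `openssl` command line is assumed to be installed.

```shell
#!/bin/sh
# Added example: rebuild the chain for the certificate written by `sscep enroll -l`
# from CA certificates such as those returned by GetCACert.

name() {  # name subject|issuer FILE -> DN in RFC 2253 form
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# build_chain EE_CERT OUT_PEM CA_CERT...
# Writes EE_CERT, then each issuer found among CA_CERT (leaf first) to OUT_PEM.
# Returns 0 when the chain ends at a self-signed cert, 1 when an issuer is missing.
build_chain() {
    cur=$1; out=$2; shift 2
    openssl x509 -in "$cur" > "$out" || return 2
    depth=0
    while [ "$(name issuer "$cur")" != "$(name subject "$cur")" ]; do
        next=
        for cand in "$@"; do
            # Cheap name match first, then confirm the signature really verifies.
            [ "$(name subject "$cand")" = "$(name issuer "$cur")" ] || continue
            openssl verify -partial_chain -CAfile "$cand" "$cur" >/dev/null 2>&1 || continue
            next=$cand; break
        done
        [ -n "$next" ] || return 1      # issuer not among the supplied CA certs
        openssl x509 -in "$next" >> "$out"
        cur=$next; depth=$((depth + 1))
        [ "$depth" -lt 10 ] || return 1  # guard against cross-signed loops
    done
    return 0
}

# Constructed throwaway PKI (root -> int -> ee) standing in for real SCEP output.
make_sample_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int ee; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Constructed $n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/ee.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/local.crt" 2>/dev/null
}
```

With real enrollment output, pass the file written by `-l` as the first argument and the CA certificate files obtained through GetCACert as the candidates. A return value of 0 only shows that the certificates link up to a self-signed root; whether that root is trusted still has to be decided out of band, for example by comparing its fingerprint.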