CMP mock server OldCertID check behavior

Petr Gotthard petr.gotthard at
Thu Jul 8 11:17:57 UTC 2021


I am trying to renew a certificate via CMP and authenticate the request using the same cert.

I start the mock server:
openssl cmp -port 8080 -srv_trusted test-ca-cert.pem \
            -srv_key test-server-key.pem -srv_cert test-server-cert.pem \
            -rsp_cert test-client-cert2.pem -rsp_capubs test-ca-cert.pem &

And run the client:
openssl cmp -cmd kur -server localhost:8080/pkix/ -srvcert test-server-cert.pem \
            -key test-client-key.pem -cert test-my-cert.pem \
            -newkey test-client-key2.pem -certout test-my-cert2.pem

However, the CMP server(?) compares the serial number of the old client certificate with the serial of the new (enrolled) certificate and fails. (I can make the enrollment succeed if I force the old and the new certificate to have the same serial.)

CMP error: received error:PKIStatus: rejection; PKIFailureInfo: badRequest; StatusString: "wrong certid"; errorCode: 1D0000BD; errorDetails: CMP routines, wrong certid

What am I doing wrong, please? It is quite obvious the new certificate will have a different certid, isn't it?

Kind Regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list