Andrew,<div><br></div><div>Thanks for your suggestion. I change the value of auth.instance_id in the caRouterCert profile to be "empty" (i.e. no value) per your suggestion.</div><div><br></div><div>I could verify through the debug file that the CA accepts this empty value when I run my SCEP test again.</div> <div>The snippet of the debug file:</div><div><br></div><div>Found profile=caRouterCert</div><div>Retrieving Authenticator</div><div>no Authenticator Found >> this log suggests that the changes takes into effect</div> <div><br></div><div>Despite that no Authenticator is Found, the CA does not put the request in the agent queue.</div><div>The CA issues the SCEP client a certificate.</div><div><br></div><div>Now, when I check this particular requests through the CA-agent web interface; i.e. (List Request, Request Type: Show All Request, Request Status: Show All Request), I noticed that the request was completed.</div> <div><br></div><div>Although the CA marks this request as completed, this request does not show its associated issued certificate, despite of the fact that the SCEP client is issued a certificate. When I further explore this "completed request", this is what I got:</div> <div><br></div><div>Request:</div><div> Status: complete</div><div> Type: enrollment</div><div><br></div><div>Subject Public Key:</div><div> Algorithm: undefined</div><div> Public Key: undefined</div><div><br></div> <div>Issued Cert:</div><div> Error: certificate not issued</div><div><br></div><div><br></div><div>Any idea why the CA behaves this way? Is it expected?</div><div><br></div><div>Thanks,</div><div>Erwin</div><div> </div> <div><br><div class="gmail_quote">On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk <span dir="ltr"><<a href="mailto:awnuk@redhat.com">awnuk@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> <div bgcolor="#ffffff" text="#000000"><div><div></div><div class="h5"> On 05/20/10 17:51, Erwin Himawan wrote: <blockquote type="cite">I would like to configure my DCS's SCEP operation for manual approval, in which the router uses SCEP to submit the request and the CA agent will manually approve the request and to modify the request (if needed). <div><br> </div> <div>Does anybody has any idea how to configure the DCS CA?</div> <div><br> </div> <div>I am thinking to clone the caRouterCert profile. I am not sure what to specify to enable agent to approve the incoming request. </div> <div>Am I in the right direction?</div> </blockquote> <br> </div></div><tt>You could try to modify caRouterCert profile by replacing <br> auth.instance_id=raCertAuth<br> with<br> auth.instance_id=<br> Adding new profile requires extending profile list in CS.cfg.<br> <br> </tt> <blockquote type="cite"> <div><br> </div> <div>Thanks,</div> <div>Erwin</div> <pre><fieldset></fieldset> _______________________________________________ Pki-users mailing list <a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a> </pre> </blockquote> <br> </div> <br>_______________________________________________<br> Pki-users mailing list<br> <a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br> <br></blockquote></div><br></div>