<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#ffffff"> On 10/20/2010 05:35 AM, <a class="moz-txt-link-abbreviated" href="mailto:Thomas.Peter2@swisscom.com">Thomas.Peter2@swisscom.com</a> wrote: <blockquote cite="mid:4527A721F8118C4C98E4B79EF84DF78905727573F0@sg000036.corproot.net" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta name="Generator" content="Microsoft Exchange Server">  <style></style><font face="Calibri, sans-serif" size="2"> <div>Hi!</div> <div> </div> <div>Can anybody help me with the following question:</div> <div> </div> <div>Is it possible to use the <a moz-do-not-send="true" href="http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment"><font color="#0000ff"><u>Auto Enrollment Proxy for Windows</u></font></a> (AEP) with a Dogtag CA?</div> <div> </div> <div>More precisely:</div> <div>I setup a <a moz-do-not-send="true" href="http://pki.fedoraproject.org/wiki/PKI_Main_Page"><font color="#0000ff"><u>Dogtag Certification Authority</u></font></a> on a computer running Fedora 13. It works fine through the webinterface that is provided with the Dogtag Sertificate System. I also setup AEP according to all the instructions found <a moz-do-not-send="true" href="http://directory.fedoraproject.org/wiki/Auto_Enroll_Documentation"><font color="#0000ff"><u>here</u></font></a>. I'm pretty sure that I did all the configurations needed in my Windows domain and the corresponding Active Directory. When I request a certificate from the domain controller (I request a certificate of the type 'Domain Controller', as described <a moz-do-not-send="true" href="http://directory.fedoraproject.org/wiki/HowTO:_Windows_Domain_Controller_certificate_enrollment"><font color="#0000ff"><u>here</u></font></a>), I can capture a fair amount of TCP traffic (with Wireshark) between the domain controller and the computer that is running the Dogtag CA on the correct port (default 9445). However, my Dogtag CA seems to reject the certificate signing requests (CSR) it receives from my Windows domain controller, the domain controller issues the error message "The certificate request cannot be created. The requested property value is empty". I know this error message does not really state what I observe, why would there be traffic on the wire, if the CSR has not even been created (Windows…). If I request a certificate from the command line, as described <a moz-do-not-send="true" href="http://directory.fedoraproject.org/wiki/Auto_Enroll_Enrollment"><font color="#0000ff"><u>here</u></font></a>, I get the error message "The parameter is incorrect. 0x80070057 (WIN32: 87)".</div> <div> </div> <div>I did not do any special AEP related configuration on my Dogtag CA, as <a moz-do-not-send="true" href="http://directory.fedoraproject.org/wiki/Auto_Enroll_RHCSConfiguration"><font color="#0000ff"><u>this</u></font></a> page seems to be incomplete. </div> <div> </div> <div>Do I need to configure my Dogtag CA in any way for this to work or wouldn't it work at all (because a Dogtag CA might not really be a Red Hat Certificate System CA)?</div> <div> </div> <div>Thank you for your help!</div> <div> </div> <div>Thomas Peter</div> <div> </div> <div> </div> </font> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Pki-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a> </pre> </blockquote> Hi:<br> <br> Are you getting anything from the CA's logs when this request is issued? Located in /var/lib/pki-ca/logs.<br> </body> </html>