[Pki-devel] Trouble enrolling with SSCEP

Christina Fu cfu at redhat.com
Fri Apr 8 20:58:27 UTC 2016


Hi Hayg,

I am running Fedora 22 so I'm not sure if there is any difference at all.

I would like to understand your issue(s) better.
When you said that your request failed because it was "getting 
deferred", does that mean you have it in the enrollment profile for 
manual approval?  In other words, it was your intention to have the 
request manually approved by the CA agents?
You realize that if you require manual agent approval, there is no 
option for sscep to "fetch" the already issued cert, right?

Or, did you not intend to have the request deferred and failed?  In 
which case, you want to know why it failed?  If so, do you have relevant 
debug log to give us some clue?

Did I misunderstand your issue?

Christina

On 04/05/2016 02:57 AM, haygastourian at gmail.com wrote:
> Hello everyone,
>
> I've been trying to enroll with dogtag via SSCEP for the last few days 
> to no avail and I've reached the end of my rope, so I'm reaching out 
> for your help (which I very much would appreciate).
>
> I am running Ubuntu and my dogtag versions are:
> hayg at hayg:~$ dpkg -l | grep dogtag
>
>     ii  dogtag-pki                10.2.6-1    all    Dogtag Public Key Infrastructure (PKI) Suite
>     ii  dogtag-pki-console-theme  10.2.6-1    all    Certificate System - PKI Console User Interface
>     ii  dogtag-pki-server-theme   10.2.6-1    all    Certificate System - PKI Server User Interface
>
> My SSCEP:
> [~/sscep]$ cat VERSION
>
>     0.6.1
>
>
> My flatfile.txt:
> hayg at hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
>
>     #UID:172.16.24.238
>     #PWD:1212
>     UID:10.129.25.186
>     PWD:secret
>
> (I restarted my pki-tomcatd service just in case, to make sure it took 
> effect)
>
> On the SSCEP side I'm doing:
>
>     ./sscep enroll -l cert.pem -r local.csr -k local.key -c astourian.crt -u 'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'
>
> This fails because the request is getting deferred and I have fail on 
> defer set to true, per the docs.
>
> The request actually shows up in 'List Certificates' when I go to the 
> web UI, but when I try to approve it, I get:
>
>     The Certificate System has encountered an unrecoverable error.
>     Error Message:
>     java.lang.NullPointerException
>     Please contact your local administrator for assistance.
>
> When I try to resume the enrollment by adding the -R flag to sscep it 
> fails with the following error in the logs:
>
>     CRSEnrollment: No certificate has been found
>
>
> My CSR:
> [~/sscep]$ openssl req -in local.csr -noout -text
>
>     Certificate Request:
>         Data:
>             Version: 0 (0x0)
>             Subject: CN=10.129.25.186
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (1024 bit)
>                     Modulus:
>                         00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
>                         83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
>                         f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
>                         6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
>                         1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
>                         75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
>                         5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
>                         4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
>                         19:93:02:84:40:09:40:44:b1
>                     Exponent: 65537 (0x10001)
>             Attributes:
>                 challengePassword        :secret
>             Requested Extensions:
>                 X509v3 Subject Alternative Name: critical
>                     IP Address:10.129.25.186
>         Signature Algorithm: sha1WithRSAEncryption
>              7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
>              8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
>              4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
>              05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
>              16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
>              af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
>              f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
>              ea:ae
>
>
> As you can see, the password is "secret" and the CN is the UID from 
> flatfile.txt.
>
> I welcome you all to try enrolling with my server. I can then try 
> approving and see if it works.
>
> Again, I very much appreciate all of your help. Please excuse my wall 
> of text x_x
>
> Thanks,
> Hayg
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
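The quoted post pairs a flatfile.txt record (UID/PWD) with a CSR carrying a challengePassword, and the request is being deferred rather than approved. The script below is an added illustration, not Dogtag or sscep code, of how such a flat-file check can be reproduced offline to see which half of the match fails. It assumes (not stated on the page) that flatfile.txt records are "KEY:VALUE" lines separated by blank lines with "#" lines ignored, that UID is compared against the requesting client's IP address (the commented "#UID:172.16.24.238" entry suggests an address, not a subject CN) and PWD against the CSR's challengePassword, that a failed match is deferred when a defer-on-failure setting is on and rejected otherwise, and that a dual-stack Tomcat may report an IPv4 client as an IPv4-mapped IPv6 address. The sample file content is copied from the post; the client addresses tried are constructed.

```python
"""Reproduce a flat-file SCEP enrollment check offline (added example).

Not Dogtag/sscep code.  Assumptions, all labelled in the lead-in:
 - records are "KEY:VALUE" lines, blank-line separated, '#' lines ignored;
 - UID is matched against the client's IP address, PWD against the CSR's
   challengePassword attribute;
 - on mismatch the request is deferred (defer_on_failure=True) or rejected;
 - a client address may arrive as IPv4-mapped IPv6 ("::ffff:a.b.c.d").
"""
import hmac
import ipaddress
from typing import Dict, List, Tuple

# Copied from the flatfile.txt shown in the post.
FLATFILE = """\
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret
"""


def parse_flatfile(text: str) -> List[Dict[str, str]]:
    """Parse flatfile.txt into one dict per record (assumed format)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue                      # commented-out entry, skipped
        if not line:
            if current:                   # blank line closes a record
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed flatfile line: {raw!r}")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def normalize_ip(addr: str) -> str:
    """Canonical text form; IPv4-mapped IPv6 collapses to the IPv4 address."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def authenticate(records: List[Dict[str, str]], client_ip: str,
                 challenge_password: str,
                 defer_on_failure: bool = True) -> Tuple[str, str]:
    """Return (decision, reason): 'approved', 'deferred' or 'rejected'."""
    on_failure = "deferred" if defer_on_failure else "rejected"
    client = normalize_ip(client_ip)
    for rec in records:
        uid = rec.get("UID", "")
        try:
            uid_norm = normalize_ip(uid)
        except ValueError:
            uid_norm = uid                # UID that is not an address: raw compare
        if uid_norm != client:
            continue
        # Constant-time compare so the password check leaks no timing signal.
        if hmac.compare_digest(rec.get("PWD", "").encode(),
                               challenge_password.encode()):
            return "approved", f"UID {uid} matched and challengePassword verified"
        return on_failure, f"UID {uid} matched but challengePassword did not"
    uids = ", ".join(r.get("UID", "?") for r in records) or "none"
    return on_failure, f"no UID entry for client {client} (entries: {uids})"


if __name__ == "__main__":
    recs = parse_flatfile(FLATFILE)
    # Constructed client addresses: the UID itself, an IPv4-mapped form of it,
    # and the address from the commented-out entry.
    for ip, pw in [("10.129.25.186", "secret"), ("::ffff:10.129.25.186", "secret"),
                   ("172.16.24.238", "secret"), ("10.129.25.186", "wrong")]:
        print(ip, pw, "->", authenticate(recs, ip, pw))
```

The point of the second and third trial addresses is the one worth checking on a real deployment: a CN equal to the UID proves nothing if the CA compares the UID with the address the request actually arrives from, so the reason string says which of the two comparisons failed.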
