[Pki-devel] Trouble enrolling with SSCEP

Christina Fu cfu at redhat.com
Mon Apr 11 18:05:38 UTC 2016


Hi Hayg,
Good to hear.  To answer your previous question, caRouterCert.cfg is the 
default sscep enrollment profile.  You can see the authentication by 
default using flatfile:
auth.instance_id=flatFileAuth
Earlier, I misunderstood you for removing that and rendering a manual 
approval.

Christina

On 04/11/2016 05:14 AM, haygastourian at gmail.com wrote:
> Hi Christina,
>
> I got this to work with sscep. It seems the IP in my flatfile was 
> wrong. I think the main issue is the lack of a clear error message.
>
> Thanks for your help,
> Hayg
>
> On Mon, Apr 11, 2016 at 10:54 AM, haygastourian at gmail.com wrote:
>
>     Hi Christina,
>
>     Thank you for your help.
>
>     I think using SCEP there is no enrollment profile that I touch? I
>     thought setting up the flatfile.txt with the relevant values and
>     modifying the config to enable SCEP was all that I needed to do.
>     My intention was for it to be *automatically* approved because of
>     the IP/password being present in flatfile.txt
>
>     Does that help? Sorry if I'm misunderstanding your questions.
>
>     Thanks,
>     Hayg
>
>     On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu <cfu at redhat.com> wrote:
>
>         Hi Hayg,
>
>         I am running Fedora 22 so I'm not sure if there is any
>         difference at all.
>
>         I would like to understand your issue(s) better.
>         When you said that your request failed because it was "getting
>         deferred", does that mean you have it in the enrollment
>         profile for manual approval?  In other words, it was your
>         intention to have the request manually approved by the CA agents?
>         You realize that if you require manual agent approval, there
>         is no option for sscep to "fetch" the already issued cert right?
>
>         Or, did you not intend to have the request deferred and
>         failed?  In which case, you want to know why it failed?  If
>         so, do you have relevant debug log to give us some clue?
>
>         Did I misunderstand your issue?
>
>         Christina
>
>
>         On 04/05/2016 02:57 AM, haygastourian at gmail.com wrote:
>>         Hello everyone,
>>
>>         I've been trying to enroll with dogtag via SSCEP for the last
>>         few days to no avail and I've reached the end of my rope, so
>>         I'm reaching out for your help (which I very much would
>>         appreciate).
>>
>>         I am running Ubuntu and my dogtag versions are:
>>         hayg at hayg:~$ dpkg -l | grep dogtag
>>
>>             ii  dogtag-pki                10.2.6-1  all  Dogtag Public Key Infrastructure (PKI) Suite
>>             ii  dogtag-pki-console-theme  10.2.6-1  all  Certificate System - PKI Console User Interface
>>             ii  dogtag-pki-server-theme   10.2.6-1  all  Certificate System - PKI Server User Interface
>>
>>         My SSCEP:
>>         [~/sscep]$ cat VERSION
>>
>>             0.6.1
>>
>>
>>         My flatfile.txt:
>>         hayg at hayg:~$ sudo cat
>>         /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
>>
>>             #UID:172.16.24.238
>>             #PWD:1212
>>             UID:10.129.25.186
>>             PWD:secret
>>
>>         (I restarted my pki-tomcatd service just in case, to make
>>         sure it took effect)
>>
>>         On the SSCEP side I'm doing: ./sscep enroll -l cert.pem -r
>>         local.csr -k local.key -c astourian.crt -u
>>         'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'
>>
>>         This fails because the request is getting deferred and I have
>>         fail on defer set to true, per the docs.
>>
>>         The request actually shows up in 'List Certificates' when I
>>         go to the web UI, but when I try to approve it, I get:
>>
>>             The Certificate System has encountered an unrecoverable
>>             error.
>>             Error Message:
>>             java.lang.NullPointerException
>>             Please contact your local administrator for assistance.
>>
>>         When I try to resume the enrollment by adding the -R flag to
>>         sscep it fails with the following error in the logs:
>>
>>             CRSEnrollment: No certificate has been found
>>
>>
>>         My CSR:
>>         [~/sscep]$ openssl req -in local.csr -noout -text
>>
>>             Certificate Request:
>>                 Data:
>>                     Version: 0 (0x0)
>>                     Subject: CN=10.129.25.186
>>                     Subject Public Key Info:
>>                         Public Key Algorithm: rsaEncryption
>>                             Public-Key: (1024 bit)
>>                             Modulus:
>>                             Exponent: 65537 (0x10001)
>>                     Attributes:
>>                         challengePassword  :secret
>>                     Requested Extensions:
>>                         X509v3 Subject Alternative Name: critical
>>                             IP Address:10.129.25.186
>>                 Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>         As you can see, the password is "secret" and the CN is the
>>         UID from flatfile.txt.
>>
>>         I welcome you all to try enrolling with my server. I can then
>>         try approving and see if it works.
>>
>>         Again, I very much appreciate all of your help. Please excuse
>>         my wall of text x_x
>>
>>         Thanks,
>>         Hayg
>>
>>
>>         _______________________________________________
>>         Pki-devel mailing list
>>         Pki-devel at redhat.com
>>         https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>

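The thread's root cause was a flatfile.txt entry whose UID (the requester's IP) did not match the host sscep ran from, and the CA only reported a deferred request. As an added example (not from the thread and not Dogtag's own code), here is a small preflight check that parses a flatfile.txt in the format shown above and states, for a given source IP and CSR challengePassword, exactly which of the two does not match. It assumes the flatFileAuth format is one UID/PWD pair per entry, `#` lines as comments and blank lines between entries; the sample file is constructed, modelled on the one quoted in the thread.

```python
# Added example (not from the thread or from Dogtag): preflight a SCEP request
# against a flatFileAuth file. Assumed format: one UID/PWD pair per entry,
# '#' starts a comment, blank lines separate entries. Sample is constructed.
import hmac

SAMPLE_FLATFILE = """\
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret

UID:192.0.2.10
PWD:othersecret
"""


def parse_flatfile(text):
    """Return one dict per entry, e.g. {"UID": "10.129.25.186", "PWD": "secret"}."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                    # blank line closes the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # commented-out line, ignored by the CA
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed flatfile line: {raw!r}")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_request(entries, client_ip, challenge_password):
    """Say whether flatFileAuth would accept a request from client_ip carrying
    challenge_password, and if not, which of UID or PWD failed to match."""
    match = next((e for e in entries if e.get("UID") == client_ip), None)
    if match is None:
        known = ", ".join(e.get("UID", "?") for e in entries)
        return False, f"no UID entry for source IP {client_ip} (have: {known})"
    if "PWD" not in match:
        return False, f"entry for {client_ip} has no PWD line"
    if not hmac.compare_digest(match["PWD"].encode(), challenge_password.encode()):
        return False, f"challengePassword does not match PWD for {client_ip}"
    return True, f"UID {client_ip} and challengePassword both match"
```

Run it with the IP the CA will actually see the request arrive from (after any NAT), since that is what the UID line is compared against.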