[Pki-devel] Trouble enrolling with SSCEP

haygastourian at gmail.com haygastourian at gmail.com
Tue Apr 12 09:02:32 UTC 2016 

Hi Christina,

I see, good to know. Thanks for the help.

Best,
Hayg

On Mon, Apr 11, 2016 at 7:05 PM, Christina Fu <cfu at redhat.com> wrote:

> Hi Hayg,
> Good to hear.  To answer your previous question, caRouterCert.cfg is the
> default sscep enrollment profile.  You can see the authentication by
> default using flatfile:
> auth.instance_id=flatFileAuth
> Earlier, I misunderstood you for removing that and rendering a manual
> approval.
>
> Christina
>
>
> On 04/11/2016 05:14 AM, haygastourian at gmail.com wrote:
>
> Hi Christina,
>
> I got this to work with sscep. It seems the IP in my flatfile was wrong. I
> think the main issue is the lack of a clear error message.
>
> Thanks for your help,
> Hayg
>
> On Mon, Apr 11, 2016 at 10:54 AM, <haygastourian at gmail.com>
> haygastourian at gmail.com <haygastourian at gmail.com> wrote:
>
>> Hi Christina,
>>
>> Thank you for your help.
>>
>> I think using SCEP there is no enrollment profile that I touch? I thought
>> setting up the flatfile.txt with the relevant values and modifying the
>> config to enable SCEP was all that I needed to do. My intention was for it
>> to be *automatically* approved because of the IP/password being present
>> in flatfile.txt
>>
>> Does that help? Sorry if I'm misunderstanding your questions.
>>
>> Thanks,
>> Hayg
>>
>> On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu < <cfu at redhat.com>
>> cfu at redhat.com> wrote:
>>
>>> Hi Hayg,
>>>
>>> I am running Fedora 22 so I'm not sure if there is any difference at all.
>>>
>>> I would like to understand your issue(s) better.
>>> When you said that your request failed because it was "getting
>>> deferred", does that mean you have it in the enrollment profile for manual
>>> approval?  In other words, it was your intention to have the request
>>> manually approved by the CA agents?
>>> You realize that if you require manual agent approval, there is no
>>> option for sscep to "fetch" the already issued cert right?
>>>
>>> Or, did you not intend to have the request deferred and failed?  In
>>> which case, you want to know why it failed?  If so, do you have relevant
>>> debug log to give us some clue?
>>>
>>> Did I misunderstand your issue?
>>>
>>> Christina
>>>
>>>
>>> On 04/05/2016 02:57 AM, <haygastourian at gmail.com>haygastourian at gmail.com
>>> wrote:
>>>
>>> Hello everyone,
>>>
>>> I've been trying to enroll with dogtag via SSCEP for the last few days
>>> to no avail and I've reached the end of my rope, so I'm reaching out for
>>> your help (which I very much would appreciate).
>>>
>>> I am running Ubuntu and my dogtag versions are:
>>> hayg at hayg:~$ dpkg -l | grep dogtag
>>>
>>>> ii  dogtag-pki                               10.2.6-1
>>>>      all          Dogtag Public Key Infrastructure (PKI) Suite
>>>> ii  dogtag-pki-console-theme                 10.2.6-1
>>>>      all          Certificate System - PKI Console User Interface
>>>> ii  dogtag-pki-server-theme                  10.2.6-1
>>>>      all          Certificate System - PKI Server User Interface
>>>
>>>
>>> My SSCEP:
>>> [~/sscep]$ cat VERSION
>>>
>>>
>>>> 0.6.1
>>>
>>>
>>> My flatfile.txt:
>>> hayg at hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
>>>
>>>> #UID:172.16.24.238
>>>> #PWD:1212
>>>> UID:10.129.25.186
>>>> PWD:secret
>>>
>>> (I restarted my pki-tomcatd service just in case, to make sure it took
>>> effect)
>>>
>>> On the SSCEP side I'm doing: ./sscep enroll -l cert.pem -r local.csr -k
>>> local.key -c astourian.crt -u '
>>> <http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe%27>
>>> http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'
>>>
>>> This fails because the request is getting deferred and I have fail on
>>> defer set to true, per the docs.
>>>
>>> The request actually shows up in 'List Certificates' when I go to the
>>> web UI, but when I try to approve it, I get:
>>>
>>>> The Certificate System has encountered an unrecoverable error.
>>>> Error Message:
>>>>
>>>> *java.lang.NullPointerException *Please contact your local
>>>> administrator for assistance.
>>>
>>> When I try to resume the enrollment by adding the -R flag to sscep it
>>> fails with the following error in the logs:
>>>
>>>> CRSEnrollment: No certificate has been found
>>>
>>>
>>> My CSR:
>>> [~/sscep]$ openssl req -in local.csr -noout -text
>>>
>>>> Certificate Request:
>>>>     Data:
>>>>         Version: 0 (0x0)
>>>>         Subject: CN=10.129.25.186
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: rsaEncryption
>>>>                 Public-Key: (1024 bit)
>>>>                 Modulus:
>>>>                     00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
>>>>                     83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
>>>>                     f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
>>>>                     6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
>>>>                     1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
>>>>                     75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
>>>>                     5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
>>>>                     4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
>>>>                     19:93:02:84:40:09:40:44:b1
>>>>                 Exponent: 65537 (0x10001)
>>>>         Attributes:
>>>>             challengePassword        :secret
>>>>         Requested Extensions:
>>>>             X509v3 Subject Alternative Name: critical
>>>>                 IP Address:10.129.25.186
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>          7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
>>>>          8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
>>>>          4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
>>>>          05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
>>>>          16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
>>>>          af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
>>>>          f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
>>>>          ea:ae
>>>
>>>
>>> As you can see, the password is "secret" and the CN is the UID from
>>> flatfile.txt.
>>>
>>> I welcome you all to try enrolling with my server. I can then try
>>> approving and see if it works.
>>>
>>> Again, I very much appreciate all of your help. Please excuse my wall of
>>> text x_x
>>>
>>> Thanks,
>>> Hayg
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing listPki-devel at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-devel
>>>
>>>
>>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160412/f56eace3/attachment.htm>

More information about the Pki-devel mailing list