[Pki-users] No SCEP Enrollment option in the SSL End Users Services page

Fortunato fortunato.montresor at earthlink.net
Tue Apr 21 19:13:21 UTC 2009 

>From: Marc Sauton <msauton at redhat.com>
>Sent: Apr 20, 2009 1:31 PM
>To: Fortunato <fortunato.montresor at earthlink.net>
>Cc: pki-users at redhat.com
>Subject: Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
>
>Fortunato wrote:
>> Hello list,
>>
>> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)
>Dogtag 1.1.0 is the open source development project of the released 
>commercial product RHCS 7.3.
>One way to get an idea of the changes, is to go through the archive lists:
>https://www.redhat.com/mailman/private/pki-commits/

I'm not a big coder, so going thru the commits is kind of torturous for me. :( 
But I subscribed to pki-commits list and will try. Part of my interest revolves around the IPv6 configuration, on which the documentation is rather scarce. I'd like to get the cert manager to listen on IPv6 addresses. LDAP is listening on localhost6, but how about the other CA services?

# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java           
tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      3411/java           
tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      3411/java           
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      2452/httpd.worker   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2017/rpcbind        
tcp        0      0 0.0.0.0:11443               0.0.0.0:*                   LISTEN      4025/java           
tcp        0      0 0.0.0.0:11444               0.0.0.0:*                   LISTEN      4025/java           
tcp        0      0 0.0.0.0:11445               0.0.0.0:*                   LISTEN      4025/java           
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2766/sshd           
tcp        0      0 0.0.0.0:33558               0.0.0.0:*                   LISTEN      2030/rpc.statd      
tcp        0      0 0.0.0.0:12888               0.0.0.0:*                   LISTEN      4445/httpd.worker   
tcp        0      0 0.0.0.0:12889               0.0.0.0:*                   LISTEN      4445/httpd.worker   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce 
tcp        0      0 0.0.0.0:12890               0.0.0.0:*                   LISTEN      4445/httpd.worker   
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java           
tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd       
tcp        0      0 :::11180                    :::*                        LISTEN      4025/java           
tcp        0      0 :::111                      :::*                        LISTEN      2017/rpcbind        
tcp        0      0 ::ffff:127.0.0.1:11701      :::*                        LISTEN      4025/java           
tcp        0      0 :::22                       :::*                        LISTEN      2766/sshd           
tcp        0      0 :::9180                     :::*                        LISTEN      3411/java

>> , but under SSL End Users Services there's no SCEP Enrollment option. 
>In the RA's "SSL End Users Services" page, there should be a "SCEP 
>Enrollment" link, url looks like this:
>https://<fqdn:port>/ee/index.cgi (default port 12899)
>Also by default, a CA EE enrollment pages and "List Certificate 
>Profiles" will list the caRouterCert and caRARouterCert profiles.
>**

I was looking at the wrong http[s]:://<fqdn:port>
I have the SCEP web gui now under: https://<fqdn>:12889/ee/scep/index.cgi

>> Am I missing an option/config?
>Should not, seem quite strange if you do not see those.
>>  pki-ra 1.1.0 is installed.
>>   
>ok, so you want to use SCEP with a RA.

Maybe a better description on the CA SCEP versus RA SCEP would be helpfull? I'll try to comment on the document soon. 

>> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
>>   
>Those are for SSL sub system certificates.
>> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
>>   
>The Request Submission is to get the one time pin for the device.
>The SCEP Enrollment page shows the link to configure on the device.
>Those 2 are listed in the "EE" pages on the RA instance.
>See the profiles like in the directory 
>/var/lib/rhpki-<ca-instance-id>/profiles/ca/caRA*
>Specially caRARouterCert profile on the CA instance (caRouterCert s for 
>CA mode).
>Some pointers:
>http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html

SCEP screenshots would help. The different ports available for all CM services makes things confusing.

>http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
>http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29

Are there any easily available SCEP clients out there? 

>> Regards,
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>   
>
>

More information about the Pki-users mailing list