[Pki-users] No SCEP Enrollment option in the SSL End Users Services page

Chandrasekar Kannan ckannan at redhat.com
Wed Apr 22 00:02:27 UTC 2009


On Tue, 2009-04-21 at 12:13 -0700, Fortunato wrote:
> >From: Marc Sauton <msauton at redhat.com>
> >Sent: Apr 20, 2009 1:31 PM
> >To: Fortunato <fortunato.montresor at earthlink.net>
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] No SCEP Enrollment option in the SSL End Users Services page
> >
> >Fortunato wrote:
> >> Hello list,
> >>
> >> I don't know exactly where the differences are between Dogtag 1.1.0 and the documentation (currently 7.3)
> >Dogtag 1.1.0 is the open source development project of the released 
> >commercial product RHCS 7.3.
> >One way to get an idea of the changes is to go through the archive lists:
> >https://www.redhat.com/mailman/private/pki-commits/
> 
> I'm not a big coder, so going through the commits is kind of torturous for me. :( 
> But I subscribed to pki-commits list and will try. Part of my interest revolves around the IPv6 configuration, on which the documentation is rather scarce. I'd like to get the cert manager to listen on IPv6 addresses. LDAP is listening on localhost6, but how about the other CA services?
> 
> # netstat -tlpn
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
> tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java           
> tcp        0      0 0.0.0.0:9444                0.0.0.0:*                   LISTEN      3411/java           
> tcp        0      0 0.0.0.0:9445                0.0.0.0:*                   LISTEN      3411/java           
> tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      2452/httpd.worker   
> tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2017/rpcbind        
> tcp        0      0 0.0.0.0:11443               0.0.0.0:*                   LISTEN      4025/java           
> tcp        0      0 0.0.0.0:11444               0.0.0.0:*                   LISTEN      4025/java           
> tcp        0      0 0.0.0.0:11445               0.0.0.0:*                   LISTEN      4025/java           
> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2766/sshd           
> tcp        0      0 0.0.0.0:33558               0.0.0.0:*                   LISTEN      2030/rpc.statd      
> tcp        0      0 0.0.0.0:12888               0.0.0.0:*                   LISTEN      4445/httpd.worker   
> tcp        0      0 0.0.0.0:12889               0.0.0.0:*                   LISTEN      4445/httpd.worker   
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce 
> tcp        0      0 0.0.0.0:12890               0.0.0.0:*                   LISTEN      4445/httpd.worker   
> tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java           
> tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd       
> tcp        0      0 :::11180                    :::*                        LISTEN      4025/java           
> tcp        0      0 :::111                      :::*                        LISTEN      2017/rpcbind        
> tcp        0      0 ::ffff:127.0.0.1:11701      :::*                        LISTEN      4025/java           
> tcp        0      0 :::22                       :::*                        LISTEN      2766/sshd           
> tcp        0      0 :::9180                     :::*                        LISTEN      3411/java
> 
> >> , but under SSL End Users Services there's no SCEP Enrollment option. 
> >In the RA's "SSL End Users Services" page, there should be a "SCEP 
> >Enrollment" link, url looks like this:
> >https://<fqdn:port>/ee/index.cgi (default port 12899)
> >Also by default, a CA's EE enrollment pages and "List Certificate 
> >Profiles" will list the caRouterCert and caRARouterCert profiles.
> 
> I was looking at the wrong http[s]://<fqdn:port>
> I have the SCEP web gui now under: https://<fqdn>:12889/ee/scep/index.cgi
> 
> >> Am I missing an option/config?
> >Should not, seems quite strange if you do not see those.
> >>  pki-ra 1.1.0 is installed.
> >>   
> >ok, so you want to use SCEP with a RA.
> 
> Maybe a better description on the CA SCEP versus RA SCEP would be helpful? I'll try to comment on the document soon. 
> 
> >> There are what appear to be 3 tabs: Enrollment, Revocation and Retrieval - under the ca pkiconsole.
> >>   
> >Those are for SSL sub system certificates.
> >> Do any of the listed Certificate Profiles match to what the manual refers to as SCEP Enrollment and the Request Submission - Manager?
> >>   
> >The Request Submission is to get the one time pin for the device.
> >The SCEP Enrollment page shows the link to configure on the device.
> >Those 2 are listed in the "EE" pages on the RA instance.
> >See the profiles like in the directory 
> >/var/lib/rhpki-<ca-instance-id>/profiles/ca/caRA*
> >Especially the caRARouterCert profile on the CA instance (caRouterCert is for 
> >CA mode).
> >Some pointers:
> >http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
> 
> SCEP screenshots would help. The different ports available for all CM services make things confusing.
> 
> >http://pki.fedoraproject.org/wiki/PKI_SCEP_Support_In_Certificate_System
> >http://pki.fedoraproject.org/wiki/PKI_Cisco_Routers_%28IOS%29
> 
> Are there any easily available SCEP clients out there? 


http://www.klake.org/~jt/sscep/


> 
> >> Regards,
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >>   
> >
> >
> 
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
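
Added example, not part of the original thread: a short Python script that reads `netstat -tlpn` output like that quoted above and lists, per program, the listening ports that have no IPv6 listener. The sample rows are copied from the quoted output; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: a subset of the `netstat -tlpn` rows quoted in the message above.
SAMPLE = """\
tcp        0      0 0.0.0.0:9443                0.0.0.0:*                   LISTEN      3411/java
tcp        0      0 0.0.0.0:12889               0.0.0.0:*                   LISTEN      4445/httpd.worker
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2800/sendmail: acce
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      3411/java
tcp        0      0 :::389                      :::*                        LISTEN      2350/ns-slapd
tcp        0      0 :::9180                     :::*                        LISTEN      3411/java
"""

# Local address is split at its last colon, so ":::389" gives ("::", 389).
ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+\d+/(.+?)\s*$")

def reach(addr):
    """Classify a local bind address by the address family that can reach it."""
    if addr.startswith("::ffff:"):   # IPv4-mapped: an IPv4 bind on an AF_INET6 socket
        return "ipv4"
    if ":" in addr:                  # "::" wildcard or a literal IPv6 address
        return "ipv6"                # "::" may also accept IPv4, depending on IPV6_V6ONLY
    return "ipv4"                    # 0.0.0.0 or a literal IPv4 address

def listeners(text):
    """Yield (program, port, bind address, family) for each LISTEN row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            addr, port, prog = m.group(1), int(m.group(2)), m.group(3)
            yield prog, port, addr, reach(addr)

def ipv4_only_ports(text):
    """Map program -> sorted ports that have no IPv6-reachable listener."""
    seen = defaultdict(set)
    for prog, port, _addr, fam in listeners(text):
        seen[(prog, port)].add(fam)
    out = defaultdict(list)
    for (prog, port), fams in sorted(seen.items()):
        if "ipv6" not in fams:
            out[prog].append(port)
    return dict(out)

if __name__ == "__main__":
    for prog, ports in ipv4_only_ports(SAMPLE).items():
        print(f"{prog}: IPv4-only listeners on {ports}")
```
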



