[Pki-users] SSCEP enroll using CA
Marc Sauton
msauton at redhat.com
Fri Apr 24 00:17:32 UTC 2009
Fortunato wrote:
> I'm making lots of progress, but there seems to be a lack (or at least its unclear to me still) in the way to configure SCEP enrollment on the CA.
>
> All the manual references use the RA thru:
>
> http://<fqdn>:12888/ee/scep/index.cgi
>
> to configure SCEP.
>
> But in order to get the CA cert and do a SCEP enroll, most examples use:
>
> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>
> Is there something similar to the RA on the CA web gui to create the SCEP requests?
>
> Lastly, I'm trying to use sscep as follows:
>
> # ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> ...
> ./sscep: CA certificate written as ca.crt
>
> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>
> But all that is returned is:
>
> ./sscep: sending certificate request
> ./sscep: valid response from server
> ./sscep: pkistatus: FAILURE
> ./sscep: reason: Transaction not permitted or supported
>
> Any helpful logs would be appreciated, but my guess is that I'm overlooking a web gui somewhere off port 9080. Is there something in the CA or RA that could help identify a more specific FAILURE reason?
>
>
Try to get a look at your /var/log/rhpki-ca/debug file, and check
/var/lib/rhpki-ca/conf/flatfile.txt
should be in the form of:
UID:x.x.x.x
PWD:password
See:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
More information about the Pki-users
mailing list