[Pki-users] SSCEP enroll using CA

Fortunato fortunato.montresor at earthlink.net
Fri Apr 24 01:19:45 UTC 2009


Solved.

The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)

And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.

--

All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.

Thanks all. And now I'm off to try this on IPv6...


-----Original Message-----
>From: Marc Sauton <msauton at redhat.com>
>Sent: Apr 23, 2009 8:43 PM
>To: Fortunato <fortunato.montresor at earthlink.net>
>Cc: pki-users at redhat.com
>Subject: Re: [Pki-users] SSCEP enroll using CA
>
>Marc Sauton wrote:
>> Fortunato wrote:
>>> I'm making lots of progress, but there seems to be a lack (or at 
>>> least it's unclear to me still) in the way to configure SCEP 
>>> enrollment on the CA.
>>>
>>> All the manual references use the RA through:
>>>
>>>   http://<fqdn>:12888/ee/scep/index.cgi
>>> to configure SCEP.
>>>
>>> But in order to get the CA cert and do a SCEP enroll, most examples use:
>>>
>>>   http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> Is there something similar to the RA on the CA web gui to create the 
>>> SCEP requests?
>>>
>>> Lastly, I'm trying to use sscep as follows:
>>>
>>>   # ./sscep getca -c ca.crt -u 
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>   ...
>>>   ./sscep: CA certificate written as ca.crt
>>>
>>>   # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u 
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> But all that is returned is:
>>>   ./sscep: sending certificate request
>>>   ./sscep: valid response from server
>>>   ./sscep: pkistatus: FAILURE
>>>   ./sscep: reason: Transaction not permitted or supported
>>>
>>> Any helpful logs would be appreciated, but my guess is that I'm 
>>> overlooking a web gui somewhere off port 9080. Is there something in 
>>> the CA or RA that could help identify a more specific FAILURE reason?
>>>
>>>   
>> Try to get a look at your /var/log/rhpki-ca/debug file, and check 
>> /var/lib/rhpki-ca/conf/flatfile.txt
>> should be in the form of:
>> UID:x.x.x.x
>> PWD:password
>> See:
>> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html 
>>
>In some tests, I think I used mkrequest, and then something like below, 
>with more verbose output:
>sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l 
>/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe 
>-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
>
>>>  
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>   
>
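As an added example (not part of this thread, and not tooling from sscep or Red Hat Certificate System), the following POSIX shell script does two things the messages above describe: it checks a flatfile.txt for the UID:x.x.x.x / PWD:password form Marc quotes, so a malformed entry is caught before the CA's debug log complains, and it wraps the getca + enroll sequence Fortunato ran, with the -v, -d and -t 15 options from Marc's command line. The dotted-quad IPv4 check and the skipping of blank lines are assumptions drawn from the UID:x.x.x.x form shown above, not documented rules; the CSR is expected to have been produced beforehand (the thread notes mkrequest has to be run first with the UID and PWD values), and the URL, key, CSR and output file names are placeholders.

```shell
#!/bin/sh
# Added example: validate a Certificate System flatfile.txt and wrap the
# sscep getca/enroll steps. Not from the thread or either project.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
# (Assumption: UID entries are IPv4, matching the UID:x.x.x.x form quoted.)
is_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip                               # split on dots into positional params
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Check one flatfile.txt: entries come in UID:/PWD: pairs, in that order,
# UIDs must be IPv4 and passwords non-empty. Blank lines are skipped
# (assumption). Prints one diagnostic per problem; returns 0 when clean.
validate_flatfile() {
    file="$1"
    rc=0
    expect=UID
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '') continue ;;
            UID:*)
                [ "$expect" = UID ] || { echo "line $n: previous UID has no PWD"; rc=1; }
                addr="${line#UID:}"
                is_ipv4 "$addr" || { echo "line $n: UID '$addr' is not an IPv4 address"; rc=1; }
                expect=PWD ;;
            PWD:*)
                [ "$expect" = PWD ] || { echo "line $n: PWD without a preceding UID"; rc=1; }
                [ -n "${line#PWD:}" ] || { echo "line $n: empty PWD"; rc=1; }
                expect=UID ;;
            *)
                echo "line $n: unrecognised entry '$line'"; rc=1 ;;
        esac
    done < "$file"
    [ "$expect" = UID ] || { echo "end of file: last UID has no PWD"; rc=1; }
    return $rc
}

# The getca + enroll sequence from the thread, against the CA's
# pkiclient.exe endpoint. Arguments: URL, private key, CSR, output cert,
# and optionally the file to store the CA certificate in (default ca.crt).
scep_enroll() {
    url="$1"; key="$2"; csr="$3"; out="$4"; cacert="${5:-ca.crt}"
    sscep getca -c "$cacert" -u "$url" || return 1
    sscep enroll -v -d -c "$cacert" -k "$key" -r "$csr" -l "$out" -t 15 -u "$url"
}

# Usage:  sh scep-check.sh check /var/lib/rhpki-ca/conf/flatfile.txt   (on the CA)
#         sh scep-check.sh enroll 'http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe' \
#              local.key local.csr cert.crt                            (on the client)
case "${1:-}" in
    check)  validate_flatfile "$2" ;;
    enroll) scep_enroll "$2" "$3" "$4" "$5" ;;
esac
```

The validator is deliberately strict about pairing: the thread's symptom (a FAILURE with "Transaction not permitted or supported", and duplicate-request complaints in /var/log/rhpki-ca/debug) gives no hint about which part of the setup is wrong, so catching a UID with no PWD, or an empty password, before the enrollment attempt saves a round of log reading.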




More information about the Pki-users mailing list