[Pki-users] SSCEP enroll using CA
Chandrasekar Kannan
ckannan at redhat.com
Fri Apr 24 01:30:42 UTC 2009
On Thu, 2009-04-23 at 21:19 -0400, Fortunato wrote:
> Solved.
>
> The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)
>
> And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.
>
> --
>
> All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.
from the docs for RA ..
SCEP Enrollment
In a SCEP enrollment scenario, you use the EE interface to
submit a request in order to retrieve a one-time PIN. The RA
agent is notified of the request and, after validating the
requestor, approves it. Approving the request generates a PIN.
The manager gives this PIN to the router installer. On the
router, the installer enters the URL to the RA and provides the
one-time PIN. The enrollment can then be initiated.
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority.html#Administration_Guide-Introduction-Enrollment_Types
>
> Thanks all. And now I'm off to try this on IPv6...
>
>
> -----Original Message-----
> >From: Marc Sauton <msauton at redhat.com>
> >Sent: Apr 23, 2009 8:43 PM
> >To: Fortunato <fortunato.montresor at earthlink.net>
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] SSCEP enroll using CA
> >
> >Marc Sauton wrote:
> >> Fortunato wrote:
> >>> I'm making lots of progress, but there seems to be a lack (or at
> >>> least its unclear to me still) in the way to configure SCEP
> >>> enrollment on the CA.
> >>>
> >>> All the manual references use the RA thru:
> >>>
> >>> http://<fqdn>:12888/ee/scep/index.cgi
> >>> to configure SCEP.
> >>>
> >>> But in order to get the CA cert and do a SCEP enroll, most examples use:
> >>>
> >>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>>
> >>> Is there something similar to the RA on the CA web gui to create the
> >>> SCEP requests?
> >>>
> >>> Lastly, I'm trying to use sscep as follows:
> >>>
> >>> # ./sscep getca -c ca.crt -u
> >>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>> ...
> >>> ./sscep: CA certificate written as ca.crt
> >>>
> >>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u
> >>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>>
> >>> But all that is returned is:
> >>> ./sscep: sending certificate request
> >>> ./sscep: valid response from server
> >>> ./sscep: pkistatus: FAILURE
> >>> ./sscep: reason: Transaction not permitted or supported
> >>>
> >>> Any helpful logs would be appreciated, but my guess is that I'm
> >>> overlooking a web gui somewhere off port 9080. Is there something in
> >>> the CA or RA that could help identify a more specific FAILURE reason?
> >>>
> >>>
> >> Try to get a look at your /var/log/rhpki-ca/debug file, and check
> >> /var/lib/rhpki-ca/conf/flatfile.txt
> >> should be in the form of:
> >> UID:x.x.x.x
> >> PWD:password
> >> See:
> >> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
> >>
> >In some tests, I think I used mkrequest, and then something like below,
> >with more verbose output:
> >sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l
> >/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
> >
> >>>
> >>> _______________________________________________
> >>> Pki-users mailing list
> >>> Pki-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/pki-users
> >>>
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
More information about the Pki-users
mailing list