[Pki-users] SSCEP enroll using CA

Chandrasekar Kannan ckannan at redhat.com
Fri Apr 24 01:30:42 UTC 2009


On Thu, 2009-04-23 at 21:19 -0400, Fortunato wrote:
> Solved.
> 
> The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section of the manual makes sense now.)
> 
> And, mkrequest has to be run before the enroll request with the UID and PWD options, otherwise /var/log/rhpki-ca/debug complains about duplicate requests.
> 
> --
> 
> All this still begs the question, "How to use the RA to do this?" - but I'll leave that question alone for now.


from the docs for RA ..

SCEP Enrollment
        
        In a SCEP enrollment scenario, you use the EE interface to
        submit a request in order to retrieve a one-time PIN. The RA
        agent is notified of the request and, after validating the
        requestor, approves it. Approving the request generates a PIN. 
        
        The manager gives this PIN to the router installer. On the
        router, the installer enters the URL to the RA and provides the
        one-time PIN. The enrollment can then be initiated. 
        

http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority.html#Administration_Guide-Introduction-Enrollment_Types


> 
> Thanks all. And now I'm off to try this on IPv6...
> 
> 
> -----Original Message-----
> >From: Marc Sauton <msauton at redhat.com>
> >Sent: Apr 23, 2009 8:43 PM
> >To: Fortunato <fortunato.montresor at earthlink.net>
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] SSCEP enroll using CA
> >
> >Marc Sauton wrote:
> >> Fortunato wrote:
> >>> I'm making lots of progress, but there seems to be a lack (or at 
> >>> least it's unclear to me still) in the way to configure SCEP 
> >>> enrollment on the CA.
> >>>
> >>> All the manual references use the RA thru:
> >>>
> >>>   http://<fqdn>:12888/ee/scep/index.cgi
> >>> to configure SCEP.
> >>>
> >>> But in order to get the CA cert and do a SCEP enroll, most examples use:
> >>>
> >>>   http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>>
> >>> Is there something similar to the RA on the CA web gui to create the 
> >>> SCEP requests?
> >>>
> >>> Lastly, I'm trying to use sscep as follows:
> >>>
> >>>   # ./sscep getca -c ca.crt -u 
> >>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>>   ...
> >>>   ./sscep: CA certificate written as ca.crt
> >>>
> >>>   # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u 
> >>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
> >>>
> >>> But all that is returned is:
> >>>   ./sscep: sending certificate request
> >>>   ./sscep: valid response from server
> >>>   ./sscep: pkistatus: FAILURE
> >>>   ./sscep: reason: Transaction not permitted or supported
> >>>
> >>> Any helpful logs would be appreciated, but my guess is that I'm 
> >>> overlooking a web gui somewhere off port 9080. Is there something in 
> >>> the CA or RA that could help identify a more specific FAILURE reason?
> >>>
> >>>   
> >> Try to get a look at your /var/log/rhpki-ca/debug file, and check 
> >> /var/lib/rhpki-ca/conf/flatfile.txt
> >> should be in the form of:
> >> UID:x.x.x.x
> >> PWD:password
> >> See:
> >> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html 
> >>
> >In some tests, I think I used mkrequest, and then something like below, 
> >with more verbose output:
> >sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l 
> >/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe 
> >-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
> >
> >>>  
> >>> _______________________________________________
> >>> Pki-users mailing list
> >>> Pki-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/pki-users
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
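The two things the thread settles are that the CA authenticates a SCEP request against UID/PWD records in flatfile.txt, and that the CSR has to come from mkrequest (with the UID and PWD options) and be submitted once. The helper functions below are an added example written for this page, not code from the thread, sscep or Red Hat Certificate System. They assume the flat file holds UID:/PWD: pairs with one blank-line-separated record per client, where UID is the requesting client's address as in Marc's example; the mkrequest options are passed through untouched because their exact spelling depends on the sscep version installed, and the constructed records used in testing are not from the page.

```shell
#!/bin/sh
# Added example (not from the thread, sscep or RHCS): CA-side flat-file
# records for SCEP authentication, plus the client-side sscep sequence.
# Assumed record layout: "UID:<client address>" / "PWD:<one-time pin>",
# records separated by a blank line.

FLATFILE="${FLATFILE:-/var/lib/rhpki-ca/conf/flatfile.txt}"

# flatfile_lookup UID [FILE]: print the PWD for UID, return 1 if absent.
# Parsing uses ${line#UID:} so IPv6 addresses (which contain colons) survive.
flatfile_lookup() {
    uid="$1"; file="${2:-$FLATFILE}"
    [ -r "$file" ] || return 1
    match=no
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "UID:$uid") match=yes ;;
            UID:*)      match=no ;;
            PWD:*)      if [ "$match" = yes ]; then
                            printf '%s\n' "${line#PWD:}"; return 0
                        fi ;;
        esac
    done < "$file"
    return 1
}

# flatfile_add UID PWD [FILE]: append one record.  Rejects empty values and
# whitespace (the file is line oriented), refuses a UID that is already
# present so the CA never sees two records for one client, and keeps the
# file private because the pins are stored in cleartext.
flatfile_add() {
    uid="$1"; pin="$2"; file="${3:-$FLATFILE}"
    case "$uid" in
        ""|*[[:space:]]*) echo "flatfile_add: bad UID" >&2; return 1 ;;
    esac
    case "$pin" in
        ""|*[[:space:]]*) echo "flatfile_add: bad PWD" >&2; return 1 ;;
    esac
    if flatfile_lookup "$uid" "$file" >/dev/null 2>&1; then
        echo "flatfile_add: UID $uid already in $file" >&2; return 1
    fi
    ( umask 077; printf 'UID:%s\nPWD:%s\n\n' "$uid" "$pin" >> "$file" ) || return 1
    chmod 600 "$file"
}

# scep_enroll URL CACERT KEY CSR CERT [mkrequest options...]
# Client side of the sequence from the thread: mkrequest first (it writes the
# key and CSR into the current directory; pass the UID and PWD options your
# mkrequest expects), then getca, then a single enroll.  A CSR is generated
# only when none exists, since re-submitting one makes the CA log a duplicate
# request.  Requires sscep, mkrequest and openssl in PATH when called.
scep_enroll() {
    url="$1"; cacert="$2"; key="$3"; csr="$4"; cert="$5"; shift 5
    if [ ! -s "$csr" ]; then
        mkrequest "$@" || return 1
    fi
    sscep getca -c "$cacert" -u "$url" || return 1
    # getca runs over plain HTTP, so the CA cert is unauthenticated: compare
    # this fingerprint with one obtained out of band before enrolling.
    openssl x509 -in "$cacert" -noout -fingerprint -sha256 || return 1
    sscep enroll -v -d -k "$key" -r "$csr" -l "$cert" -t 15 \
        -u "$url" -c "$cacert"
}
```

Run flatfile_add on the CA host for each router before it enrolls, and scep_enroll on the client with the same UID/PWD values; if enroll still answers "Transaction not permitted or supported", /var/log/rhpki-ca/debug is the place that says which check failed.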