[Pki-users] SCEP: List Request: "Error Certificate Not Issued." However, certificate is issued successfully to client

Erwin Himawan ehimawan at gmail.com
Wed Mar 24 20:59:17 UTC 2010


Hi All,

I have been playing with DCS in a test environment and so far I am happy
with its functionalities.

During the SCEP test, I looked into various information generated by the CA
in processing a SCEP request.  However, I noticed that the information
obtained through the "list request" was not consistent with the information
obtained from the "list certificate."  According to the "list request" my
SCEP request encountered an error and the certificate was not issued.
However, in the "List Certificate", this SCEP request
was successfully processed and resulted in the issuance of a certificate.
Likewise, at the SCEP client, the SCEP client also successfully obtained
the certificate.

Is this a bug, or is my SCEP test procedure not correct?

Here is my SCEP test procedure:
1. Using the RA webform, I applied for a SCEP PIN
2. Logging in as an RA, I approved the PIN request; the output of this
approval is a PIN, which I distributed to the SCEP client using an
out-of-band method.
3. My SCEP client is Simple SCEP (sscep).
4. Using the mkrequest -ip 10.8.122.131 [PIN], I created the CSR.  I could
see that the PIN is included in the CSR as the challenge-password attribute.
5. Assuming I have successfully obtained the CA certificate, using the sscep
enroll -c ca.crt -k local.key -r local.csr -l local.crt -u
http://ra.fqdn:12888/ee/scep/pkiclient.cgi, I started SCEP enrollment.
6. After a quick wait time, my SCEP client obtained the certificate from the
CA.

After the CA has successfully issued this certificate to my SCEP client, I
checked the CA "list requests" and "list certificates" pages.

At the "list request" page, I filtered for all types of requests and all
statuses of requests. The output of this query is formatted into three columns:
"status", "assigned to", and "subject."
My SCEP client request has "status=completed".  The "assigned to" and "subject"
are empty. Further opening this record, the CA indicates that there is an
error; i.e. the issued certificate section contained: "Error Certificate Not
Issued".

When I opened the "list certificates" and searched for the SCEP client
certificate, the SCEP client certificate was there with status "valid".

Thanks in advance.

Regards,
Erwin