[Pki-users] Auto Enrollment Proxy for Windows with Dogtag CA?

Thomas.Peter2 at swisscom.com Thomas.Peter2 at swisscom.com
Thu Oct 21 08:54:21 UTC 2010


RESOLVED! YAY!

Ha! Guess what I found in the logfile "debug" in the same directory: "Use HTTPS port '9444' instead of '9445' when performing EE tasks!". Lol, it was that easy. Works like a charm now!
Thanks for the hint to the log files again!

Greets Thomas
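As an added diagnostic example (not from this thread or the Dogtag project): a small Python triage script that parses the Tomcat access log for failed end-entity requests like the 404 above, and pulls the port hint out of the CA's "debug" log so the mismatch is spotted without reading the log by hand. The log lines are constructed samples, and the debug log's line prefix is an assumed layout.

```python
import re
from collections import Counter

# Constructed sample in the format of the Tomcat access log quoted in the thread
# (/var/lib/pki-ca/logs/localhost_access_log.<date>.txt); the 404 lines mirror the
# one Thomas posted, the others are invented for contrast.
SAMPLE_ACCESS_LOG = """\
192.168.1.10 - - [21/Oct/2010:10:26:48 +0200] "POST /ca/ee/ca/profileSubmitSSLClient HTTP/1.1" 404 5765
192.168.1.10 - - [21/Oct/2010:10:27:02 +0200] "POST /ca/ee/ca/profileSubmitSSLClient HTTP/1.1" 404 5765
192.168.1.20 - - [21/Oct/2010:10:30:11 +0200] "GET /ca/ee/ca/profileList HTTP/1.1" 200 3124
192.168.1.10 - - [21/Oct/2010:10:41:55 +0200] "POST /ca/ee/ca/profileSubmitSSLClient HTTP/1.1" 200 2201
"""

# Constructed sample of the CA "debug" log; the message text is the one quoted in
# the thread, the timestamp prefix is an assumed layout.
SAMPLE_DEBUG_LOG = """\
[21/Oct/2010:10:26:48]: Use HTTPS port '9444' instead of '9445' when performing EE tasks!
"""

# Common log format: client, identity, user, [timestamp], "request", status, size.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')
PORT_HINT_RE = re.compile(r"Use HTTPS port '(?P<use>\d+)' instead of '(?P<got>\d+)' when performing EE tasks")

def parse_access_log(text):
    """One dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries

def failed_ee_requests(entries):
    """End-entity (/ca/ee/) requests the CA answered with an HTTP error."""
    return [e for e in entries if e["path"].startswith("/ca/ee/") and e["status"] >= 400]

def failure_summary(entries):
    """Failures counted per (client, endpoint, status), so one misconfigured client stands out."""
    return Counter((e["ip"], e["path"], e["status"]) for e in failed_ee_requests(entries))

def port_hints(debug_text):
    """(port_to_use, port_actually_used) pairs found in the CA debug log."""
    return [(int(m["use"]), int(m["got"])) for m in PORT_HINT_RE.finditer(debug_text)]
```

On a real host, `failure_summary(parse_access_log(open(path).read()))` over the day's access log gives the per-client view, and `port_hints` over the debug log tells you whether the client is simply talking to the wrong port.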

From: Peter Thomas, SCS-HR-RCU-UMT
Sent: Thursday, October 21, 2010 10:44 AM
To: 'pki-users at redhat.com'
Subject: RE: [Pki-users] Auto Enrollment Proxy for Windows with Dogtag CA?

Hi Jack!

Thank you for your response!

I didn't even know about those log files, thanks for the hint. And yes, I'm getting something there. Every time I do (exactly) this <http://directory.fedoraproject.org/wiki/HowTO:_Windows_Domain_Controller_certificate_enrollment> or the command line part described here <http://directory.fedoraproject.org/wiki/Auto_Enroll_Enrollment>, I get a line like the following in the log file "/var/lib/pki-ca/log/localhost_access_log.2010-10-21.txt" on my Dogtag CA host:

192.168.1.10 - - [21/Oct/2010:10:26:48 +0200] "POST /ca/ee/ca/profileSubmitSSLClient HTTP/1.1" 404 5765

Obviously something is not right (404!), but what? The address 192.168.1.10 is the address of my domain controller. I also attached the wireshark trace that produced the line above to this mail (192.168.1.13 is the IP address of my Dogtag CA host).

Do you (or anybody) have an idea what might be going on?

Thank you!

Thomas



From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Jack Magne
Sent: Wednesday, October 20, 2010 6:46 PM
To: pki-users at redhat.com
Subject: Re: [Pki-users] Auto Enrollment Proxy for Windows with Dogtag CA?

On 10/20/2010 05:35 AM, Thomas.Peter2 at swisscom.com wrote:
Hi!

Can anybody help me with the following question:

Is it possible to use the Auto Enrollment Proxy for Windows <http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment> (AEP) with a Dogtag CA?

More precisely:
I set up a Dogtag Certification Authority <http://pki.fedoraproject.org/wiki/PKI_Main_Page> on a computer running Fedora 13. It works fine through the web interface that is provided with the Dogtag Certificate System. I also set up AEP according to all the instructions found here <http://directory.fedoraproject.org/wiki/Auto_Enroll_Documentation>. I'm pretty sure that I did all the configuration needed in my Windows domain and the corresponding Active Directory. When I request a certificate from the domain controller (I request a certificate of the type 'Domain Controller', as described here <http://directory.fedoraproject.org/wiki/HowTO:_Windows_Domain_Controller_certificate_enrollment>), I can capture a fair amount of TCP traffic (with Wireshark) between the domain controller and the computer that is running the Dogtag CA on the correct port (default 9445). However, my Dogtag CA seems to reject the certificate signing requests (CSR) it receives from my Windows domain controller; the domain controller issues the error message "The certificate request cannot be created. The requested property value is empty". I know this error message does not really state what I observe: why would there be traffic on the wire if the CSR has not even been created (Windows...)? If I request a certificate from the command line, as described here <http://directory.fedoraproject.org/wiki/Auto_Enroll_Enrollment>, I get the error message "The parameter is incorrect. 0x80070057 (WIN32: 87)".

I did not do any special AEP related configuration on my Dogtag CA, as this <http://directory.fedoraproject.org/wiki/Auto_Enroll_RHCSConfiguration> page seems to be incomplete.

Do I need to configure my Dogtag CA in any way for this to work or wouldn't it work at all (because a Dogtag CA might not really be a Red Hat Certificate System CA)?

Thank you for your help!

Thomas Peter

Hi:

Are you getting anything from the CA's logs when this request is issued? Located in /var/lib/pki-ca/logs.