[Pki-users] SCEP Enrollment fails with Certificate not found .
Elliott William C OSS sIT
WilliamC.Elliott at s-itsolutions.at
Tue Nov 25 12:23:13 UTC 2014
We want to post the results of our solution to problem(s) we were having.
In all, we had three different issues to overcome to get SCEP Enrollment working under RHEL6/Dogtag 9 when using Safenet HSMs.
1. "Certificate not found: osstest:caSigningCert cert-pki-testca1"
This message is somewhat misleading because the correct combination of token and CA nickname are displayed. However the debug messages from
method CryptoContext show that mNickname incorrectly has the token name prepended twice, and is what throws the exception:
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: token name: osstest'
[05/Nov/2014:13:29:59][http-9180-1]: CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
As described in my first post, mNickname is modified with every call to CryptoContext - an additional token name is then prepended with every call.
In fact, using a HSM, the CA nickname already contains the token name when mNickname is set in init(), and needs never be prepended.
Commenting out the offending line in CrypoContext() resolves the issue, when a HSM is used:
pki-core-9.0.3-38.el6_6.src.rpm and pki-core-9.0.3-32.el6.src.rpm - both are identical in CRSEnrollment.java:
1973 if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
1974 mTokenName.equalsIgnoreCase("Internal Key Storage Token") ||
1975 mTokenName.length() == 0) {
1976 keyStorageToken = cm.getInternalKeyStorageToken();
1977 internalKeyStorageToken = keyStorageToken;
1978 CMS.debug("CRSEnrollment: CryptoContext: internal token name: '"+mTokenName+"'");
1979 } else {
1980 keyStorageToken = cm.getTokenByName(mTokenName);
1981 internalKeyStorageToken = null;
1982 // mNickname = mTokenName + ":" + mNickname;
1983 CMS.debug("CRSEnrollment: CryptoContext: token name: "+mTokenName+"'");
1984 }
For some reason, the following relatively careful conditional prepending of the token name was removed from the init() methond and placed into CryptoContext() in version 9.0.3 that is packaged with RHEL6. In these versions we tested, mNickname is brutally prepended with every call.
The following version 9 in the Dogtag git repository still had it right, and also in version 10 it's also correct again:
DOGTAG_9_0_FEDORA_15_16_17_20111028
176 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
177 mTokenName.equalsIgnoreCase("Internal Key Storage Token") ||
178 mTokenName.length() == 0)) {
179 int i = mNickname.indexOf(':');
180 if (!((i > -1) && (mTokenName.length() == i) && (mNickname.startsWith(mTokenName)))) {
181 mNickname = mTokenName + ":" + mNickname;
182 }
183 }
DOGTAG_10_1_1_1_FEDORA_20_20140321
248 if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
249 mTokenName.equalsIgnoreCase("Internal Key Storage Token") || mTokenName.length() == 0)) {
250 int i = mNickname.indexOf(':');
251 if (!((i > -1) && (mTokenName.length() == i) && (mNickname.startsWith(mTokenName)))) {
252 mNickname = mTokenName + ":" + mNickname;
253 }
254 }
*******************
Should we submit a bug report for this in the current RHEL6 packages?
We'd love to see this fixed in the RH packages and not have to compile our own packages with every update of RHEL6.
*******************
2. Could not to unwrap PKCS10 blob
[14/Nov/2014:08:30:08][http-9180-1]: failed to unwrap PKCS10 org.mozilla.jss.crypto.SymmetricKey$NotExtractableException
[14/Nov/2014:08:30:08][http-9180-1]: ServletException javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null
Here, the CA is unable to process requests from the client (again sscep) encrypted with 3DES although this is the single allowed algorithm enabled by default.
I have no idea what is causing this error, but the workaround is to fall back to DES: allow DES in CS.cfg and configure it on the client.
When using no HSM, just a local nss keystore, the error doesn't occur.
3. FIPS 140-2 mode
The same error message in 2. occurs when the HSM is _not_ in FIPS mode. Both RHEL6/Dogtag 9 and RHEL5/Dogtag 1.3 LunaSA 4 and 5. Without FIPS mode activated, all requests fail with Could not unwrap PKCS10 blob: null. (also when des is used for request)
Workaround: activate FIPS mode on the HSM. -
Case 3. (and maybe case 2.) is very similar to, if not related to [the still open] Bug 825887 (https://bugzilla.redhat.com/show_bug.cgi?id=825887). There, it was the activation of FIPS mode for a local NSS database which triggered the issue. (I assume that FIPS mode for NSS prevents the cloning/exporting of keys - which is of course always the behavior of the HSM, regardless of FIPS mode. ) Our requests also failed at exactly the same call getDESKeyGenerator().clone as described in the Bug 825887.
Best regards,
William
-----Original Message-----
From: Elliott William C OSS sIT
Sent: Dienstag, 21. Oktober 2014 14:55
To: pki-users at redhat.com
Subject: RE: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]
(sorry for the delay - I was out of the office for some time)
The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said. But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but now we configure the ca with pkisilent with the same default values to make sure the configuration doesn't change from one test to the next.
The only change we make is afterwords to enable scep in the config:
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16
The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag 1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.
We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying.
Here are the results of your suggestions below :
** 1. This is our current configuration which always produces the exception.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 2. Setting ca.scep.nickname at first produced no discernable change,
other than, requests for the ca cert. with "sscep getca" then fail reliably.
Due to token name not being set:
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the problem.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest' <-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1' <-- from sscep enroll request
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
best regards,
William
-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
>> setup for SCEP enrollment. But, no matter whether we try the older
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]:
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the
>> service, with the first request, the HSM token name appears to be
>> listed twice in the *mNickname* string. Interestingly, with each new
>> request, the number of token names increases by one in the string.
>> i.e. with the 2^nd attempt, the same exception occurs but the token
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstraße 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
>> of Vienna
>>
>> This message and any attached files are confidential and intended
>> solely for the addressee(s). Any publication, transmission or other
>> use of the information by a person or entity other than the intended
>> addressee is prohibited. If you receive this in error please contact
>> the sender and delete the material. The sender does not accept
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list