[Pki-users] SCEP Enrollment fails with Certificate not found .

Christina Fu cfu at redhat.com
Thu Oct 2 00:14:52 UTC 2014 

btw, I'm not suggesting that you need either or both config params.

three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you 
intend to use anyway)

2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the 
ca, it will find the token for you)

3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca 
signing cert.. )

Let us know.
Christina

On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs 
>> setup for SCEP enrollment.  But, no matter whether we try the older 
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a 
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: 
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the 
>> service, with the first request, the HSM token name appears to be 
>> listed twice in the *mNickname* string.  Interestingly, with each new 
>> request, the number of token names increases by one in the string. 
>> i.e. with the 2^nd attempt, the same exception occurs but the token 
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: 
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: 
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>>         at 
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>>         at 
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>         at 
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>>         at 
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>>         at 
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>>         at 
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>>         at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException 
>> javax.servlet.ServletException: Failed to process message in CEP 
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of 
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating 
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does 
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this 
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstraße 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at 
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court 
>> of Vienna
>>
>> This message and any attached files are confidential and intended 
>> solely for the addressee(s). Any publication, transmission or other 
>> use of the information by a person or entity other than the intended 
>> addressee is prohibited. If you receive this in error please contact 
>> the sender and delete the material. The sender does not accept 
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141001/4309f22e/attachment.htm>

More information about the Pki-users mailing list