[Pki-users] error -12271 trying to ESC connect to TPS

Ebbe Hansen ehansen at spyrus.com
Tue Nov 25 19:32:29 UTC 2008


If I do not have a certificate in my cert-store issued by the RedHat CA
(ESC running on windows-XP) the browser (IE) indicates "The page cannot
be displayed".

The server is a "straight" RedHat 7.3 PKI installation with latest
FireFox installed. Could FireFox have changed some of the original
RedHat 7.3 SSL libraries?

Ebbe


-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com] 
Sent: Tuesday, November 25, 2008 11:25 AM
To: Ebbe Hansen
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS

Ebbe:

When you go to the URL with the browser, does it ask you for a cert?
This is unusual, I will have to check around for you.

thanks,
jack

Ebbe Hansen wrote:
> Jack,
>
> In my configuration the URL actually is:
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>
> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
> observe the error:
>
> "Could not establish an encrypted connection because your certificate
> was rejected by
> Redhat4.spyrus.com. Error Code: -12271"
>
>
> When accessing the TPS with a browser I receive the following display:
>
> <?xml version="1.0" encoding="UTF-8" ?> 
> - <ServiceInfo>
>   <IssuerName>Spyrus, Inc.</IssuerName> 
> - <Services>
>   <Operation>https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi</Operation>
>   <UI>https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi</UI>
>   <EnrolledTokenBrowserURL>http://www.spyrus.com</EnrolledTokenBrowserURL>
>   <EnrolledTokenURL />
>   <TokenType>userKey</TokenType> 
>   </Services>
>   </ServiceInfo>
>
>
> Ebbe
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com] 
> Sent: Monday, November 24, 2008 6:30 PM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> Try this as your phone home URL.
>
> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>
> Also, you can try this with a browser and it should simply print out a
> simple XML file for you.
>
> I will take a look at the doc and see how it can be improved.
>
> Ebbe Hansen wrote:
>   
>> Jack,
>>
>> I am trying to set up the initial "phone home" configuration with the
>> intent to Format a blank token.
>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>> connection must be secured using https (e.g.
>> "https://smartcardserver.example.com:7888").
>>
>> When connecting to the Admin services for all other PKI components (CA,
>> DRM, TKS and TPS) a client certificate is required to gain access. The
>> error message I observe when trying to connect with the ESC indicates a
>> client certificate is also expected in this case - but I haven't found
>> anything in the ESC Guide that documents this?
>>
>> Ebbe
>>
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne at redhat.com] 
>> Sent: Monday, November 24, 2008 9:54 AM
>> To: Ebbe Hansen
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Could you state exactly what operation you are trying to do with ESC 
>> with respect to TPS.
>> Are you performing the "phone home" step or actually attempting an 
>> enrollment?
>> The default case should not require client auth which appears to be the
>> case with your error.
>>
>> thanks,
>> jack
>>
>> Ebbe Hansen wrote:
>>   
>>     
>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>
>>> The error message says: "Could not establish an encrypted connection
>>> because your certificate was rejected. Error -12271".
>>>
>>> Looks like the ESC needs a user certificate and key to establish SSL
>>> connection.
>>>
>>> Not sure how the ESC can be configured to access a dedicated user 
>>> certificate & key? Can ESC detect and possibly use the TPS Admin 
>>> cert/key if running on same platform?
>>>
>>> Ehansen @ SPYRUS Corp.