[Pki-users] SSCEP enroll using CA
Fortunato
fortunato.montresor at earthlink.net
Thu Apr 23 23:53:03 UTC 2009
I'm making lots of progress, but there seems to be a lack (or at least its unclear to me still) in the way to configure SCEP enrollment on the CA.
All the manual references use the RA thru:
http://<fqdn>:12888/ee/scep/index.cgi
to configure SCEP.
But in order to get the CA cert and do a SCEP enroll, most examples use:
http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
Is there something similar to the RA on the CA web gui to create the SCEP requests?
Lastly, I'm trying to use sscep as follows:
# ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
...
./sscep: CA certificate written as ca.crt
# ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
But all that is returned is:
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported
Any helpful logs would be appreciated, but my guess is that I'm overlooking a web gui somewhere off port 9080. Is there something in the CA or RA that could help identify a more specific FAILURE reason?
More information about the Pki-users
mailing list