[Pki-users] SSCEP enroll using CA
Marc Sauton
msauton at redhat.com
Fri Apr 24 00:43:33 UTC 2009
Marc Sauton wrote:
> Fortunato wrote:
>> I'm making lots of progress, but there seems to be a lack (or at
>> least its unclear to me still) in the way to configure SCEP
>> enrollment on the CA.
>>
>> All the manual references use the RA thru:
>>
>> http://<fqdn>:12888/ee/scep/index.cgi
>> to configure SCEP.
>>
>> But in order to get the CA cert and do a SCEP enroll, most examples use:
>>
>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>
>> Is there something similar to the RA on the CA web gui to create the
>> SCEP requests?
>>
>> Lastly, I'm trying to use sscep as follows:
>>
>> # ./sscep getca -c ca.crt -u
>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>> ...
>> ./sscep: CA certificate written as ca.crt
>>
>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u
>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>
>> But all that is returned is:
>> ./sscep: sending certificate request
>> ./sscep: valid response from server
>> ./sscep: pkistatus: FAILURE
>> ./sscep: reason: Transaction not permitted or supported
>>
>> Any helpful logs would be appreciated, but my guess is that I'm
>> overlooking a web gui somewhere off port 9080. Is there something in
>> the CA or RA that could help identify a more specific FAILURE reason?
>>
>>
> Try to get a look at your /var/log/rhpki-ca/debug file, and check
> /var/lib/rhpki-ca/conf/flatfile.txt
> should be in the form of:
> UID:x.x.x.x
> PWD:password
> See:
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html
>
In some tests, I think I used mkrequest, and then something like below,
with more verbose output:
sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l
/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list