[Pki-users] SSCEP enroll using CA

Marc Sauton msauton at redhat.com
Fri Apr 24 00:43:33 UTC 2009


Marc Sauton wrote:
> Fortunato wrote:
>> I'm making lots of progress, but there seems to be a lack (or at 
>> least it's unclear to me still) in the way to configure SCEP 
>> enrollment on the CA.
>>
>> All the manual references use the RA thru:
>>
>>   http://<fqdn>:12888/ee/scep/index.cgi
>> to configure SCEP.
>>
>> But in order to get the CA cert and do a SCEP enroll, most examples use:
>>
>>   http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>
>> Is there something similar to the RA on the CA web gui to create the 
>> SCEP requests?
>>
>> Lastly, I'm trying to use sscep as follows:
>>
>>   # ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>   ...
>>   ./sscep: CA certificate written as ca.crt
>>
>>   # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>
>> But all that is returned is:
>>   ./sscep: sending certificate request
>>   ./sscep: valid response from server
>>   ./sscep: pkistatus: FAILURE
>>   ./sscep: reason: Transaction not permitted or supported
>>
>> Any helpful logs would be appreciated, but my guess is that I'm 
>> overlooking a web gui somewhere off port 9080. Is there something in 
>> the CA or RA that could help identify a more specific FAILURE reason?
>>
>>   
> Try to take a look at your /var/log/rhpki-ca/debug file, and check 
> /var/lib/rhpki-ca/conf/flatfile.txt, which
> should be in the form of:
> UID:x.x.x.x
> PWD:password
> See:
> http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Registration_Authority-Working_With_the_Registration_Authority.html 
>
In some tests, I think I used mkrequest, and then something like below, 
with more verbose output:
  sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr \
    -l /var/tmp/local.crt -t 15 \
    -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe \
    -c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt

>>  
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

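A way to check a file against the UID:x.x.x.x / PWD:password form quoted in the reply above, as an added example that is not part of the original thread or of Red Hat Certificate System. The function names `check_flatfile` and `has_uid`, and the handling of blank and `#` lines, are assumptions; the sample entries are constructed.

```shell
#!/bin/sh
# Added example: validate a flatfile.txt-style file against the
# "UID:x.x.x.x" / "PWD:password" form quoted in the thread.
# Assumptions (not from the thread): blank lines and lines starting with '#'
# are ignored, and every UID line is directly followed by its PWD line.

check_flatfile() {
    # Prints one diagnostic per malformed line (never the password itself)
    # and returns 1 if any problem was found, 0 otherwise.
    awk '
        /^[ \t]*$/ || /^#/ { next }
        /^UID:/ {
            if (pending) { printf "line %d: UID without PWD\n", uidline; bad = 1 }
            if ($0 !~ /^UID:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                printf "line %d: UID is not a dotted-quad address\n", NR; bad = 1
            }
            pending = 1; uidline = NR; next
        }
        /^PWD:/ {
            if (!pending) { printf "line %d: PWD without preceding UID\n", NR; bad = 1 }
            else if ($0 == "PWD:") { printf "line %d: empty password\n", NR; bad = 1 }
            pending = 0; next
        }
        { printf "line %d: unrecognised line\n", NR; bad = 1 }
        END {
            if (pending) { printf "line %d: UID without PWD\n", uidline; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

has_uid() {
    # Succeeds only if the file has an entry for exactly this client address.
    grep -qxF "UID:$2" "$1"
}

# Constructed sample: one well-formed entry, one with a hostname and no password.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'UID:192.0.2.10' 'PWD:example-secret' \
    '' 'UID:router1' 'PWD:' > "$sample"
check_flatfile "$sample" || echo "fix the entries listed above"
has_uid "$sample" 192.0.2.10 && echo "entry present for 192.0.2.10"
rm -f "$sample"
```

Trailing spaces or carriage returns on a UID line are reported as a malformed address, since the whole line has to match the form.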