[Pki-users] SCEP Authentication
Andrew Wnuk
awnuk at redhat.com
Fri May 21 22:49:33 UTC 2010
Erwin,
Could you open a bug including all details?
Thank you,
Andrew
On 05/21/10 11:48, Erwin Himawan wrote:
> Andrew,
>
> Thanks for your suggestion. I changed the value of auth.instance_id in
> the caRouterCert profile to be "empty" (i.e. no value) per your
> suggestion.
>
> I could verify through the debug file that the CA accepts this empty
> value when I run my SCEP test again.
> The snippet of the debug file:
>
> Found profile=caRouterCert
> Retrieving Authenticator
> no Authenticator Found >> this log suggests that the changes take
> effect
>
> Despite that no Authenticator is Found, the CA does not put the
> request in the agent queue.
> The CA issues the SCEP client a certificate.
>
> Now, when I check this particular request through the CA-agent web
> interface; i.e. (List Request, Request Type: Show All Request, Request
> Status: Show All Request), I noticed that the request was completed.
>
> Although the CA marks this request as completed, this request does not
> show its associated issued certificate, despite the fact that the
> SCEP client is issued a certificate. When I further explore this
> "completed request", this is what I got:
>
> Request:
> Status: complete
> Type: enrollment
>
> Subject Public Key:
> Algorithm: undefined
> Public Key: undefined
>
> Issued Cert:
> Error: certificate not issued
>
>
> Any idea why the CA behaves this way? Is it expected?
>
> Thanks,
> Erwin
>
> On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk <awnuk at redhat.com> wrote:
>
> On 05/20/10 17:51, Erwin Himawan wrote:
>> I would like to configure my DCS's SCEP operation for manual
>> approval, in which the router uses SCEP to submit the request and
>> the CA agent will manually approve the request and modify the
>> request (if needed).
>>
>> Does anybody have any idea how to configure the DCS CA?
>>
>> I am thinking of cloning the caRouterCert profile. I am not sure
>> what to specify to enable agent to approve the incoming request.
>> Am I in the right direction?
>
> You could try to modify the caRouterCert profile by replacing
> auth.instance_id=raCertAuth
> with
> auth.instance_id=
> Adding a new profile requires extending the profile list in CS.cfg.
>
>>
>> Thanks,
>> Erwin
>>
>