[Pki-users] SCEP Authentication

Andrew Wnuk awnuk at redhat.com
Fri May 21 22:49:33 UTC 2010


Erwin,

Could you open a bug including all details?

Thank you,
Andrew

On 05/21/10 11:48, Erwin Himawan wrote:
> Andrew,
>
> Thanks for your suggestion. I changed the value of auth.instance_id in
> the caRouterCert profile to be "empty" (i.e. no value) per your
> suggestion.
>
> I could verify through the debug file that the CA accepts this empty 
> value when I run my SCEP test again.
> The snippet of the debug file:
>
> Found profile=caRouterCert
> Retrieving Authenticator
> no Authenticator Found >> this log suggests that the change takes
> effect
>
> Despite no Authenticator being found, the CA does not put the
> request in the agent queue.
> The CA issues the SCEP client a certificate.
>
> Now, when I check this particular request through the CA-agent web
> interface, i.e. (List Request, Request Type: Show All Request, Request
> Status: Show All Request), I noticed that the request was completed.
>
> Although the CA marks this request as completed, this request does not
> show its associated issued certificate, despite the fact that the
> SCEP client is issued a certificate. When I further explore this
> "completed request", this is what I got:
>
> Request:
>    Status: complete
>    Type: enrollment
>
> Subject Public Key:
>     Algorithm: undefined
>     Public Key: undefined
>
> Issued Cert:
>    Error: certificate not issued
>
>
> Any idea why the CA behaves this way?  Is it expected?
>
> Thanks,
> Erwin
>
> On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk <awnuk at redhat.com> wrote:
>
>     On 05/20/10 17:51, Erwin Himawan wrote:
>>     I would like to configure my DCS's SCEP operation for manual
>>     approval, in which the router uses SCEP to submit the request and
>>     the CA agent will manually approve the request and modify the
>>     request (if needed).
>>
>>     Does anybody have any idea how to configure the DCS CA?
>>
>>     I am thinking of cloning the caRouterCert profile.  I am not sure
>>     what to specify to enable agent to approve the incoming request.
>>     Am I in the right direction?
>
>     You could try to modify caRouterCert profile by replacing
>         auth.instance_id=raCertAuth
>     with
>         auth.instance_id=
>     Adding a new profile requires extending the profile list in CS.cfg.
>
>>
>>     Thanks,
>>     Erwin
>>
>
