[Pki-users] Auto Enrollment Proxy for Windows with Dogtag CA?

Jack Magne jmagne at redhat.com
Wed Oct 20 16:46:29 UTC 2010


On 10/20/2010 05:35 AM, Thomas.Peter2 at swisscom.com wrote:
> Hi!
> Can anybody help me with the following question:
> Is it possible to use the _Auto Enrollment Proxy for Windows_ 
> <http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment> 
> (AEP) with a Dogtag CA?
> More precisely:
> I set up a _Dogtag Certification Authority_ 
> <http://pki.fedoraproject.org/wiki/PKI_Main_Page> on a computer 
> running Fedora 13. It works fine through the web interface that is 
> provided with the Dogtag Certificate System. I also set up AEP 
> according to all the instructions found _here_ 
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_Documentation>. 
> I'm pretty sure that I did all the configurations needed in my Windows 
> domain and the corresponding Active Directory. When I request a 
> certificate from the domain controller (I request a certificate of the 
> type 'Domain Controller', as described _here_ 
> <http://directory.fedoraproject.org/wiki/HowTO:_Windows_Domain_Controller_certificate_enrollment>), 
> I can capture a fair amount of TCP traffic (with Wireshark) between 
> the domain controller and the computer that is running the Dogtag CA 
> on the correct port (default 9445). However, my Dogtag CA seems to 
> reject the certificate signing requests (CSR) it receives from my 
> Windows domain controller; the domain controller issues the error 
> message "The certificate request cannot be created. The requested 
> property value is empty". I know this error message does not really 
> state what I observe: why would there be traffic on the wire if the 
> CSR has not even been created (Windows...)? If I request a certificate 
> from the command line, as described _here_ 
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_Enrollment>, I 
> get the error message "The parameter is incorrect. 0x80070057 (WIN32: 
> 87)".
> I did not do any special AEP related configuration on my Dogtag CA, as 
> _this_ 
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_RHCSConfiguration> page 
> seems to be incomplete.
> Do I need to configure my Dogtag CA in any way for this to work or 
> wouldn't it work at all (because a Dogtag CA might not really be a Red 
> Hat Certificate System CA)?
> Thank you for your help!
> Thomas Peter
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    
Hi:

Are you getting anything from the CA's logs when this request is issued? 
Located in /var/lib/pki-ca/logs.
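To make the log check above concrete, here is an added shell example (not part of this thread and not Dogtag's own tooling) that scans a CA log directory for rejection-style entries and for lines stamped in the minute a request was seen on the wire, so they can be correlated with a Wireshark capture. The default directory /var/lib/pki-ca/logs comes from the reply; the sample log lines, timestamps, file names and addresses are constructed for the demonstration and do not claim to match the real Dogtag log format.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a small constructed
# log directory so the scan runs offline; on a real host set LOGDIR to
# /var/lib/pki-ca/logs (the location named in the reply).

# make_sample_logs: create a temp dir with constructed sample log files
# and print its path. Line format and contents are invented for the demo.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/system" <<'EOF'
[20/Oct/2010:14:31:02][http-9445-1]: CA request received from 192.0.2.10
[20/Oct/2010:14:31:02][http-9445-1]: profile caServerCert: request rejected: required input missing
[20/Oct/2010:14:40:17][http-9445-2]: CA request received from 192.0.2.11
EOF
    cat > "$dir/transactions" <<'EOF'
[20/Oct/2010:14:31:02][http-9445-1]: enrollment from 192.0.2.10 status=rejected
[20/Oct/2010:14:40:17][http-9445-2]: enrollment from 192.0.2.11 status=complete
EOF
    printf '%s\n' "$dir"
}

# scan_ca_logs DIR PATTERN: print every line under DIR matching the
# case-insensitive extended regex PATTERN, prefixed with file and line number.
scan_ca_logs() {
    grep -rinE "$2" "$1" 2>/dev/null || true
}

# count_ca_matches DIR PATTERN: number of lines scan_ca_logs would print.
count_ca_matches() {
    scan_ca_logs "$1" "$2" | wc -l | tr -d ' '
}

# scan_ca_logs_at DIR STAMP: lines whose timestamp starts with STAMP
# (e.g. 20/Oct/2010:14:31), to line up with the time of a packet capture.
scan_ca_logs_at() {
    grep -rnF "[$2" "$1" 2>/dev/null || true
}

# Stand-alone run: scan the constructed logs for rejection keywords.
LOGDIR=${LOGDIR:-$(make_sample_logs)}
echo "Rejection-style entries under $LOGDIR:"
scan_ca_logs "$LOGDIR" 'reject|error|empty'
echo "Entries at 20/Oct/2010:14:31:"
scan_ca_logs_at "$LOGDIR" '20/Oct/2010:14:31'
```

On a live system, run it as `LOGDIR=/var/lib/pki-ca/logs sh scan.sh` right after triggering the enrollment, and pass the minute shown in the Wireshark capture to `scan_ca_logs_at`; an enrollment that reaches the CA but is refused should leave a rejection entry there, while an empty result points back to the Windows side never completing the request.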