[Pki-users] Auto Enrollment Proxy for Windows with Dogtag CA?
Jack Magne
jmagne at redhat.com
Wed Oct 20 16:46:29 UTC 2010
On 10/20/2010 05:35 AM, Thomas.Peter2 at swisscom.com wrote:
> Hi!
> Can anybody help me with the following question:
> Is it possible to use the _Auto Enrollment Proxy for Windows_
> <http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment>
> (AEP) with a Dogtag CA?
> More precisely:
> I set up a _Dogtag Certification Authority_
> <http://pki.fedoraproject.org/wiki/PKI_Main_Page> on a computer
> running Fedora 13. It works fine through the web interface that is
> provided with the Dogtag Certificate System. I also set up AEP
> according to all the instructions found _here_
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_Documentation>.
> I'm pretty sure that I did all the configurations needed in my Windows
> domain and the corresponding Active Directory. When I request a
> certificate from the domain controller (I request a certificate of the
> type 'Domain Controller', as described _here_
> <http://directory.fedoraproject.org/wiki/HowTO:_Windows_Domain_Controller_certificate_enrollment>),
> I can capture a fair amount of TCP traffic (with Wireshark) between
> the domain controller and the computer that is running the Dogtag CA
> on the correct port (default 9445). However, my Dogtag CA seems to
> reject the certificate signing requests (CSR) it receives from my
> Windows domain controller; the domain controller issues the error
> message "The certificate request cannot be created. The requested
> property value is empty". I know this error message does not really
> state what I observe: why would there be traffic on the wire if the
> CSR has not even been created (Windows...)? If I request a certificate
> from the command line, as described _here_
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_Enrollment>, I
> get the error message "The parameter is incorrect. 0x80070057 (WIN32:
> 87)".
> I did not do any special AEP related configuration on my Dogtag CA, as
> _this_
> <http://directory.fedoraproject.org/wiki/Auto_Enroll_RHCSConfiguration> page
> seems to be incomplete.
> Do I need to configure my Dogtag CA in any way for this to work or
> wouldn't it work at all (because a Dogtag CA might not really be a Red
> Hat Certificate System CA)?
> Thank you for your help!
> Thomas Peter
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
Hi:
Are you getting anything from the CA's logs when this request is issued?
They are located in /var/lib/pki-ca/logs.
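As an added illustration of the log check suggested in the reply above (this is not code from the thread or from the Dogtag project): a small POSIX shell helper that scans the log files under /var/lib/pki-ca/logs for entries that look like a rejected request, counts them so a single reproduction on the domain controller can be compared before and after, and offers a manual TLS probe of the port named in the question (9445). The file names debug, system and transactions, the match keywords, the hostname and the sample log lines are assumptions and constructed data, not Dogtag's documented log format.

```shell
#!/bin/sh
# Added example, not from the thread or the Dogtag project: triage helpers for the
# CA log directory named in the reply. Assumptions (not verified against Dogtag's
# documented log format): the files are called debug, system and transactions, and a
# rejected request leaves a line containing one of the keywords matched below.
CA_LOG_DIR="${CA_LOG_DIR:-/var/lib/pki-ca/logs}"
CA_HOST="${CA_HOST:-localhost}"
CA_PORT="${CA_PORT:-9445}"   # port from the original question

# Print every suspicious line from the three log files, prefixed with the file name.
scan_ca_logs() {
    dir="$1"
    for f in "$dir/debug" "$dir/system" "$dir/transactions"; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        grep -iE 'reject|fail|error|exception' "$f" | sed "s|^|$name: |"
    done
}

# Number of suspicious lines, for a quick before/after comparison around one request.
count_ca_failures() {
    scan_ca_logs "$1" | wc -l | tr -d ' '
}

# Write constructed sample logs into $1 so the helpers can be exercised without a CA.
# These lines are made up for the example; they are not real Dogtag output.
make_sample_ca_logs() {
    d="$1"
    mkdir -p "$d"
    printf '%s\n' \
        '[20/Oct/2010:11:35:12 UTC] EE servlet started' \
        '[20/Oct/2010:11:35:40 UTC] enrollment request rejected: subject is empty' \
        > "$d/debug"
    printf '%s\n' 'CA subsystem started' > "$d/system"
    printf '%s\n' \
        'request 7 received from dc.example.com' \
        'request 7 status: failed' \
        > "$d/transactions"
}

# Confirm that the port the domain controller talks to answers TLS and show the
# server certificate's subject, issuer and validity; a server certificate the Windows
# host does not trust is worth ruling out. Needs network access, so not run by default.
probe_ca_tls() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage: reproduce the request on the domain controller, then run
#   sh this_script.sh                    # scans $CA_LOG_DIR (silent if it is absent)
#   probe_ca_tls "$CA_HOST" "$CA_PORT"   # manual TLS check against the CA port
scan_ca_logs "$CA_LOG_DIR"
```

Run the scan once before and once after triggering the enrollment from the domain controller; a difference in the count points at the log file to read in full.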