Hi Matthias!
Thanks for the reply. I'll try to explain my problem in a little more detail:

When requesting a certificate which contains a serial number and IP address, the DN looks something like this:

unstructuredName=router.test.domain+unstructuredAddress=123.234.123.234+serialNumber=ABC098765AB,CN=router.test.domain

And the "+" signs are the cause of all the trouble. When trying to issue the certificate it results in an "Error 700: The compilation of the command cmdIssueCertificate failed. openssl syntax for multi-valued RDNs is unknown at /usr/lib/perl5/vendor_perl/5.8.8/X500/DN.pm line 104".

This Perl module was written in 2002 and it seems that it was never updated. :-( I don't even know whether it came with the OpenCA installation or with another Perl package. Anyhow, when exporting the certificate request (or doing a cut and paste from the log file) I can sign the request with openssl on the command line - something like:

openssl ca -batch -config /usr/local/openca/ca/etc/openssl/openssl/VPN_Server.conf -keyfile /usr/local/openca/ca/var/crypto/keys/cakey.pem -extfile /usr/local/openca/ca/etc/openssl/extfiles/VPN_Server.ext -preserveDN -in /root/tmp/req.pem

does the job quite well. In this case I receive a certificate. I can import the cert into CA and RA ... but it's never delivered to the router by the SCEP server. (A command-line "enrollment term" followed by "crypto pki import openca.test.domain certificate" on the router works fine too.)

This problem was discussed in an earlier thread opened by Kurt Hockenmaier. But as soon as you modify a request by hand, the cert is rejected by the router (in the thread mentioned above the PIX accepted the cert... ).

So the easiest way for me would be a proper import of the cert. But I actually don't know how to do so.

Thanks for the support and best regards

Jörg Kirmße
