Hi Oliver,

thanks for your help, SCEP is now working for me. I successfully enrolled
with a Cisco VPN Client 4.6.00.45 on Win2K.
I will go on testing with various other Cisco devices (VPN Clients, IOS,
PIX and VPN Concentrators).

Great work to all developers!!!

Regards
Michael


>Hi Michael,
>
>I don't have any idea about SCEP but the error seems to be related to a
>very simple issue:
>>
>> <html xmlns="http://www.w3.org/1999/xhtml" lang="C"
>> xml:lang="C"><head><title>Allgemeiner Fehler</title>
>> </head><body bgcolor="#FFFFFF"><CENTER><BR><HR
>> WIDTH=80%><BR></CENTER><OL><OL><H1><FONT COLOR=red>Fehler
>> 6293017</FONT></H1><OL> <B>Allgemeiner Fehler</B> Es gibt ein Problem mit
>> der Konfiguration. Ein Nutzer kann nur auf eine Rolle abgebildet werden,
>> wenn die Authentifizierung über Zertifikate durchgeführt worden
>> ist.</OL></OL></OL>
>
>Go to etc/access_control/scep.xml  and  set "map_user_to_role" to no -
>restart the daemon and try again....
>
>Oliver
> Common Informations
>  ------------------------------------------------
>  OpenCA Version  : 0.9.2.1
>  Perl Version    : v5.8.4
>  OpenSSL Version : 0.9.7e
>  Operating System: Linux Debian SID Kernel 2.6.9
>  ------------------------------------------------
>  
> Problem Description:
> 
> Hi I tried to get SCEP working, but no success.
> I created new keys and certs for SCEP (2048 bit, ROLE : Webserver)
> 
> When I try with some SCEP client to retrieve the CA cert I get the
> following error:
> 
> with SSCEP:
> 
> gaia:/usr/local/src/sscep# ./sscep getca -f ./sscep.conf
> ./sscep: starting sscep, version 20030417
> ./sscep: hostname: 192.168.0.170
> ./sscep: directory: cgi-bin/scep/scep
> ./sscep: port: 80
> ./sscep: SCEP_OPERATION_GETCA
> ./sscep: requesting CA certificate
> ./sscep: scep msg: GET
> /cgi-bin/scep/scep?operation=GetCACert&message=CAIdentifier HTTP/1.0
> 
> ./sscep: server returned status code 200
> ./sscep: wrong MIME content type
> ./sscep: error while sending message
> 
> 
> If I try with Cisco VPN Client 4.6.00.45 I also get an error. When I decode
> the Ethereal trace I can see the following response from the SCEP RA:
> (sorry, only in German, I have no clue how to change SCEP to English error
> messages ...)
> 
> <html xmlns="http://www.w3.org/1999/xhtml" lang="C"
> xml:lang="C"><head><title>Allgemeiner Fehler</title>
> </head><body bgcolor="#FFFFFF"><CENTER><BR><HR
> WIDTH=80%><BR></CENTER><OL><OL><H1><FONT COLOR=red>Fehler
> 6293017</FONT></H1><OL> <B>Allgemeiner Fehler</B> Es gibt ein Problem mit
> der Konfiguration. Ein Nutzer kann nur auf eine Rolle abgebildet werden,
> wenn die Authentifizierung über Zertifikate durchgeführt worden
> ist.</OL></OL></OL>
> 
> Here my SCEP config in config.xml
> 
>         <!-- ===================== -->
>         <!-- configuration of SCEP -->
>         <!-- ===================== -->
> 
>         <option>
>             <name>SCEP_RA_CERT</name>
>             <value>/home/openca/certs/scep-cert.pem</value>
>         </option>
>         <option>
>             <name>SCEP_RA_KEY</name>
>             <value>/home/openca/certs/scepkey.pem</value>
>         </option>
>         <option>
>             <name>SCEP_RA_PASSWD</name>
>             <value></value>
>         </option>
> 
> 
> Is it a requirement that the SCEP key and cert are in some specific
> directory? Must they be in the www directory, or is it enough if the
> webserver is able to read the certs and keys?
> 
> Thanks
> Michael
> 
>  
> 

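An added example, not part of the original thread and not code from OpenCA or sscep: a small check for the failure described above, where GetCACert returns status 200 but an HTML error page instead of a certificate. The function name, the sample responses and the `Content-Type` header on the error page are assumptions; the thread shows only the HTML body.

```python
import re
from email.parser import Parser

# Content types a SCEP client accepts for GetCACert: a single CA certificate,
# or a degenerate PKCS#7 carrying the CA and RA certificates.
GETCACERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}

def check_getcacert(raw: bytes) -> dict:
    """Classify a raw HTTP response to operation=GetCACert (hypothetical helper)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block.replace("\r\n", "\n"), headersonly=True)
    ctype = headers.get_content_type()
    result = {"status": status, "content_type": ctype, "ok": False, "reason": ""}
    if status != 200:
        result["reason"] = f"HTTP status {status}"
    elif ctype not in GETCACERT_TYPES:
        # Status 200 with an HTML body is an application error page, which is
        # what a SCEP client reports as "wrong MIME content type".
        text = body.decode("iso-8859-1", "replace")
        h1 = re.search(r"<h1>(.*?)</h1>", text, re.I | re.S)
        heading = " ".join(re.sub(r"<[^>]+>", " ", h1.group(1)).split()) if h1 else ""
        result["reason"] = f"unexpected content type {ctype}" + (f": {heading}" if heading else "")
    elif not body.startswith(b"\x30"):
        result["reason"] = "body does not start with a DER SEQUENCE tag"
    else:
        result["ok"] = True
    return result

# Constructed sample 1: error page modelled on the one in the thread; the
# Content-Type header is an assumption, the thread shows only the body.
ERROR_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><head><title>Allgemeiner Fehler</title></head><body>"
    b"<H1><FONT COLOR=red>Fehler\n6293017</FONT></H1></body></html>"
)
# Constructed sample 2: correct content type with a placeholder DER-like body.
GOOD_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n\r\n"
    b"\x30\x82\x01\x00" + b"\x00" * 256
)

if __name__ == "__main__":
    for name, raw in (("error page", ERROR_RESPONSE), ("certificate", GOOD_RESPONSE)):
        print(name, check_getcacert(raw))
```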