Hi Marc,

> I have included the dump from an sscep attempt. As you can see, sscep
> submits the request to my OpenCA server correctly.
>
> I manually approve and sign the request on the RA and CA, and check the
> VALID list on the Public side, and all is well. However, SSCEP fails to
> download the certificate, even though it does acknowledge that it's
> there...
>
> Anyone had a similar experience? This is only a test system so I'm not
> concerned that the certificates are included.

this is great news, as your SCEP enrollment is basically working. However, the error message indicates that the *client* does not get what it expects.

The SCEP standard draft requires that the CN specified in the original request must match the issued certificate's DN. This is very likely not the case for your example, and although I have not checked it myself I guess it's the serial number that was inserted into the CN.

In etc/servers/ca.conf.template (and also in ra.conf.template, just to be sure) change this option to "No":

SET_CERTIFICATE_SERIAL_IN_DN "N"

Then it should work.

cheers

Martin
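
The subject check described in the reply above can be reproduced offline with openssl. This is an added example, not part of the original message and not OpenCA or sscep code; the file names, DN values and the "4711" suffix are constructed, and self-signed certificates stand in for CA-issued ones because only the subject field matters here.

```shell
#!/bin/sh
# Compare the subject of a PKCS#10 request with the subject of the
# certificate issued for it. All names and DN values are constructed.

# Print the subject DN in RFC 2253 form, without the "subject=" prefix.
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# Return 0 if request and certificate print the same subject, else 1.
# This compares the printed form only, not the DER encoding of the name.
check_subject_match() {
    req_dn=$(csr_subject "$1")
    crt_dn=$(cert_subject "$2")
    if [ -n "$req_dn" ] && [ "$req_dn" = "$crt_dn" ]; then
        echo "MATCH:    $req_dn"
        return 0
    fi
    echo "MISMATCH: request     = $req_dn"
    echo "          certificate = $crt_dn"
    return 1
}

# Build constructed sample material in directory $1:
#   client.csr   request with the subject the client asked for
#   same.pem     certificate that keeps the request's subject
#   altered.pem  certificate whose CN has extra data appended (a stand-in
#                for a CA that writes the serial number into the DN)
make_demo() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -subj "/C=DE/O=Example/CN=router1.example.test" \
        -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -signkey "$1/client.key" \
        -days 1 -out "$1/same.pem" 2>/dev/null
    openssl req -new -x509 -key "$1/client.key" -days 1 \
        -subj "/C=DE/O=Example/CN=router1.example.test 4711" \
        -out "$1/altered.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_subject_match "$demo_dir/client.csr" "$demo_dir/same.pem"
check_subject_match "$demo_dir/client.csr" "$demo_dir/altered.pem" || true
```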
