Hi dalini, see inline
dalini wrote : > but the sscep error looks, like something isn't working like expected > sometimes its a bit confusing which cert is for ra and ca at the > scep-client configuration... so maybe you should try for the sscep > client to change the certs used f=FCr encryption and ca parameters in the > config file, usaly this can be a source for errors the sscep error is now gone, it was as you suggested. the sscep client took the wrong certificate. After I changed this in the sscep.conf, I was able to successfully download my cert after signing. > what operations are u doing with the certificates > on the ca/ra side - changes in dn and so on... I tried both changing the request and also leave the request untouched > some devices have special requirements for this > so the request from cisco devices have combined attributes > (with "+" in the editform) - you should move them to the left most > entries, best on top of the others - like the entries for fqdn and ip, > mainly this should be: unstructuredAddress and unstructuredName I tried this, but at no success, strange enough I did a manual PKCS10 enrollment from the same VPN3000 Concentrator, and there the VPN3000 has no problems with the cert fields :-( So is this SCEP specific that I have to change the cert values ? Anybody already got VPN3000 to OpenCA SCEP interface successfully running ? I can now confirm that the VPN Client (4.06.03.0021) on WinXP is also able to successfully enroll with OpenCA SCEP interface (no changes in cert are nessecary) Regarding IOS Routers, I saw in the debug of the router that the router already failed to enroll and upload the CSR request. I will try with different IOS version... here is the router log : Jun 26 20:19:09.338: E ../cert-c/source/certobj.c(1295) : Error #72Ah Jun 26 20:19:09.338: E ../cert-c/source/certobj.c(719) : Error #72Ah Jun 26 20:19:09.338: E ../cert-c/source/p7certsq.c(62) : Error #703h Jun 26 20:19:09.338: crypto_certc_pkcs7_extract_certs_and_crls failed (1795): Jun 26 20:19:09.338: crypto_certc_pkcs7_extract_certs_and_crls failed Jun 26 20:19:09.342: %CRYPTO-6-CERTFAIL: Certificate enrollment failed. Greetings Michael -- Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie! Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl ------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click _______________________________________________ Openca-Users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openca-users
