Hi,

>>please check your setup:
>
>>- SCEP RA certificate is configured for OpenCA
>
> How can I check this? I checked the key usage and it's Digital Signature,
> Non Repudiation, Key Encipherment, Data Encipherment Usage. Is it enough?

Looks good and should work. Somewhat Christmas-treeish, but OK for
the time being... (DigitalSignature and KeyEncipherment should be
sufficient)

>>- SCEP RA key does not (!) have a passphrase, a passphrase must be
>>set in config.xml, but it is ignored (my experience).
>
> Is it the passphrase which is asked when I want to download the ScepRA
> certificate and Key in the RA web interface? I set and unset this
> passphrase as the ScepRAPasswd in the config.xml without success.

As I said, the password is IGNORED and not used. You must leave
your SCEP private key unprotected (without pass phrase). Check this
with openssl rsa -text -in <file>, it should print the private key
data without asking for a pass phrase.
It will NOT work otherwise in the current version.

>>On the client side try to get the CA certificates (getcacert).
>>Verify that the first certificate returned is the SCEP RA certificate
>
> It's OK. Before using the sscep getca command, the parameter CACertfile in
> sscep.conf was ./ca.crt-0

Yes, should be OK.

> After launching this command I have two files
>
> ca.crt-0-0 SCEP certificate
>
> ca.crt-0-1 CA certificate

Seems to be OK.

> I go in /usr/local/ssl, the path I indicate in the RA configuration. After
> doing an openssl version I see 0.9.7a. Oh!!!!!!!!!!!!!!! my god, I've
> installed the 0.9.7c version and it seems that it's the 0.9.7a version
> which is used by OpenCA. Can this be the problem?

Maybe, maybe not. It's best to make sure you have as few causes
for error as possible...

Martin



_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
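
Added example (not part of Martin's message or of OpenCA): a non-interactive version of the pass phrase check discussed in the thread. It reads only the PEM headers, so it never prompts and never prints private key data, and it also checks the file mode, since a key without a pass phrase is protected by file permissions alone. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Classify a PEM private key from its headers only: no prompt, no key output.
# Prints encrypted | unencrypted | not-a-key | unreadable.
# Returns 0 only when the key is stored without a pass phrase.
pem_key_state() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo unreadable; return 2; }
    # PKCS#8 encrypted container
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        echo encrypted; return 1
    fi
    # Traditional OpenSSL PEM marks encryption in the Proc-Type header
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        echo encrypted; return 1
    fi
    if grep -Eq -- '-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----' "$keyfile"; then
        echo unencrypted; return 0
    fi
    echo not-a-key; return 2
}

# An unprotected key relies on file permissions alone: succeed only when
# group and other have no access (mode ends in 00, e.g. 600 or 400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage: sh check_scep_key.sh /path/to/scep-ra-key.pem   (path is a placeholder)
if [ $# -gt 0 ]; then
    state=$(pem_key_state "$1") || true
    echo "key state: $state"
    key_mode_ok "$1" || echo "warning: key file is accessible to group/other"
fi
```

A result of "unencrypted" together with a mode of 600 or 400 matches the setup the thread describes as required for the SCEP RA key.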
