Ives Steglich wrote:

If you edit the request, you should NOT use the available + connected
fields in the subject name:

this is what the request may look like:
name  value
name  value
name1 value1 + name1 value2 + namex value x

you should transform it into

name value
name value
name1 value1
name2 value2
namex valuex

and make sure that the + connected fields from the request are empty!

as i just saw, your certificates have the form:
Subject: C=DE, O=XEN Test RA, OU=Trustcenter, CN=apache/serialNumber=5

usually cisco-devices don't like to get a certificate back with a
changed cn, you are not at this stage yet but if the device rejects the
certificate you should disable this automatic attachment of the serial
number in the cn... this can be changed in etc/servers/##.conf.template
(## = ra, ca, etc.  Value: SET_CERTIFICATE_SERIAL_IN_DN) to enable or
disable it


Dalini,

I've also checked the pending requests, nothing in the database. I've also changed the host+domain name of the pix
to create different requests - same result.

But to be sure I've set up a completely new CA and RA installation.
The request of the pix was still rejected without ScepRenewalRDNMatch "unstructuredName". After configuring ScepRenewalRDNMatch "unstructuredName" the request was accepted and following your recommendations for editing the request (also setting up SET_CERTIFICATE_SERIAL_IN_DN),
the PIX received its certificate.

Dalini and Martin - Thanks a lot for your patience and your guidance !
OpenCA is a great piece of work and the developers will keep a safe place in my hall of fame :-)

Cheers
Kurt
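
The flattening step from the quoted advice (one name/value line per attribute, no "+"-connected fields left), as an added example that is not part of the original messages and not OpenCA code. The subject string is constructed sample data and the function names are hypothetical; it assumes a comma-separated DN in which "\" escapes and double quotes protect literal "+" and "," characters.

```python
# Added example: flatten "+"-joined (multi-valued) RDNs in a subject DN.
# SAMPLE is constructed data, not a request taken from the thread.

def split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped
    or enclosed in double quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def has_multivalued_rdn(dn):
    """True if any RDN of the subject still contains a '+'-joined attribute."""
    return any(len(split_unescaped(r, "+")) > 1 for r in split_unescaped(dn, ","))

def flatten_subject(dn):
    """Return (name, value) pairs, one attribute per RDN, in original order."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            ava = ava.strip()
            if not ava:
                continue
            name, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {ava!r}")
            pairs.append((name.strip(), value.strip()))
    return pairs

SAMPLE = r"unstructuredName=pix.example.test+serialNumber=1234abcd, OU=Trust\+center, O=Example RA, C=DE"

if __name__ == "__main__":
    print("multi-valued RDN present:", has_multivalued_rdn(SAMPLE))
    for name, value in flatten_subject(SAMPLE):
        print(f"{name:18} {value}")
```

Each returned pair corresponds to one name/value line in the edited request; the escaped "+" in the OU value is left alone because it is part of the value, not an RDN joiner.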







