Hi Julius,

which exact problems do you have when you request a certificate with IP address or serial number in it? Does OpenCA make any problems or does the router not accept the delivered certificate?

I also set up a CA with Cisco routers requesting their certificates over SCEP and that worked fine, but I did not include IP address or certificates.

I am not sure, but I think in scep.conf you have to choose a default role for SCEP requests and there you can also decide in which format the DN will be, and I think it has to be unstructuredName.

Furthermore you must have a look at pub.conf, ra.conf and ca.conf that they do not add additional entries like email or cert serial to the DN, because then the Cisco router won't accept the certificate any more.

Kind regards,
Matthias

On 5/24/07, Geier Julius <[EMAIL PROTECTED]> wrote:
> Hi all,
> I've done almost well, but now I'm stuck! :-(
>
> I have a CA and a RA running on SuSE Linux quite well. Also basic SCEP is
> working. My SCEP-Client is a CISCO-Router. As long as I request
> certificates without serial number and IP-address the CA can sign the
> request and it is automatically imported by the router.
>
> Unfortunately there is a requirement for including IP-address and/or serial
> number. In this case I experienced problems with the DN.pm perl-module. (...
> multivalued dn not supported or so ...)
>
> So I exported the request and signed it externally with all configurations
> used by openca (something like openssl ca -keyfile /usr/local/ssl ....
> -extfile ... and so on)
>
> As a result I got the certificate. I created a new pem-file and imported it
> (tar cvf /usr/local/openca/ca/var/tmp/fd0 * ) to ca and ra with no problem.
> Last but not least the certificate was in both databases (cadb and radb in
> the certificate-table).
>
> But unfortunately it is not delivered to the router (traced with wireshark).
> As soon as I enroll the certificate manually on the router (cut and paste
> via command line) everything is working fine.
>
> My simple questions are: what is the scep-server looking for in the
> database? How can I export and import certificates from an external CA (in
> fact, openssl commandline would be enough for me ;-) )?
>
> I would really appreciate, if someone could help me. If logfile is required,
> pls. send a short message. Debug is always switched on in log.xml - but it's
> a huge amount of data.
>
> Thanks and best regards
>
> Jörg Kirmße
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
