Hi Marian,

thanks for the feedback. The empty DN problem is a known issue - we are currently reworking the SCEP implementation which will improve the logging and remediate this issue.

For the system status, you are right - the status is critical if there is no valid crl.

Oliver

On 14.12.2015 at 09:25, Marian Thieme wrote:
Hello again,

I did a bit more testing: generate crl, create certificates, revoke a certificate, regenerate the crl and found that there is no problem here. Everything works as expected. Only the scep enrollment didn't work. After checking the logs (openxpki.log) again I noticed a suspicious entry:

2015/12/14 09:05:39 openxpki.system.ERROR:1923 [OpenXPKI::Crypto::CLI (435); raop(RA Operator)@08ee] OpenSSL error: Using configuration from /var/tmp/openxpki19239E0vq3Zb
Check that the request matches the signature
Signature ok
end of string encountered while processing type of subject name element #3

And indeed, while generating my playing certificate and the csr, I didn't specify a common name. When specifying the CN attribute, the workflow finished successfully! Maybe the error message (or workflow failure reason) could be kind of more exact.

Another point, regarding the system status: Is it possible that when having no crl generated (even an empty one) the system status is indicated as critical?

Regards,
Marian

On 12/13/15 16:57, Marian Thieme wrote:

I used the openxpki script /usr/share/doc/libopenxpki-perl/examples/sampleconfig.sh

The System Status page lists 2 tokens with status online: certsign and datasafe

I noticed, on the top of that page there is a warning saying: your system status is critical!

On 12/13/15 09:37, Oliver Welter wrote:

Hi,

On 12.12.2015 at 14:52, Marian Thieme wrote:

Afterwards I manually approved it but for some reason I cannot finish it. It stays in state PREPARED (Paused) with reason: "Certificate signing token is not online". Will reconsult the SCEP docs and revise what I did so far.

This is not scep related, your CA key is not usable. Did you use the sampleconfig script or did you create your keys by hand? Check the "Information -> System Status" page, you should see a "certsign" token here and this must be online.

Oliver

------------------------------------------------------------------------------
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
-- Protect your environment - close windows and adopt a penguin!
