Hi Everyone,

I am trying to achieve certificate auto enrollment using sscep for some
debian clients.
All scep enroll requests fail with the error "Requester is not in
authorized signer list."
What I do not understand is where is the authorized signer list defined?
I thought I was doing unauthorized requests, not requests on behalf of someone else, so why
do I need the authorized signer at all?

---- Some more detailed background - I just wanted to put my questions
first ----

The goal is to have some kind of "zero touch" certificate enrollment.
As a first testing step no authentication is required.
( I do not want to put complexity too high at the moment :) )

I have installed openxpki on debian 8.11 and I am able to get the CA
certificates on my debian 9 clients with sscep installed using:

    sscep getca -u $SRV_OPENXPKI -v -c $scepra_crt_f

I then create the certificate request using the following, which also works without any
problem:

    openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes -subj "${SUBJECTPATH}/CN=${COMMONNAME}"

After this I try to enroll the certificate using the previously created CSR:

    sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c "${scepra_crt_f}-0" -l $crt_f -t 10 -n 1

The certificate_enroll workflow corresponding to the request fails within
openxpki due to error: "Requester is not in authorized signer list."

The errors I can see within the openxpki logs are:

    openxpki.application.INFO Execute action global_check_authorized_signer on workflow #2815 [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
    2018/10/13 06:31:14 2815 Trusted Signer chain validation FAILED
    2018/10/13 06:31:14 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
    2018/10/13 06:31:14 2815 Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE).
    2018/10/13 06:31:14 openxpki.application.INFO Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE. [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]

I have already tried to make changes according to the following mailing
list entry:
https://sourceforge.net/p/openxpki/mailman/message/34705147/

And tried to find some information within the following documentation:
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
https://media.readthedocs.org/pdf/openxpki/stable/openxpki.pdf

Unfortunately all without luck.

Maybe you can help me understand.
Thanks in advance.

Kind Regards

Martin
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
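An added shell lab (written by the editor, not taken from the post or from the OpenXPKI or sscep projects) that reproduces the three signer situations behind the "Trusted Signer" log lines above: a signer that chains to the trust list, a self-signed signer such as sscep builds for an initial request, and a signer issued by a CA outside the trust list. It assumes openssl is on PATH and that sscep, when given only -k and -r, signs its PKCS#7 with a self-signed certificate generated from that key; all keys, CAs and names are constructed for the lab.

```shell
#!/bin/sh
# Editor's lab: model the signer trust decision behind the log lines.
# Assumption (not from the post or OpenXPKI): sscep with only -k/-r signs
# its request with a self-signed certificate made from the client key.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Toy CA standing in for the RA's trust list (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
# Second, unrelated CA, to produce a signer the trust list does not contain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
  -keyout other.key -out other.pem >/dev/null 2>&1
# Client key and CSR, as in the post.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/C=DE/O=Example Corp/CN=testhost.example.corp" >/dev/null 2>&1
# Signer 1: self-signed from the CSR (what an initial sscep request carries).
openssl x509 -req -in client.csr -signkey client.key -days 1 \
  -out selfsigned.pem >/dev/null 2>&1
# Signer 2: issued by the trusted CA (renewal / on-behalf situation).
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out issued.pem >/dev/null 2>&1
# Signer 3: issued by a CA outside the trust list.
openssl x509 -req -in client.csr -CA other.pem -CAkey other.key \
  -CAcreateserial -days 1 -out foreign.pem >/dev/null 2>&1

# classify_signer SIGNER_PEM TRUST_PEM prints one of:
#   trusted    chain validates against the trust list; the only case a pure
#              "Trusted Signer" chain check accepts by itself
#   initial    self-signed (subject == issuer): a fresh enrollment, which
#              chain trust can never admit, so some other rule (authorized
#              signer list, challenge password, operator approval) must
#   untrusted  signed by a CA the trust list does not contain
classify_signer() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted; return 0
  fi
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then echo initial; else echo untrusted; fi
}

for s in selfsigned issued foreign; do
  printf '%s -> %s\n' "$s" "$(classify_signer "$s.pem" ca.pem)"
done
```

The self-signed case is the one the post's log shows: chain validation fails and the signer DN is simply the CSR subject, which is why the request then depends on whatever rule admits initial enrollments rather than on chain trust.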
