Hi Martin,
there is nothing to set up for anonymous initial enrollment, so it looks
like the workflow does branch into the wrong subtree.
Can you please check in the workflow view what the values for
"csr_subject" and "signer_subject" are and if csr_subject_key_identifier
and signer_subject_key_identifier are set and are equal.
Please also open the workflow history and check what "START_*" state was
passed - I assume you see START_ONBEHALF.
best regards
Oliver
On 13.10.2018 at 12:55, Martin Krämer wrote:
Hi Everyone,
I am trying to achieve certificate auto enrollment using sscep for some
debian clients.
All scep enroll requests fail with the error "Requester is not in
authorized signer list."
What I do not understand is where the authorized signer list is defined.
I thought I was doing unauthorized requests, not requests on behalf...
why do I need the authorized signer at all?
---- Some more detailed background - I just wanted to put my questions
first ----
The goal is to have some kind of "zero touch" certificate enrollment.
As a first testing step no authentication is required.
(I do not want to put complexity too high at the moment :) )
I have installed openxpki on debian 8.11 and I am able to get the CA
certificates on my debian 9 clients with sscep installed using:

    sscep getca -u $SRV_OPENXPKI -v -c $scepra_crt_f

I then create the certificate request using (which works without any
problem, too):

    openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes -subj "${SUBJECTPATH}/CN=${COMMONNAME}"

After this I try to enroll the certificate using the previously created csr:

    sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c "${scepra_crt_f}-0" -l $crt_f -t 10 -n 1
The certificate_enroll workflow corresponding to the request fails
within openxpki due to the error: "Requester is not in authorized signer list."
The errors I can see in the openxpki logs are:

    openxpki.application.INFO Execute action global_check_authorized_signer on workflow #2815 [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
    2018/10/13 06:31:14 2815 Trusted Signer chain validation FAILED
    2018/10/13 06:31:14 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
    2018/10/13 06:31:14 2815 Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE).
    2018/10/13 06:31:14 openxpki.application.INFO Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE. [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
I have already tried to make changes according to the following mailing
list entry:
https://sourceforge.net/p/openxpki/mailman/message/34705147/
And I tried to find some information in the following documentation:
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
https://media.readthedocs.org/pdf/openxpki/stable/openxpki.pdf
Unfortunately all without luck.
Maybe you can help me understand.
Thanks in advance.
Kind Regards
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
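The comparison Oliver asks Martin to make (csr_subject against signer_subject, csr_subject_key_identifier against signer_subject_key_identifier) is the difference between the two workflow branches: a SCEP request is a PKCS#7 signed with some certificate, and if that certificate is self-signed with the CSR's own key the request is an initial enrollment, while a different signer means enrollment on behalf, which is where the authorized signer list comes in. The script below is an added example, not code from the thread or from OpenXPKI: it generates a CSR like Martin's, a self-signed signer certificate from the same key, and a second signer with its own key, then computes and compares the subjects and key identifiers. It assumes openssl 1.1.1 or later in PATH, that the key identifiers in question are the RFC 5280 method (1) Subject Key Identifier of each public key (SHA-1 over the subjectPublicKey bit string), and that an initial sscep enrollment is signed with a self-signed certificate built from the CSR key. The names INITIAL/ONBEHALF, the helper functions and the subjects are the example's own; the example also cross-checks its SKI computation against the extension openssl writes into the certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI.
# Assumes: openssl (1.1.1 or later) in PATH. Keys, CSR and certificates
# are constructed here in a temporary directory; INITIAL/ONBEHALF and the
# helper names are this example's own, not OpenXPKI identifiers.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed subject, mirroring the host in the thread's log lines.
SUBJECT="/O=Example Corp/CN=testhost.example.corp"

# Subject Key Identifier, RFC 5280 4.2.1.2 method (1): SHA-1 over the
# subjectPublicKey BIT STRING, which for RSA is the DER RSAPublicKey.
# Reads a PEM public key on stdin, prints the SKI as lowercase hex.
ski_of_pubkey() {
    openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null \
        | openssl dgst -sha1 | awk '{print $NF}'
}
csr_ski()  { openssl req  -in "$1" -noout -pubkey | ski_of_pubkey; }
cert_ski() { openssl x509 -in "$1" -noout -pubkey | ski_of_pubkey; }

# SKI as actually encoded in a certificate's extension, used to
# cross-check the computation above.
cert_ski_ext() {
    openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
        | awk 'NR==2 { gsub(/[ :]/, ""); print tolower($0) }'
}

# Decide which branch a request would take: INITIAL when the signer is a
# self-signed certificate of the CSR key with the same subject, ONBEHALF
# otherwise. The compared values go to stderr so they can be read next to
# OpenXPKI's csr_subject / signer_subject context items.
classify_request() {
    csr=$1; signer=$2
    csr_subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//')
    signer_subject=$(openssl x509 -in "$signer" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//')
    csr_key=$(csr_ski "$csr")
    signer_key=$(cert_ski "$signer")
    printf 'csr_subject=%s\nsigner_subject=%s\ncsr_ski=%s\nsigner_ski=%s\n' \
        "$csr_subject" "$signer_subject" "$csr_key" "$signer_key" >&2
    if [ "$csr_key" = "$signer_key" ] && [ "$csr_subject" = "$signer_subject" ]; then
        echo INITIAL
    else
        echo ONBEHALF
    fi
}

# 1. Client key and CSR, as in the thread.
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJECT" \
    -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
CSR=$WORK/req.pem

# 2. Self-signed signer certificate from the same key: what an initial
#    enrollment looks like to the server.
openssl req -x509 -new -key "$WORK/key.pem" -subj "$SUBJECT" -days 1 \
    -addext subjectKeyIdentifier=hash -out "$WORK/signer-self.pem" 2>/dev/null
SELF_SIGNER=$WORK/signer-self.pem

# 3. A different key and subject signing the same CSR: enrollment on behalf,
#    so this signer would have to appear in the authorized signer list.
openssl req -x509 -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=ra.example.corp" -days 1 \
    -addext subjectKeyIdentifier=hash \
    -keyout "$WORK/ra-key.pem" -out "$WORK/signer-ra.pem" 2>/dev/null
RA_SIGNER=$WORK/signer-ra.pem

echo "self-signed signer: $(classify_request "$CSR" "$SELF_SIGNER")"
echo "RA-signed request:  $(classify_request "$CSR" "$RA_SIGNER")"
```

Run it as a whole; the two verdict lines are what the workflow's START_* choice amounts to, and the four values printed on stderr are the ones to read off the workflow view. If the self-signed case does not come out as INITIAL with your real CSR and signer, the key identifiers or subjects differ and the request is being treated as on-behalf.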