Hi Oliver,

all your assumptions are correct. Values of csr_subject & signer_subject match. Values of csr_subject_key_identifier & signer_subject_key_identifier match.

Following values (I can share anything since it is just my test environment for now):

csr_subject = CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE
signer_subject = CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE
csr_subject_key_identifier = 1D:70:CB:9F:84:F0:D9:9A:4C:94:74:96:42:35:6F:0B:EE:B1:E7:8E
signer_subject_key_identifier = 1D:70:CB:9F:84:F0:D9:9A:4C:94:74:96:42:35:6F:0B:EE:B1:E7:8E

The "START_*" entry is "START_ONBEHALF". Here is the full entry (every column as a new line):

2018-10-13 06:31:14
START_ONBEHALF
global_set_error_signer_not_authorized
AUTORUN
scep-server-1
openxpki-000001

So you think that instead of having an "unauthorized request" the workflow of "signer on behalf" is started?

From the documentation I understood that there are different types of requests and I thought which workflow type is started depends on:
1. the request type (e.g. if it is enroll or renewal)
2. the policy: section of scep-server-1.yaml

Is that correct?

Thanks for your reply

Kind Regards
Martin

On Sat, 13 Oct 2018 at 16:43, Oliver Welter <[email protected]> wrote:
> Hi Martin,
>
> there is nothing to setup for anonymous initial enrollment so it looks
> like the workflow does branch into the wrong subtree.
>
> Can you please check in the workflow view what the values for
> "csr_subject" and "signer_subject" are and if csr_subject_key_identifier
> and signer_subject_key_identifier are set and are equal.
>
> Please also open the workflow history and check what "START_*" state was
> passed - I assume you see START_ONBEHALF.
>
> best regards
>
> Oliver
>
> On 13.10.2018 at 12:55, Martin Krämer wrote:
> > Hi Everyone,
> >
> > I am trying to achieve certificate auto enrollment using sscep for some
> > debian clients.
> > All scep enroll requests fail with the error "Requester is not in
> > authorized signer list."
> > What I do not understand is where is the authorized signer list defined?
> > I thought I am doing unauthorized requests, not requests on behalf ..
> > why do I need the authorized signer at all?
> >
> > ---- Some more detailed background - I just wanted to put my questions
> > first ----
> >
> > The goal is to have some kind of "zero touch" certificate enrollment.
> > As a first testing step no authentication is required.
> > ( I do not want to put complexity too high at the moment :) )
> >
> > I have installed openxpki on debian 8.11 and I am able to get the CA
> > certificates on my debian 9 clients with sscep installed using:
> > sscep getca -u $SRV_OPENXPKI -v -c $scepra_crt_f
> >
> > I then create the certificate request using (which works without any
> > problem, too):
> > openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes
> > -subj "${SUBJECTPATH}/CN=${COMMONNAME}"
> >
> > After this I try to enroll the certificate using the previously created csr:
> > sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c
> > "${scepra_crt_f}-0" -l $crt_f -t 10 -n 1
> >
> > The certificate_enroll workflow corresponding to the request fails
> > within openxpki due to error: "Requester is not in authorized signer list."
> >
> > The errors I can see within the openxpki logs are:
> > openxpki.application.INFO Execute action global_check_authorized_signer on workflow #2815 [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> > 2018/10/13 06:31:14 2815 Trusted Signer chain validation FAILED
> > 2018/10/13 06:31:14 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> > 2018/10/13 06:31:14 2815 Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE).
> > 2018/10/13 06:31:14 openxpki.application.INFO Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE. [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> >
> > I have already tried to make changes according to the following entry to
> > the mailing list:
> > https://sourceforge.net/p/openxpki/mailman/message/34705147/
> >
> > And tried to find some information within the following documentation:
> > https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
> > https://media.readthedocs.org/pdf/openxpki/stable/openxpki.pdf
> >
> > Unfortunately all without luck.
> >
> > Maybe you can help me understand.
> > Thanks in advance.
> >
> > Kind Regards
> >
> > Martin
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
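Oliver's diagnostic hinges on whether the CSR and the certificate that signed the SCEP request carry the same public key, which is what equal subject key identifiers show. The following standard-library Python is an added example, not part of this thread and not code from OpenXPKI or sscep: it computes a Subject Key Identifier the way RFC 5280 section 4.2.1.2 method (1) and OpenSSL's `subjectKeyIdentifier=hash` do (SHA-1 over the subjectPublicKey bits) from a DER SubjectPublicKeyInfo and compares two of them. The RSA numbers in it are constructed toy values, not a real key. To check real files, feed it the DER public keys produced by `openssl req -in <csr> -noout -pubkey | openssl pkey -pubin -outform DER` and `openssl x509 -in <signer cert> -noout -pubkey | openssl pkey -pubin -outform DER`.

```python
"""Compute an X.509 Subject Key Identifier (RFC 5280, 4.2.1.2, method 1)
from a DER-encoded SubjectPublicKeyInfo and compare two of them.

Standard library only: a minimal DER reader/writer replaces an ASN.1 package.
"""
import hashlib

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded with tag and length
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


# --- minimal DER encoder (only what building a test key needs) ---

def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra leading octet keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _der(0x02, body)


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der(0x30, _der_integer(modulus) + _der_integer(exponent))


def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }"""
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    # BIT STRING content starts with the number of unused bits, 0 for a whole-octet key
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key_der(modulus, exponent))
    return _der(0x30, algorithm + subject_public_key)


# --- minimal DER reader ---

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element); handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ski_from_spki(spki_der: bytes) -> bytes:
    """SHA-1 over the subjectPublicKey BIT STRING value, excluding tag, length and unused-bits octet."""
    tag, spki_body, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, _, after_alg = _read_tlv(spki_body, 0)
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    bits_tag, bits_body, _ = _read_tlv(spki_body, after_alg)
    if bits_tag != 0x03 or bits_body[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return hashlib.sha1(bits_body[1:]).digest()


def format_ski(ski: bytes) -> str:
    """Render like the workflow context above: upper-case hex octets separated by colons."""
    return ":".join(f"{b:02X}" for b in ski)


def same_key(csr_spki_der: bytes, signer_spki_der: bytes) -> bool:
    """True when the CSR and the request-signer certificate carry the same public key."""
    return ski_from_spki(csr_spki_der) == ski_from_spki(signer_spki_der)


if __name__ == "__main__":
    # Constructed toy values so the script runs stand-alone; not a real key, far too small to be secure.
    n, e = 0xC2F1D3E5A7B9CBED0F1123354657798B, 65537
    csr_key = rsa_spki_der(n, e)
    print("CSR SKI    :", format_ski(ski_from_spki(csr_key)))
    print("signer SKI :", format_ski(ski_from_spki(rsa_spki_der(n, e))))
    print("same key   :", same_key(csr_key, rsa_spki_der(n, 3)))
```

When both identifiers come out identical, as they do in Martin's workflow context, the request was signed with the CSR's own key (a self-signed request certificate, which is what sscep generates) rather than with a separate signer certificate; a mismatch would point at a different signing key. The value a certificate actually carries in its extension can be read with `openssl x509 -in <cert> -noout -ext subjectKeyIdentifier` (OpenSSL 1.1.1 or later) and should agree with what this script computes from its public key.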
