Hi Martin,

I am unable to reproduce the problem here...what version on what OS are
you running? Can you upload to pastebin (or send by PM) the CSR/KEY used
so I can check if there are some "hidden characters".

> From the documentation I understood that there are different types of
> requests and I thought which workflow type is started depends on:
> 1. the request type (e.g. if it is enroll or renewal)
> 2. the policy: section of scep-server-1.yaml

I think you are mixing some terms we use in another way - "workflow type"
is the "overall" workflow in OpenXPKI terms, what you are referring to is
the "type of operational mode" and this is only determined by the data
of the request. The settings in the policy section can just turn on or
off certain authentication/approval modes so workflows are directly sent
to failure if something is missing.

Oliver


> Is that correct?
> 
> Thanks for your reply
> 
> Kind Regards
> 
> Martin
> 
> 
> On Sat., 13 Oct. 2018 at 16:43, Oliver Welter <[email protected]> wrote:
> 
>     Hi Martin,
> 
>     there is nothing to setup for anonymous initial enrollment so it looks
>     like the workflow does branch into the wrong subtree.
> 
>     Can you please check in the workflow view what the values for
>     "csr_subject" and "signer_subject" are and if csr_subject_key_identifier
>     and signer_subject_key_identifier are set and are equal.
> 
>     Please also open the workflow history and check what "START_*" state was
>     passed - I assume you see START_ONBEHALF.
> 
>     best regards
> 
>     Oliver
> 
> 
>     On 13.10.2018 at 12:55, Martin Krämer wrote:
>     > Hi Everyone,
>     >
>     > I am trying to achieve certificate auto enrollment using sscep for some
>     > debian clients.
>     > All scep enroll requests fail with the error "Requester is not in
>     > authorized signer list."
>     > What I do not understand is where the authorized signer list is defined?
>     > I thought I am doing unauthorized requests, not requests on behalf ..
>     > why do I need the authorized signer at all?
>     >
>     > ---- Some more detailed background - I just wanted to put my questions
>     > first ----
>     >
>     > The goal is to have some kind of "zero touch" certificate enrollment.
>     > As a first testing step no authentication is required.
>     > ( I do not want to put complexity too high at the moment :) )
>     >
>     > I have installed openxpki on debian 8.11 and I am able to get the CA
>     > certificates on my debian 9 clients with sscep installed using:
>     > sscep getca -u $SRV_OPENXPKI -v -c $scepra_crt_f
>     >
>     > I then create the certificate request using (which works without any
>     > problem, too):
>     > openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes
>     > -subj "${SUBJECTPATH}/CN=${COMMONNAME}"
>     >
>     > After this I try to enroll the certificate using the previously
>     > created csr:
>     > sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c
>     > "${scepra_crt_f}-0" -l $crt_f -t 10 -n 1
>     >
>     > The certificate_enroll workflow corresponding to the request fails
>     > within openxpki due to error: "Requester is not in authorized
>     > signer list."
>     >
>     > The errors I can see within the openxpki logs are:
>     > openxpki.application.INFO Execute action global_check_authorized_signer on workflow #2815 [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
>     > 2018/10/13 06:31:14 2815 Trusted Signer chain validation FAILED
>     > 2018/10/13 06:31:14 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
>     > 2018/10/13 06:31:14 2815 Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE).
>     > 2018/10/13 06:31:14 openxpki.application.INFO Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE. [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
>     >
>     > I have already tried to make changes according to the following entry
>     > to the mailing list:
>     > https://sourceforge.net/p/openxpki/mailman/message/34705147/
>     >
>     > And tried to find some information within the following documentation:
>     > https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
>     > https://media.readthedocs.org/pdf/openxpki/stable/openxpki.pdf
>     >
>     > Unfortunately all without luck.
>     >
>     > Maybe you can help me understand.
>     > Thanks in advance.
>     >
>     > Kind Regards
>     >
>     > Martin
>     >
>     > _______________________________________________
>     > OpenXPKI-users mailing list
>     > [email protected]
>     > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>     >
> 
> 
>     -- 
>     Protect your environment -  close windows and adopt a penguin!
> 
> 
> 
> 




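To make the two checks Oliver asks for concrete, here is an added shell example (not code from this thread or from OpenXPKI) that compares the key behind a CSR with the key that signs the SCEP message, and scans a PEM file for hidden characters. It assumes openssl is installed; the file names, the subject, and the labels "initial"/"onbehalf" are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI: reproduce
# locally the two things Oliver asks Martin to check. Assumes openssl
# is installed; file names and subjects below are constructed.
set -eu

# SHA-1 fingerprint of the SubjectPublicKeyInfo carried in a CSR.
# OpenXPKI compares subject key identifiers; two keys are the same
# exactly when their SPKI fingerprints are, so this serves the same
# purpose without slicing DER by hand.
csr_key_fp() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Same fingerprint from the private key that signs the SCEP message
# (sscep's -k argument).
signer_key_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Prints "initial" when the signer key is the CSR key (anonymous initial
# enrollment) and "onbehalf" when it is not, the branch Oliver expects to
# show up as START_ONBEHALF. The two labels are this example's own.
classify_scep_request() {  # $1 = signer key, $2 = CSR
  if [ "$(signer_key_fp "$1")" = "$(csr_key_fp "$2")" ]; then
    echo initial
  else
    echo onbehalf
  fi
}

# "Hidden characters": succeeds only if the file holds nothing but
# printable ASCII and newlines (no CR, tab, NUL or UTF-8 BOM).
pem_is_clean() {
  ! LC_ALL=C tr -d '[:print:]\n' < "$1" | grep -q .
}

# Constructed demo material: a key pair with its CSR (same openssl req
# call as Martin's), an unrelated key standing in for an older cert's
# key, and a CRLF-damaged PEM file.
WORK=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/host.key" \
  -out "$WORK/host.csr" -subj "/O=Example Corp/CN=testhost.example.corp" 2>/dev/null
openssl genpkey -algorithm RSA -out "$WORK/other.key" 2>/dev/null
printf '%s\r\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MII...' > "$WORK/crlf.csr"
classify_scep_request "$WORK/host.key"  "$WORK/host.csr"   # initial
classify_scep_request "$WORK/other.key" "$WORK/host.csr"   # onbehalf
pem_is_clean "$WORK/crlf.csr" || echo "crlf.csr contains hidden characters"
```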
