Hi, > CSR: https://pastebin.com/etyybJx8
Your CSR Subject contains an invalid encoding of the ST attribute. The DER encoding states that this is a UTF8STRING, but it isn’t. The reason the workflow very likely fails is that it checks string equality of the CSR Subject CSR and a self-signed Cert CSR which the sscep tool builds on-the-fly. Due to the broken encoding the string equality match on the server side is false, and this results in the workflow branching in the „enrollment on behalf“ case. This case is not allowed/configured on your server, hence the request gets rejected. My suggestion is to try to send a request without funny Umlauts and once this works retry with correct UTF8 encoding. Please note that this also requires sscep to handle UTF8 properly. Don’t know if that’s the case. (Personal side note: I’d probably completely leave out the ST attribute for certificates used in Europe/Germany. I'd even go one step further, using the DC notation for EE certs. But that’s probably a matter of taste.) Cheers Martin _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
