Hi Martin, thank you for your reply and the detailed explanation.

Like you suggested, I have removed the ST attribute completely. Unfortunately the result is still the same. The only difference is that within the workflow context I now see "signer_validity_ok = 1" instead of the previous "signer_validity_ok = 1".

Once again the CSR and KEY, if required:

CSR: https://pastebin.com/jkiAUTaE
KEY: https://pastebin.com/zRtYDnGY

Here are the client outputs (I have put the commands from yesterday in a short script for easier usage):

root@c0e6458188af0:~# /root/sscep-request.sh
create certificate request
Generating a 2048 bit RSA private key
...................................................................+++
......+++
writing new private key to '/tmp/scep/scep-test.key'
-----
run sscep enroll
sscep: starting sscep, version 0.6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: openxpki-000001
sscep: directory: scep/scep
sscep: port: 80
sscep: Read request with transaction id: 1530C0219471D901F7DAFBAC5A3AC84C
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
MIIClzCCAX8CAQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5iZXJn
MRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhhZjAw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCowncKGWtoWCmFi0IEjDkU
xi2wIiW+AZ5zoveyw9i7oq+ovlVgSvNc7im8fd1Tzud9GUJa+DCx/HXzeVLRfGSQ
m91F3nmlGNWLTI6qaa6WUlKTl3ZBxXqw/e1P6LvWGZDXw0CYc1oED7CFPOt9i5of
DTXBXvPjJBk6TRhi4Eek141bqMjKdk+Mp4hB6RityRI0uHnnNqiL1j9M+ba3zJ3K
Du2yv9joWAc4LI+R5Fog42frEc0/RoKGsbJ+8U/1iUZdktZQQ8EOFiD9j/eDS2ao
TKnCuXUQ20IVRiWa7YTPGCydOqy96QcMaq8zFxNaUXbYCVvw5flXtVweSYM6wPzv
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAXk/HvaBiTM7iEaP7Zf/GoxLOAEQw
tSLSQM/a313nKq2gg2WQmiYScHWWBNxCBqxotFBUJRp38L7arvzwFUzTUKsvxCSF
TQ/rmNLukqkyBXrSaI5w1sidNBspXmBYS8bCI0rZiHav3/D5A93xep6864pZFQJe
CZt58Uea1j1LpGeWC2A/r/1wQyXqr80HmxMij8pOHjKGpvSNZbZSzSzneLyasL1f
5jZL+7LM+i5AYdlkynnUJ8yGWoTnYpy+jbDTAJ7R7OBLYHkJQ81D7QKHNx9fjBa4
D5e3/KmF7UD/PT0usBUmvqQ/tU9tQ8QkXa1tl61IsoWFNLMFZIeXjRJNFA==
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 667 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1327 bytes
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: applying base64 encoding
sscep: base64 encoded payload size: 3852 bytes
sscep: server returned status code 200
sscep: MIME header: x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 2263 bytes
sscep: PKCS#7 contains 0 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 1530C0219471D901F7DAFBAC5A3AC84C
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: 4B58A8A856766D6E73468A23D4A3659E
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: 7C694BF704971EFBE53D23C4E89D4A06
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
root@c0e6458188af0:~#

And the log files of the OpenXPKI server:

root@openxpki-000001:~# cat /var/log/openxpki/scep.log
2018/10/16 11:37:09 DEBUG:8748 Config for service scep loaded
2018/10/16 11:37:09 INFO:8748 SCEP handler initialized
2018/10/16 11:37:09 DEBUG:8748 Autodetect config file for service scep: scep.conf
2018/10/16 11:37:09 DEBUG:8748 No config file found, falling back to default
2018/10/16 11:37:09 INFO:8748 Incoming request from 192.168.33.32 with PKIOperation
2018/10/16 11:37:10 DEBUG:8748 Response send

root@openxpki-000001:~# cat /var/log/openxpki/catchall.log
2018/10/16 11:37:09 openxpki.application.INFO SCEP incoming request, id 1530C0219471D901F7DAFBAC5A3AC84C [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO SCEP try to start new workflow for 1530C0219471D901F7DAFBAC5A3AC84C [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_initialize on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action global_map_url_params on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action global_load_policy on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action global_set_profile on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_parse_pkcs10 on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_render_subject on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Execute action global_check_authorized_signer on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE). [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_set_mode_onbehalf on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO Execute action global_set_error_signer_not_authorized on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
2018/10/16 11:37:10 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]

root@openxpki-000001:~# cat /var/log/openxpki/workflows.log
2018/10/16 11:37:09 1791 Execute action enroll_initialize on workflow #1791
2018/10/16 11:37:09 1791 Execute action global_map_url_params on workflow #1791
2018/10/16 11:37:09 1791 Execute action enroll_set_workflow_attributes on workflow #1791
2018/10/16 11:37:09 1791 Execute action global_load_policy on workflow #1791
2018/10/16 11:37:09 1791 Execute action global_set_profile on workflow #1791
2018/10/16 11:37:09 1791 Execute action enroll_parse_pkcs10 on workflow #1791
2018/10/16 11:37:10 1791 Execute action enroll_render_subject on workflow #1791
2018/10/16 11:37:10 1791 Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org
2018/10/16 11:37:10 1791 Execute action enroll_set_workflow_attributes on workflow #1791
2018/10/16 11:37:10 1791 Execute action global_check_authorized_signer on workflow #1791
2018/10/16 11:37:10 1791 Trusted Signer chain validation FAILED
2018/10/16 11:37:10 1791 Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE).
2018/10/16 11:37:10 1791 Execute action enroll_set_mode_onbehalf on workflow #1791
2018/10/16 11:37:10 1791 Execute action global_set_error_signer_not_authorized on workflow #1791
root@openxpki-000001:~#

On Mon, 15 Oct 2018 at 20:05, Martin Bartosch <[email protected]> wrote:
> Hi,
>
> > CSR: https://pastebin.com/etyybJx8
>
> Your CSR Subject contains an invalid encoding of the ST attribute. The DER
> encoding states that this is a UTF8STRING, but it isn't.
> The reason the workflow very likely fails is that it checks string
> equality of the CSR Subject and a self-signed Cert CSR which the sscep
> tool builds on-the-fly. Due to the broken encoding the string equality
> match on the server side is false, and this results in the workflow
> branching in the "enrollment on behalf" case. This case is not
> allowed/configured on your server, hence the request gets rejected.
>
> My suggestion is to try to send a request without funny Umlauts and once
> this works retry with correct UTF8 encoding. Please note that this also
> requires sscep to handle UTF8 properly. Don't know if that's the case.
>
> (Personal side note: I'd probably completely leave out the ST attribute
> for certificates used in Europe/Germany. I'd even go one step further,
> using the DC notation for EE certs. But that's probably a matter of taste.)
>
> Cheers
>
> Martin
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
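As an added example (not part of this thread, and not code from OpenXPKI or sscep), the following pure-Python checker walks the DER-encoded subject of the CSR posted in the sscep output above and reports, for each attribute, the ASN.1 string tag and whether the value bytes are actually consistent with that tag. This is the kind of inconsistency Martin describes for the ST attribute of the earlier CSR: a value tagged UTF8String whose bytes are not valid UTF-8. The CSR below is the one from this message; the ATTR_NAMES table, the make_name helper and the BROKEN_NAME sample (a Latin-1 encoded "Thüringen" tagged as UTF8String) are constructed here for illustration.

```python
import base64

# The CSR from the sscep "request data dump" in this message (page data, not constructed).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIClzCCAX8CAQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5iZXJn
MRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhhZjAw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCowncKGWtoWCmFi0IEjDkU
xi2wIiW+AZ5zoveyw9i7oq+ovlVgSvNc7im8fd1Tzud9GUJa+DCx/HXzeVLRfGSQ
m91F3nmlGNWLTI6qaa6WUlKTl3ZBxXqw/e1P6LvWGZDXw0CYc1oED7CFPOt9i5of
DTXBXvPjJBk6TRhi4Eek141bqMjKdk+Mp4hB6RityRI0uHnnNqiL1j9M+ba3zJ3K
Du2yv9joWAc4LI+R5Fog42frEc0/RoKGsbJ+8U/1iUZdktZQQ8EOFiD9j/eDS2ao
TKnCuXUQ20IVRiWa7YTPGCydOqy96QcMaq8zFxNaUXbYCVvw5flXtVweSYM6wPzv
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAXk/HvaBiTM7iEaP7Zf/GoxLOAEQw
tSLSQM/a313nKq2gg2WQmiYScHWWBNxCBqxotFBUJRp38L7arvzwFUzTUKsvxCSF
TQ/rmNLukqkyBXrSaI5w1sidNBspXmBYS8bCI0rZiHav3/D5A93xep6864pZFQJe
CZt58Uea1j1LpGeWC2A/r/1wQyXqr80HmxMij8pOHjKGpvSNZbZSzSzneLyasL1f
5jZL+7LM+i5AYdlkynnUJ8yGWoTnYpy+jbDTAJ7R7OBLYHkJQ81D7QKHNx9fjBa4
D5e3/KmF7UD/PT0usBUmvqQ/tU9tQ8QkXa1tl61IsoWFNLMFZIeXjRJNFA==
-----END CERTIFICATE REQUEST-----"""

# Constructed lookup table of the subject attribute OIDs we care about (illustration only).
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC"}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value_bytes, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def check_string(tag, raw):
    """Return (text, problem) for a DirectoryString value; problem is None if bytes match the tag."""
    if tag == 0x0C:                         # UTF8String: bytes must be strict UTF-8
        try:
            return raw.decode("utf-8", "strict"), None
        except UnicodeDecodeError:
            return raw.decode("latin-1"), "tagged UTF8String but bytes are not valid UTF-8"
    if tag == 0x13:                         # PrintableString: restricted ASCII repertoire
        text = raw.decode("latin-1")
        bad = [c for c in text if c not in PRINTABLE]
        return text, ("PrintableString contains %r" % bad if bad else None)
    if tag == 0x16:                         # IA5String: 7-bit ASCII
        try:
            return raw.decode("ascii"), None
        except UnicodeDecodeError:
            return raw.decode("latin-1"), "tagged IA5String but contains non-ASCII bytes"
    if tag == 0x1E:                         # BMPString: UTF-16-BE
        return raw.decode("utf-16-be"), None
    if tag == 0x14:                         # TeletexString: legacy, charset is ambiguous
        return raw.decode("latin-1"), "TeletexString (legacy encoding, avoid)"
    return raw.hex(), "unexpected string tag 0x%02x" % tag


def parse_name(name_tlv):
    """Walk a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value}); return [(attr, tag, text, problem)]."""
    tag, body, _ = read_tlv(name_tlv, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)   # RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)    # AttributeTypeAndValue (SEQUENCE)
            _, oid_raw, q = read_tlv(atv, 0)
            vtag, vraw, _ = read_tlv(atv, q)
            text, problem = check_string(vtag, vraw)
            out.append((ATTR_NAMES.get(decode_oid(oid_raw), decode_oid(oid_raw)), vtag, text, problem))
    return out


def csr_subject(pem):
    """Extract the subject Name TLV from a PKCS#10 CSR and parse it."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cr, _ = read_tlv(der, 0)             # CertificationRequest
    _, cri, _ = read_tlv(cr, 0)             # CertificationRequestInfo
    _, _, pos = read_tlv(cri, 0)            # version INTEGER
    _, _, end = read_tlv(cri, pos)          # subject Name
    return parse_name(cri[pos:end])


def render_subject(attrs):
    """RFC 4514 style string, most specific RDN first (the order OpenXPKI logs it in)."""
    return ",".join("%s=%s" % (a, t) for a, _, t, _ in reversed(attrs))


def problems(attrs):
    return ["%s: %s" % (a, p) for a, _, _, p in attrs if p]


def der(tag, content):
    """Minimal DER encoder for short contents; only used to build the constructed bad sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def make_name(parts):
    """Build a DER Name from [(attr, string_tag, raw_value_bytes)] (constructed helper)."""
    oids = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
            "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oids[a]) + der(t, raw))) for a, t, raw in parts))


# Constructed sample of the defect Martin describes: ST is tagged UTF8String (0x0C) but the
# bytes are ISO-8859-1 ("Th\xfcringen"), so the value is not valid UTF-8.
BROKEN_NAME = make_name([("C", 0x13, b"DE"), ("ST", 0x0C, b"Th\xfcringen"), ("CN", 0x0C, b"example")])

if __name__ == "__main__":
    for label, attrs in (("CSR from this message", csr_subject(CSR_PEM)), ("constructed sample", parse_name(BROKEN_NAME))):
        print(label, "->", render_subject(attrs), problems(attrs) or "OK")
```

The same tags can be inspected with stock OpenSSL: `openssl asn1parse -in csr.pem -i` shows each subject value with its ASN.1 type (UTF8STRING, PRINTABLESTRING, ...), and `openssl req -in csr.pem -noout -subject -nameopt RFC2253` prints the subject the way a server would render it for comparison; a value that asn1parse shows as UTF8STRING but that does not decode as UTF-8 is exactly the mismatch that makes two renderings of the "same" subject compare unequal.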
