Hi, something I have seen just now. After receiving the certificate sscep complains (correctly) about the following:
....
sscep: PKCS#7 payload size: 1927 bytes
write_local_cert(): found 1 cert(s)
sscep: found certificate with
  subject: '/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0'
  issuer: /CN=example-corp 2018-10 Issuing-CA
  request_subject: '/DC=Test Deployment.OpenXPKI.org/CN=c0e6458188af0'
X509_NAME_cmp() workaround: strcmp request subject (/DC=Test Deployment.OpenXPKI.org/CN=c0e6458188af0) to cert subject (/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0)
*sscep: Subject of our request does not match that of the returned Certificate!*
sscep: certificate written as /tmp/scep/scep-test.crt

On Tue, 16 Oct 2018 at 18:54, Martin Krämer <[email protected]> wrote:

> Hi Martin,
>
> wow fast reply. :)
>
> First I want to say I found another very interesting thing.
> (Not changed "allow_anon_enroll=1" yet)
> If I change the subject within the CSR to: "CN=<myhost>,DC=Test
> Deployment.openxpki.org" my request gets stuck on "pending".
> Then I have the possibility to "Reject Request" in red button & "Reject
> Request" in green button.
> After I have done the "Reject Request" with green button, I can now
> "Approve Request".
> Then my SSCEP client correctly receives the certificate.
> (Here are some screenshots: https://imgur.com/a/FaJTwju )
>
> Maybe you can explain to me WHY changing the subject to the one above is
> required? :)
>
> Now based on your instructions I changed "allow_anon_enroll = 1" & I
> changed the subject like described above.
> The workflow stops again in status "pending".
> I have now directly the possibility to select "Approve Request" (without
> previous "Reject Request").
> Then my SSCEP client correctly receives the certificate.
>
> Now based on another mailing list entry I have read some days ago (
> https://sourceforge.net/p/openxpki/mailman/message/34705147/ )
> I additionally changed: scep.SERVERNAME.eligible.initial.value = 1
> Now the certificate gets enrolled fully automatic.
> :):):):)
> Of course I will have to change the eligible check using a connector to
> something more useful later :)
>
> PS: Maybe some side note - between all of the three tests above I have
> reset my openxpki virtual server machine using a snapshot.
> I know that scep.SERVERNAME.policy.max_active_certs = 1 is set and wanted
> to prevent errors/ different behaviour due to this.
> Of course this is something that I further need to test...
>
> Kind Regards
>
> Martin
>
> On Tue, 16 Oct 2018 at 18:00, Martin Bartosch <[email protected]> wrote:
>
>> Hi,
>>
>> Yes, I was about to ask for the context. The context and the WF history
>> really help understanding what is going on in the system.
>>
>> Your context shows that your configuration does not allow anonymous
>> enrollment (p_allow_anon_enroll = 0).
>>
>> In your config set
>>
>> scep.SERVERNAME.policy.allow_anon_enroll = 1
>>
>> and retry.
>>
>> Cheers
>>
>> Martin
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
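Added example, not part of the original message and not sscep or OpenXPKI code: a component-wise comparison of the two subject strings from the sscep log above, which separates a difference that is only a dotted DC value split into single DC components from a genuinely different subject. That the issued subject is the split form of the requested one is an inference from the two strings in the log; the function names are hypothetical, and the parser assumes no value contains '/'.

```python
# DN strings copied from the sscep log in this message.
REQUEST = "/DC=Test Deployment.OpenXPKI.org/CN=c0e6458188af0"
ISSUED = "/DC=org/DC=OpenXPKI/DC=Test Deployment/CN=c0e6458188af0"


def parse_oneline(dn):
    """Split an OpenSSL 'oneline' DN into (type, value) pairs.

    Assumption: no value contains '/' or an escaped separator.
    """
    rdns = []
    for part in dn.strip().lstrip("/").split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.upper(), value))
    return rdns


def expand_dotted_dc(rdns):
    """Assumed normalisation: DC=a.b.c becomes DC=c, DC=b, DC=a."""
    out = []
    for attr, value in rdns:
        if attr == "DC" and "." in value:
            out.extend(("DC", label) for label in reversed(value.split(".")))
        else:
            out.append((attr, value))
    return out


def classify(request_dn, cert_dn):
    """Return 'match', 'dc-expanded' or 'mismatch' for two DN strings."""
    req, cert = parse_oneline(request_dn), parse_oneline(cert_dn)
    if req == cert:
        return "match"
    # Values are compared case-sensitively, like the strcmp in the log.
    if expand_dotted_dc(req) == expand_dotted_dc(cert):
        return "dc-expanded"
    # Any other difference (for example another CN) stays a hard failure.
    return "mismatch"


if __name__ == "__main__":
    print(classify(REQUEST, ISSUED))
```

A result of 'mismatch' means the returned certificate names a different subject than the one requested and should not be installed automatically.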
