Hi,

> I followed the instructions at
> https://openxpki.readthedocs.io/en/latest/quickstart.html to set up a test
> server configuration and can log in, etc. I built an sscep client to test the
> SCEP service. Everything appears to work OK up to the last stage.
>
> For the last stage,
>
> sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
>     -k tmp/scep-test.key -r tmp/scep-test.csr \
>     -c tmp/cacert-0 \
>     -l tmp/scep-test.crt \
>     -t 10 -n 1
>
> I get the following error:
>
> sscep: sending certificate request
> sscep: valid response from server
> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
> sscep: pkistatus: FAILURE
> sscep: reason: Transaction not permitted or supported

The command you use tries to perform an anonymous initial enrollment against the SCEP server. The OpenXPKI team believes that certificate enrollment should be both authenticated and authorized, hence anonymous SCEP initial enrollment is disabled by default.

If you wish to allow this, set

    scep.SERVER.policy.allow_anon_enroll: 1

in your configuration. You should consider the security implications for production deployments.

Cheers

Martin
