Hi Oliver
The log gave me the right hint, I forgot to install the openca-tools!
Sorry for this...
Now I get this in the scep-log which looks way better ;-)
2019/07/16 08:17:54 INFO:2402 Incoming request from 192.168.0.1 with GetCACert
2019/07/16 08:17:54 DEBUG:2402 Response send
2019/07/16 08:17:54 INFO:2402 Incoming request from 192.168.0.1 with PKIOperation
2019/07/16 08:17:59 DEBUG:2402 Response send
openxpki.log shows nothing.
catchall.log shows:
2019/07/16 08:43:12 openxpki.application.INFO SCEP incoming request, id 5256F14B11407EF53F403E6EF809215F [pid=2813|sid=CZwT|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:12 openxpki.application.INFO SCEP try to start new workflow for 5256F14B11407EF53F403E6EF809215F [pid=2813|sid=CZwT|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:13 openxpki.application.INFO Rendering subject: CN=192.168.0.1,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2813|sid=CZwT|wftype=certificate_enroll|wfid=29695|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:13 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2813|sid=CZwT|wftype=certificate_enroll|wfid=29695|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:13 openxpki.application.INFO Trusted Signer not found in trust list ([email protected],CN=192.168.0.1,OU=Test,O=Test GmbH,L=Test,ST=Test,C=DE). [pid=2813|sid=CZwT|wftype=certificate_enroll|wfid=29695|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:13 openxpki.application.INFO SCEP started new workflow with id 29695, state FAILURE [pid=2813|sid=CZwT|sceptid=5256F14B11407EF53F403E6EF809215F]
2019/07/16 08:43:13 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2813|sid=CZwT|sceptid=5256F14B11407EF53F403E6EF809215F]
Can you point me to the right direction? I think I need to edit the
workflow, but how to add trusted signer?
My scep-server-1.yaml in realm "ca-one" shows this in authorized-signer
section, do I have to edit this?
authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:scepclient,.*
    rule2:
        # Full DN
        subject: CN=.+:pkiclient,.*
Regards
Stefan
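
Added example, not part of Stefan's message and not OpenXPKI's own code: a small Python check that pulls the signer DN out of the "not found in trust list" log entry and tests it against the two authorized_signer subject rules quoted above. It assumes each subject value is a regular expression that must match the whole signer DN, case-insensitively; the sample log line is constructed from the one in the message with the obscured e-mail component left out, and fw01.example.org is a hypothetical name.

```python
import re

# Rules as quoted from scep-server-1.yaml in the message above.
AUTHORIZED_SIGNER = {
    "rule1": {"subject": r"CN=.+:scepclient,.*"},
    "rule2": {"subject": r"CN=.+:pkiclient,.*"},
}

# Constructed sample: the catchall.log entry from the message, joined onto one
# line, with the obscured e-mail component of the DN left out.
SAMPLE_LOG = (
    "2019/07/16 08:43:13 openxpki.application.INFO Trusted Signer not found "
    "in trust list (CN=192.168.0.1,OU=Test,O=Test GmbH,L=Test,ST=Test,C=DE). "
    "[pid=2813|sid=CZwT|wftype=certificate_enroll|wfid=29695]"
)

SIGNER_RE = re.compile(r"Trusted Signer not found in trust list \((.+?)\)\.")


def signer_from_log(line):
    """Extract the signer DN from a 'not found in trust list' log entry."""
    m = SIGNER_RE.search(line)
    return m.group(1) if m else None


def matching_rules(signer_subject, rules=AUTHORIZED_SIGNER):
    """Return the names of rules whose subject pattern matches the DN.

    Assumption: each 'subject' value is a regular expression that has to
    match the whole signer DN, compared case-insensitively.
    """
    hits = []
    for name, rule in sorted(rules.items()):
        pattern = rule.get("subject")
        if pattern and re.fullmatch(pattern, signer_subject, re.IGNORECASE):
            hits.append(name)
    return hits


if __name__ == "__main__":
    dn = signer_from_log(SAMPLE_LOG)
    print(dn, "->", matching_rules(dn) or "no rule matches")
    # Hypothetical signer name that follows the rule1 naming convention.
    ok = "CN=fw01.example.org:scepclient,DC=Test Deployment,DC=OpenXPKI,DC=org"
    print(ok, "->", matching_rules(ok))
```

The check covers only the subject rules; the "Trusted Signer chain validation FAILED" entry in the same log is a separate condition that it does not evaluate.
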
On 16.07.19 at 06:53, Oliver Welter wrote:
Hi Stefan,
can you please have a look at the openxpki.log - an empty SCEP response
indicates that something really went wrong...
Oliver
On 15.07.19 at 18:02, Stefan wrote:
Hello
I am completely new with openxpki and scep.
I already setup the openxpki server and I am able to sign certificates
over the Web-GUI.
Now I would like to implement scep.
I followed this section:
https://openxpki.readthedocs.io/en/latest/subsystems/scep.html
If I generate a certificate on a fortigate with scep, I get this in the
scep log:
2019/07/15 17:49:56 INFO:1643 Incoming request from 192.168.0.1 with GetCACert
2019/07/15 17:49:56 DEBUG:1643 Response send
2019/07/15 17:49:56 INFO:1643 Incoming request from 192.168.0.1 with PKIOperation
2019/07/15 17:49:57 ERROR:1643 SCEP response is empty
Now, I am stuck.
What do I have to configure and what items are necessary to enter on the
fortigate and on the scep server?
The fortigate wants a challenge password, with which password does this
correspond on openxpki?
Are there any examples?
My idea is to generate a certificate on the fortigate, approve this
request on the Web-GUI of openxpki and then the fortigate gets the
certificate automatically.
Many thanks for any help/hints.
Regards
Stefan
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users