Hi everyone.
I was able to get OpenXPKI working fine, except the SCEP enrollment with a Cisco ASA. With other routers (MikroTik) or the sscep client it is working just fine. With the Cisco ASA it ends with the message "Trusted Signer not found in trust list". It doesn't matter if I comment out the whole authorized_signer section, allow anon_enroll etc., as the next step in the flow is every time: action enroll_set_mode_onbehalf.

Debug log, successful with MikroTik:

2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ / SCmQGyiWmF3Rp2katVVR2wqbn2I [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule1/CN=.*mikenopa.com.* [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer not found in trust list (CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ). [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Execute action enroll_set_mode_initial [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]

Unsuccessful with the Cisco ASA:

2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com / pr0xb8evy_hME7__2f5ODZarJxA [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule3/1.2.840.113549.1.9.2=.*mikenopa.com.* [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer not found in trust list (1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com). [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Execute action enroll_set_mode_onbehalf [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]

My guess is that the Cisco ASA is sending the csr_subject CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ OK, but the signer_subject 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com is not a CN but ISO 1.2.840.113549.1.9.2, which is unstructuredName. Any idea how to override this issue, or is it a known bug?
Workflow in the attachments.

Best regards,
Tomas Benda
Research and Development, Mikenopa
Workflow Context #17407

cert_profile: I18N_OPENXPKI_PROFILE_MIKENOPA_SCEP
cert_subject: CN=CZPRGLAB-FW1,DC=Mikenopa,DC=com
cert_subject_parts:
    C: CZ
    CN: CZPRGLAB-FW1
    L: Prague
    O: Mikenopa a.s.
    OU: IT
    ST: Czechia
cert_subject_style: enroll
creator: generic
csr_digest_alg: sha1
csr_key_alg: rsa
csr_key_params:
    key_length: 2048
csr_subject: CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ
csr_subject_key_identifier: 66:42:F6:3D:AB:EB:4B:8C:69:59:3A:43:46:22:24:B4:36:B8:5A:82
error_code: Requester is not in authorized signer list.
interface: scep
p_allow_anon_enroll: 1
p_allow_eligibility_recheck: 1
p_allow_man_approv: 1
p_allow_man_authen: )
p_allow_replace: 1
p_approval_points: 0
p_auto_revoke_existing_certs: 1
p_max_active_certs: 10
pkcs10:
-----BEGIN CERTIFICATE REQUEST-----
MIIC5zCCAc8CAQAwbDELMAkGA1UEBhMCQ1oxEDAOBgNVBAgTB0N6ZWNoaWExDzAN
BgNVBAcTBlByYWd1ZTEWMBQGA1UEChMNTWlrZW5vcGEgYS5zLjELMAkGA1UECxMC
SVQxFTATBgNVBAMTDENaUFJHTEFCLUZXMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAPRoJ24+XzSxxNlBDjGJUEI8pReToZ6cuvhsVCgpOay8bPzTbK30
907l4rbS/BTtXkUXFOWpX+f+2SWPtxk499zNTWTFM5W+JvhYe8amnOfvTrgca81H
pDkZmTBXoinPb0lU4XcUvKAvq9LsHOAecaoVsAQ1Zry2b5rZ/4PuDqI3tMuSvdp/
o40U0nOPUYhhfKFdedg8X7ygBJxCVOG+z8IIwa9Nd4S+yu8XSAa1BGyNT+sNF0kX
5774qpHv0vCBO2Kujm0mScajs7V+b4axDrCW4Xd+zkIVeY6vXqyqWO4dnhfGAp99
5NhJ2NFyob3BiU5/9AEt4s9ysmV4LSHP4cMCAwEAAaA2MBMGCSqGSIb3DQEJBzEG
EwRqb2pvMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3
DQEBBQUAA4IBAQAk8tU3baeMGfHn9FVsi+zbMgkqQAQo1sNaFu8YSfJI6AKWdfif
6LbhcJ8txb5PN05x1kl6pv0kvXx3oLGPwRWRUVoPnIyPchqy53P+zwVHMuhg0OKN
s9CMIYqxowXvFZ9/aduGoPy4ik/y5gCKg509inWMTbyVGu/PkpyVWA70LvNuE9W3
dr0wNW6LQBlvBrmF3B7BxX8Rr8UJj87ukopy3Py9OgqPdS5XEGM4ZDPUb4m+RG0g
PwHqMjOvtShZrFRPi8yoY8H5SqrTa9vnvDqz2/qndI6c01ST1YkBhGjNcW6nNymU
ikVgrarA4cqV71WaZqI6OlW41foqBNzM+LBV
-----END CERTIFICATE REQUEST-----
req_attributes:
    challengePassword: jojo
request_mode: initial
server: generic
signer_authorized: 0
signer_cert:
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIgZGFmZjRiMGE3NjRhNjVjYmEyMmYwMzA5MWUxM2QxYzIw
DQYJKoZIhvcNAQELBQAwKjEoMCYGCSqGSIb3DQEJAhYZQ1pQUkdMQUItRlcxLm1p
a2Vub3BhLmNvbTAeFw0xOTA4MDUyMjM1NDhaFw0yOTA4MDIyMjM1NDhaMCoxKDAm
BgkqhkiG9w0BCQIWGUNaUFJHTEFCLUZXMS5taWtlbm9wYS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0aCduPl80scTZQQ4xiVBCPKUXk6GenLr4
bFQoKTmsvGz802yt9PdO5eK20vwU7V5FFxTlqV/n/tklj7cZOPfczU1kxTOVvib4
WHvGppzn7064HGvNR6Q5GZkwV6Ipz29JVOF3FLygL6vS7BzgHnGqFbAENWa8tm+a
2f+D7g6iN7TLkr3af6ONFNJzj1GIYXyhXXnYPF+8oAScQlThvs/CCMGvTXeEvsrv
F0gGtQRsjU/rDRdJF+e++KqR79LwgTtiro5tJknGo7O1fm+GsQ6wluF3fs5CFXmO
r16sqljuHZ4XxgKffeTYSdjRcqG9wYlOf/QBLeLPcrJleC0hz+HDAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBAATvMHSKotJCAOYaBjBmZ8d8f/K/uW2qXN6CsxiefxmC
2EgMaFi9NQUSeuaZ3WpH3iM7jb6z4AcrYfeJAPvp+kAtE6Cvn67bIkc70OuDeL0H
ot2BXzsiwS1GMV9IiwA7u3Qsf2ZlrEdcRQBbQeI5PtR1SJf4iQJfqowY1oHqykji
vHO9evtX2+GGwzgwaaZFXSZ4oTPrWIPoqWoAWqYBIrZkfBjev+hKFHjeUrjMDYF/
jxXWrT5EChpB+4Uww5xWpkDWh6KBNH3RhNfYXjXz4DCaHgxsXCwbUV7CqQE1N/Lt
odY1UJZoMLhiqTnV7hNmFB404+xpX4MG9VxtiAmF0XY=
-----END CERTIFICATE-----
signer_in_current_realm: 0
signer_revoked: 0
signer_subject: 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com
signer_subject_key_identifier: 66:42:F6:3D:AB:EB:4B:8C:69:59:3A:43:46:22:24:B4:36:B8:5A:82
signer_trusted: 0
signer_validity_ok: 0
sources:
    _url_params: api
    cert_subject_alt_name: PROFILE
    cert_subject_parts: PKCS10
    interface: api
    pkcs10: api
    req_attributes: PKCS10
    req_extensions: PKCS10
    server: api
    signer_cert: api
    transaction_id: api
transaction_id: DAFF4B0A764A65CBA22F03091E13D1C2
url_remote_addr: 1.1.1.1
wf_current_action: global_set_error_signer_not_authorized
workflow_id: 17407
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
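Added example, not part of the original post and not OpenXPKI code: a small standard-library Python script that decodes the signer_cert from the workflow context above with a minimal DER walker and reports the two things a trust decision on the SCEP signer actually sees. First, the attribute types present in the subject: the ASA's self-signed signer certificate carries a single PKCS#9 unstructuredName (OID 1.2.840.113549.1.9.2) and no CN at all, which confirms the guess in the post, so any rule can only match on that attribute. Second, the validity window against the logged time: notBefore decodes to 2019-08-05 22:35:48Z while the failing attempt was logged at 2019/08/05 16:02:20, so at that moment the certificate was not yet valid. That matches signer_validity_ok 0 in the context and is a second, independent reason the signer cannot be trusted, typically a clock problem on the device or the server. The post does not say which timezone the server logs in; Prague local time (CEST, UTC+2) is assumed here, and the OID short names and the decoder itself are this example's own, not OpenXPKI's.

```python
import base64
import datetime

# signer_cert value copied from the posted workflow context.
SIGNER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIgZGFmZjRiMGE3NjRhNjVjYmEyMmYwMzA5MWUxM2QxYzIw
DQYJKoZIhvcNAQELBQAwKjEoMCYGCSqGSIb3DQEJAhYZQ1pQUkdMQUItRlcxLm1p
a2Vub3BhLmNvbTAeFw0xOTA4MDUyMjM1NDhaFw0yOTA4MDIyMjM1NDhaMCoxKDAm
BgkqhkiG9w0BCQIWGUNaUFJHTEFCLUZXMS5taWtlbm9wYS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0aCduPl80scTZQQ4xiVBCPKUXk6GenLr4
bFQoKTmsvGz802yt9PdO5eK20vwU7V5FFxTlqV/n/tklj7cZOPfczU1kxTOVvib4
WHvGppzn7064HGvNR6Q5GZkwV6Ipz29JVOF3FLygL6vS7BzgHnGqFbAENWa8tm+a
2f+D7g6iN7TLkr3af6ONFNJzj1GIYXyhXXnYPF+8oAScQlThvs/CCMGvTXeEvsrv
F0gGtQRsjU/rDRdJF+e++KqR79LwgTtiro5tJknGo7O1fm+GsQ6wluF3fs5CFXmO
r16sqljuHZ4XxgKffeTYSdjRcqG9wYlOf/QBLeLPcrJleC0hz+HDAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBAATvMHSKotJCAOYaBjBmZ8d8f/K/uW2qXN6CsxiefxmC
2EgMaFi9NQUSeuaZ3WpH3iM7jb6z4AcrYfeJAPvp+kAtE6Cvn67bIkc70OuDeL0H
ot2BXzsiwS1GMV9IiwA7u3Qsf2ZlrEdcRQBbQeI5PtR1SJf4iQJfqowY1oHqykji
vHO9evtX2+GGwzgwaaZFXSZ4oTPrWIPoqWoAWqYBIrZkfBjev+hKFHjeUrjMDYF/
jxXWrT5EChpB+4Uww5xWpkDWh6KBNH3RhNfYXjXz4DCaHgxsXCwbUV7CqQE1N/Lt
odY1UJZoMLhiqTnV7hNmFB404+xpX4MG9VxtiAmF0XY=
-----END CERTIFICATE-----"""

# "2019/08/05 16:02:20" from the failing log; server timezone not stated, Prague (CEST, UTC+2) assumed.
LOG_TIME = datetime.datetime(2019, 8, 5, 16, 2, 20,
                             tzinfo=datetime.timezone(datetime.timedelta(hours=2)))

# Short names for common attribute types; anything else (PKCS#9 unstructuredName included)
# is rendered as a dotted OID, which is also how OpenXPKI showed signer_subject in the post.
OID_SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
                   "2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC"}
OID_CN = "2.5.4.3"

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted-decimal string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(content):
    """X.501 Name content (SEQUENCE OF SET OF AttributeTypeAndValue) -> [(oid, text)]."""
    attrs, pos = [], 0
    while pos < len(content):
        _, rdn, pos = read_tlv(content, pos)             # one RelativeDistinguishedName (SET)
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)           # AttributeTypeAndValue (SEQUENCE)
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            text = value.decode("utf-16-be" if vtag == 0x1E else "utf-8")  # BMPString, else ASCII/UTF-8
            attrs.append((decode_oid(oid), text))
    return attrs

def parse_time(tag, content):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) -> aware UTC datetime."""
    s = content.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=datetime.timezone.utc)

def parse_certificate(pem):
    """Issuer, subject and validity window of a PEM-encoded X.509 certificate."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(b64), 0)      # Certificate
    _, tbs, _ = read_tlv(cert, 0)                        # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)                       # [0] EXPLICIT version (absent in v1)
    if tag != 0xA0:
        pos = 0
    for _ in range(2):                                   # serialNumber, signature AlgorithmIdentifier
        _, _, pos = read_tlv(tbs, pos)
    _, issuer, pos = read_tlv(tbs, pos)                  # issuer Name
    _, validity, pos = read_tlv(tbs, pos)                # validity SEQUENCE { notBefore, notAfter }
    _, subject, _ = read_tlv(tbs, pos)                   # subject Name
    nb_tag, nb, vpos = read_tlv(validity, 0)
    na_tag, na, _ = read_tlv(validity, vpos)
    return {"issuer": parse_name(issuer), "subject": parse_name(subject),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

def signer_checks(pem, at):
    """What a trust / authorized_signer decision on the SCEP signer certificate sees."""
    info = parse_certificate(pem)
    subject = info["subject"]
    return {"subject_dn": ",".join(f"{OID_SHORT_NAMES.get(o, o)}={v}" for o, v in subject),
            "has_cn": any(o == OID_CN for o, _ in subject),
            "self_signed": subject == info["issuer"],
            "not_before": info["not_before"].isoformat(),
            "not_after": info["not_after"].isoformat(),
            "valid_at_log_time": info["not_before"] <= at <= info["not_after"]}

if __name__ == "__main__":
    print(signer_checks(SIGNER_CERT_PEM, LOG_TIME))
```

Running it prints subject_dn as 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com with has_cn False, self_signed True and valid_at_log_time False. The same walker works on any PEM certificate, so it can be pointed at a MikroTik or sscep signer certificate to compare what each client actually puts in its subject before writing matching rules.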
