Hi Tomas, this is a known problem with some Cisco SCEP implementations - the default workflow shipped with OpenXPKI expects that the DN of the CSR and the self-signed SCEP "authentication" certificate match. As you already pointed out this is not the case with your request.
If you do not need on-behalf enrollment you can just rework the workflow so it always goes into the INITIAL mode.

Oliver

On 06.08.19 at 12:47, Tomas Benda wrote:
> Hi everyone.
>
> I was able to get OpenXPKI working fine, except the SCEP enrollment with Cisco ASA. With other routers (mikrotik) or the sscep client it's working just fine.
>
> With Cisco ASA it ends with the message: *Trusted Signer not found in trust list.*
>
> It doesn't matter if I comment out the whole *authorized_signer* section, allow *anon_enroll* etc., as the next step in the flow is every time: *action enroll_set_mode_onbehalf*
>
> debug log:
>
> *successful* with mikrotik:
>
> 2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
> 2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ / SCmQGyiWmF3Rp2katVVR2wqbn2I [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
> 2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule1/CN=.*mikenopa.com.* [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
> 2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer not found in trust list (CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ). [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
> 2019/08/05 13:15:31 openxpki.application.DEBUG Execute action enroll_set_mode_initial [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
>
> *unsuccessful* with Cisco ASA:
>
> 2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
> 2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com / pr0xb8evy_hME7__2f5ODZarJxA [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
> 2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule3/1.2.840.113549.1.9.2=.*mikenopa.com.* [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
> 2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer not found in trust list (1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com). [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
> 2019/08/05 16:02:20 openxpki.application.DEBUG Execute action enroll_set_mode_onbehalf [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
>
> My guess is that Cisco ASA is sending
>
> csr_subject
> CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ
>
> ok, but
>
> signer_subject
> 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com
>
> is not CN, but ISO 1.2.840.113549.1.9.2 which is unstructuredName.
>
> Any idea how to override this issue, or is it a known bug?
>
> workflow in the attachments
>
> best regards
>
> --
> ------------------------------------------------------------------------
>
> Mikenopa <http://bit.ly/mikenopa>
>
> *Tomas Benda*
> Research and Development
>
> M: +420 724 619 013 | E: [email protected] <mailto:[email protected]>
> Rohanske nabrezi 671/15 | 186 00 | Prague 8 | Czech Republic
> www.mikenopa.com <http://bit.ly/mikenopa>
> Athens - Berlin - Brussels - Budapest - Copenhagen - Istanbul - London - Moscow - Oslo - Paris - Prague - Stockholm - Singapore
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
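The mode decision the thread is about, modelled as an added example (this is not OpenXPKI's own code or API): the CSR subject is compared with the subject of the self-signed SCEP signer certificate, a match means the device is enrolling itself (INITIAL), anything else is treated as on-behalf enrollment and then has to pass the trusted-signer check. The DN strings are taken from the log lines quoted above; the mikrotik CSR subject is assumed equal to its signer subject, and the `force_initial` switch is an assumed name that models Oliver's suggestion of reworking the workflow so it always uses INITIAL mode. The diagnostic function shows why the Cisco ASA request fails the shipped matching: its signer subject carries only unstructuredName (OID 1.2.840.113549.1.9.2) while the CSR carries a full CN-based DN.

```python
"""Added example (not OpenXPKI code): SCEP enrollment-mode decision by
comparing CSR subject and self-signed signer subject, as described in the
thread. DN sample values are constructed from the quoted log lines."""

import re

# Attribute type OIDs that show up numerically when a library has no short
# name for them. 1.2.840.113549.1.9.2 is PKCS#9 unstructuredName, which is
# what the Cisco ASA uses in its self-signed SCEP certificate in the log.
OID_NAMES = {
    "1.2.840.113549.1.9.2": "unstructuredName",
    "1.2.840.113549.1.9.1": "emailAddress",
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}
# Case-insensitive lookup of the short names themselves ("cn" -> "CN").
CANONICAL = {name.casefold(): name for name in OID_NAMES.values()}


def canonical_type(attr_type):
    """Map a numeric OID or a differently-cased short name to one spelling."""
    attr_type = attr_type.strip()
    if attr_type in OID_NAMES:
        return OID_NAMES[attr_type]
    return CANONICAL.get(attr_type.casefold(), attr_type)


def parse_dn(dn):
    """Split an RFC 4514-style DN string into an ordered list of (type, value).
    Commas escaped as '\\,' stay inside the value; the first '=' separates
    type from value so values may themselves contain '='."""
    rdns = []
    for raw in re.split(r"(?<!\\),", dn):
        if not raw.strip():
            continue
        attr_type, sep, value = raw.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {raw!r}")
        rdns.append((canonical_type(attr_type), value.replace("\\,", ",").strip()))
    return rdns


def dn_equal(a, b):
    """Strict match: same attribute types in the same order, values compared
    case-insensitively (X.520 string matching ignores case for these types)."""
    norm = lambda dn: [(t, v.casefold()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


def enrollment_mode(csr_subject, signer_subject, signer_self_signed, force_initial=False):
    """Return 'initial' or 'onbehalf' the way the thread describes the shipped
    workflow: a self-signed signer whose subject equals the CSR subject is the
    device enrolling itself; everything else is on-behalf and must then be
    found in the trusted-signer list. force_initial (assumed name) models a
    workflow reworked to always use INITIAL mode."""
    if force_initial:
        return "initial"
    if signer_self_signed and dn_equal(csr_subject, signer_subject):
        return "initial"
    return "onbehalf"


def mismatch_report(csr_subject, signer_subject):
    """Diagnostic for operators: which attribute types exist on only one side.
    For the ASA case the signer side has nothing but unstructuredName."""
    in_csr = {t for t, _ in parse_dn(csr_subject)}
    in_signer = {t for t, _ in parse_dn(signer_subject)}
    return {"only_in_csr": sorted(in_csr - in_signer),
            "only_in_signer": sorted(in_signer - in_csr)}


# Constructed sample inputs, taken from the DNs printed in the quoted log.
MIKROTIK_SIGNER = "CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ"
MIKROTIK_CSR = MIKROTIK_SIGNER  # assumed: the log does not print the mikrotik CSR subject
ASA_CSR = "CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ"
ASA_SIGNER = "1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com"

if __name__ == "__main__":
    print("mikrotik:", enrollment_mode(MIKROTIK_CSR, MIKROTIK_SIGNER, True))
    print("asa:     ", enrollment_mode(ASA_CSR, ASA_SIGNER, True))
    print("asa, forced initial:", enrollment_mode(ASA_CSR, ASA_SIGNER, True, force_initial=True))
    print("asa mismatch:", mismatch_report(ASA_CSR, ASA_SIGNER))
```

Note that `force_initial` removes the only link between the CSR and the key that signed the SCEP envelope, so it is only appropriate when no on-behalf enrollment is needed, exactly the condition Oliver names; with it set, authorization rests entirely on whatever the INITIAL branch of the workflow checks (challenge password, approval, and so on).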
