Sorry for the stupid question, I found it out easily. Thank you very much.
________________________________
[Mikenopa]<http://bit.ly/mikenopa>
Tomas Benda
Research and Development
M: +420 724 619 013 | E: [email protected]<mailto:[email protected]>
Rohanske nabrezi 671/15 | 186 00 | Prague 8 | Czech Republic
www.mikenopa.com<http://bit.ly/mikenopa>
Athens - Berlin - Brussels - Budapest - Copenhagen - Istanbul - London - Moscow - Oslo - Paris - Prague - Stockholm - Singapore
________________________________

On 8/6/19 10:14 PM, Tomas Benda wrote:

Hi Oliver,
any hint on reworking the workflow? Let's say I have no clue where to start.
thank you

On 8/6/19 2:54 PM, Oliver Welter wrote:

Hi Tomas,
this is a known problem with some Cisco SCEP implementations - the default workflow shipped with OpenXPKI expects that the DN of the CSR and the self-signed SCEP "authentication" certificate match. As you already pointed out, this is not the case with your request. If you do not need on-behalf enrollment you can just rework the workflow so it always goes into the INITIAL mode.

Oliver

On 06.08.19 at 12:47, Tomas Benda wrote:

Hi everyone.
I was able to get OpenXPKI working fine, except the SCEP enrollment with Cisco ASA. With other routers (Mikrotik) or the sscep client it's working just fine. With Cisco ASA it ends with the message:

Trusted Signer not found in trust list.

It doesn't matter if I comment out the whole authorized_signer section, allow anon_enroll etc., as the next step in the flow is every time:

action enroll_set_mode_onbehalf

debug log:

successful with Mikrotik:

2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ / SCmQGyiWmF3Rp2katVVR2wqbn2I [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule1/CN=.*mikenopa.com.* [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.INFO Trusted Signer not found in trust list (CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ). [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]
2019/08/05 13:15:31 openxpki.application.DEBUG Execute action enroll_set_mode_initial [pid=17418|sid=NYfJ|wftype=certificate_enroll|wfid=12799|sceptid=E75485DAC0150B95890F9A5B4624FE6D512779A907E9D14680D6620089D43670]

unsuccessful with Cisco ASA:

2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization unknown / global / 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com / pr0xb8evy_hME7__2f5ODZarJxA [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Trusted Signer Authorization matched subrule rule3/1.2.840.113549.1.9.2=.*mikenopa.com.* [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.INFO Trusted Signer not found in trust list (1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com). [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]
2019/08/05 16:02:20 openxpki.application.DEBUG Execute action enroll_set_mode_onbehalf [pid=17716|sid=dM2F|wftype=certificate_enroll|wfid=13823|sceptid=DAFF4B0A764A65CBA22F03091E13D1C2]

My guess is that Cisco ASA is sending csr_subject CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ ok, but signer_subject 1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com is not CN but ISO 1.2.840.113549.1.9.2, which is unstructuredName.
Any idea how to override this issue, or is it a known bug?

workflow in the attachments
best regards
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
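As an added illustration (not code from OpenXPKI, and not posted by anyone in this thread), the following Python models the two checks the thread turns on: an attribute-keyed signer rule like the rule3 match in the ASA log, and the CSR-DN-equals-signer-DN comparison that Oliver says the default workflow uses to choose between INITIAL and on-behalf enrollment. It is a stand-alone emulation with its own DN parser; the rule dictionary format, the function names and the force_initial switch are my assumptions, not OpenXPKI's configuration syntax or workflow code. The subject strings are the ones quoted in the messages above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Attribute types that appear in the signer subjects quoted in the thread. The ASA
# self-signed certificate carries its name as the raw OID for unstructuredName
# (1.2.840.113549.1.9.2) rather than as a CN, which is what the DN comparison trips over.
OID_NAMES = {
    "2.5.4.3": "CN",
    "1.2.840.113549.1.9.2": "unstructuredName",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.

    Commas escaped as '\\,' stay inside the value. Raw OIDs are mapped to their
    short names where known, so 'CN=x' and '2.5.4.3=x' compare equal.
    """
    pairs: List[Tuple[str, str]] = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        attr = attr.strip()
        pairs.append((OID_NAMES.get(attr, attr), value.strip().replace("\\,", ",")))
    return pairs


def dn_attr(dn: str, attr: str) -> Optional[str]:
    """Return the first value of one attribute type in a DN, or None if it is absent."""
    wanted = OID_NAMES.get(attr, attr)
    for name, value in parse_dn(dn):
        if name == wanted:
            return value
    return None


def rule_matches(signer_subject: str, rule: Dict[str, str]) -> bool:
    """Emulate an authorized_signer-style rule (assumed format: attribute -> regex).

    Every regex must match its subject attribute in full. An attribute missing from
    the subject fails the rule, so a CN-keyed rule cannot match a signer subject
    that carries only unstructuredName, while an OID-keyed rule can.
    """
    for attr, pattern in rule.items():
        value = dn_attr(signer_subject, attr)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def select_enroll_mode(csr_subject: str, signer_subject: str,
                       force_initial: bool = False) -> str:
    """Decide between initial and on-behalf enrollment as the thread describes.

    Identical CSR and self-signed signer DNs mean the device is enrolling for
    itself ('initial'); anything else is treated as a request made on behalf of
    another entity ('onbehalf'). force_initial models the rework Oliver suggests:
    always take the initial path, which gives up on-behalf enrollment entirely.
    """
    if force_initial:
        return "initial"
    if sorted(parse_dn(csr_subject)) == sorted(parse_dn(signer_subject)):
        return "initial"
    return "onbehalf"


# Constructed inputs, taken from the subject strings quoted in the thread.
CSR_SUBJECT_ASA = "CN=CZPRGLAB-FW1,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ"
SIGNER_SUBJECT_ASA = "1.2.840.113549.1.9.2=CZPRGLAB-FW1.mikenopa.com"
SIGNER_SUBJECT_MIKROTIK = "CN=cert111.mikenopa.com,OU=IT,O=Mikenopa a.s.,L=Prague,ST=Czechia,C=CZ"

if __name__ == "__main__":
    cn_rule = {"CN": r".*mikenopa\.com.*"}
    oid_rule = {"1.2.840.113549.1.9.2": r".*mikenopa\.com.*"}
    print("ASA signer vs CN rule:", rule_matches(SIGNER_SUBJECT_ASA, cn_rule))
    print("ASA signer vs OID rule:", rule_matches(SIGNER_SUBJECT_ASA, oid_rule))
    print("Mikrotik signer vs CN rule:", rule_matches(SIGNER_SUBJECT_MIKROTIK, cn_rule))
    print("ASA mode:", select_enroll_mode(CSR_SUBJECT_ASA, SIGNER_SUBJECT_ASA))
    print("ASA mode, forced:", select_enroll_mode(CSR_SUBJECT_ASA, SIGNER_SUBJECT_ASA, True))
```

Running it shows the ASA signer subject satisfying an unstructuredName-keyed rule while the same pattern keyed on CN fails, and the DN comparison landing in onbehalf because the CSR subject and the signer subject differ in every attribute. The force_initial path is the "always INITIAL" rework from Oliver's reply: it removes the check that distinguishes a device enrolling for itself from a registration authority enrolling for someone else, so it fits only deployments that do not rely on on-behalf enrollment.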
