Hi Oliver,

thanks for your answer. I opened the workflow on the UI and this is
the information I can see:

    Error Code           : Requester is not in authorized signer list.
    Certificate Subject  : CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE
    SCEP Endpoint        : generic
    Server Interface     : scep
    Certificate Profile  : TLS/Web Server
    Request Mode         : onbehalf
    Transaction ID       : B9E90613A28A3072642C13ADAC28DBFB
    Signer is Revoked    : No
    Signer is Trusted    : No
    Signer is Authorized : No
    Signer Validity ok   : Yes

And the workflow is in "FAILURE" state after this:

    Workflow Id : 21247
                  <https://cs-pki-brem-p/openxpki/#/openxpki/workflow!load!wf_id!21247>
    Type        : certificate_enroll
    Creator     : generic
    State       : FAILURE
    Action      : -
    Run State   : finished

The Technical Log shows:

    Timestamp                Priority  Message
    2020-03-12 08:39:07 UTC  INFO      Trusted Signer not found in trust list
                                       ([email protected],CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE).
                                       ([undef])
    2020-03-12 08:39:07 UTC  INFO      Trusted Signer chain - certificate is self signed ([undef])
    2020-03-12 08:39:07 UTC  INFO      Rendering subject:
                                       CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE
                                       ([undef])

Best regards,
Daniel
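
To see what "Signer is Trusted: No" and "certificate is self signed" mean in practice, here is an added shell example (not part of this thread and not OpenXPKI code) that checks a request signer certificate against a CA file the way a trust-list check does, using openssl. The CA name, the client key and both signer certificates are constructed inside the script; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: why a self-signed SCEP request signer cannot be "trusted".
# Everything below is constructed locally; openssl is assumed to be installed.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# A throwaway issuing CA, standing in for the chain fetched with "sscep getca"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -subj "/CN=Test Issuing CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# Client key and CSR, with the same kind of subject as in the thread
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=DE/ST=Hessen/L=MyCity/O=MyOrganization/OU=Infrastructure/CN=testclient.lan" \
  -keyout client.key -out client.csr >/dev/null 2>&1

# Case 1: a self-signed signer certificate (what an initial sscep enrollment
# signs the PKCS#7 request with when no existing certificate is supplied)
openssl x509 -req -in client.csr -signkey client.key -days 1 \
  -out selfsigned.crt >/dev/null 2>&1

# Case 2: the same key, but with a certificate issued by the CA (the kind of
# signer a renewal or an on-behalf enrollment presents)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out issued.crt >/dev/null 2>&1

# signer_trusted CERT TRUSTLIST
# Prints "trusted" if CERT builds a chain to a certificate in TRUSTLIST,
# "untrusted" otherwise. A self-signed signer never chains to the CA file.
signer_trusted() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "self-signed signer: $(signer_trusted selfsigned.crt ca.crt)"
echo "CA-issued signer:   $(signer_trusted issued.crt ca.crt)"
```

The first line prints "untrusted", which is the situation in the log above; the second prints "trusted", which is what a signer in the trust list looks like.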

On 12.03.20 at 08:11, Oliver Welter wrote:
> Hi Daniel,
>
> the "Signer not Trusted" is just an info and not the root cause of the
> FAILURE. Open the workflow on the UI and check for the error message
> there. The default settings should hold the workflow in PENDING for
> manual approval.
>
> Also see
> https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/scep.html
>
> Oliver
>
> On 11.03.20 at 13:00, Daniel Heitepriem wrote:
>> Hi everyone,
>>
>> I recently started playing around with OpenXPKI. Using the Quickstart
>> guide
>> (https://openxpki.readthedocs.io/en/latest/quickstart.html#debian-builds) and
>> the sampleconfig.sh script, I managed to setup an own 'testca' which
>> replaced the 'democa'. Issuing certificates via the web UI is working
>> fine, so now I tried to implement SCEP.
>>
>> Enabling the SCEP service and endpoints was working without any issues
>> (didn't have to adjust any config files for this so far), but I'm stuck
>> at the step where it says "Testing an enrollment" from the quickstart
>> guide. Here are my steps so far:
>>
>>  1. Get the CA-Certificates of 'testca' by issuing "./sscep getca -c
>>     tmp/cacert -u http://my-pki-host.lan/scep/scep"; which got me
>>       * cacert-0 (SCEP cert signed by 'Test Issuing CA' with content
>>         "Subject: CN = my-pki-host.lan:scep-ra")
>>       * cacert-1 (Test Issuing CA cert signed by 'Test Root CA')
>>       * cacert-2 (Test Root CA cert)
>>  2. Create a new CSR for a testclient "openssl req -new -keyout
>>     tmp/scep-test.key -out tmp/scep-test.csr -newkey rsa:2048 -nodes
>>     -subj "/C=DE/ST=Hessen/L=MyCity/O=My Organization/OU=Infrastructure/CN=testclient.lan/[email protected]"
>>     - No ChallengePassword is provided
>>  3. Enroll the request "sscep enroll -u http://my-pki-host.lan/scep/scep
>>     -c tmp/cacert-0 -k tmp/scep-test.key -r tmp/scep-test.csr -c
>>     tmp/scep-test.crt -t 10 -n 1"
>>
>> Step 3 fails with
>>
>>     sscep: pkistatus: FAILURE
>>     sscep: finding attribute failInfo
>>     sscep: allocating 1 bytes for attribute
>>     sscep: reason: Transaction not permitted or supported
>>
>> and in OpenXPKI workflows-Log I can see
>>
>>     2020/03/11 12:49:39 17663 Rendering subject:
>>     CN=testclient.lan,DC=organization,DC=com
>>     2020/03/11 12:49:39 17663 Trusted Signer chain - certificate is self
>>     signed
>>     2020/03/11 12:49:40 17663 Trusted Signer not found in trust list
>>     (E=my@email-address,CN=testclient.lan,OU=Infrastructure,O=My
>>     Organization,L=MyCity,ST=Hessen,C=DE).
>>
>> The SCEP certificate (cacert-0) is listed as an alias when querying the
>> tokens of my testca
>>
>>     sudo openxpkiadm alias --realm testca
>>     === functional token ===
>>     scep (scep):
>>       Alias     : scep-1
>>       Identifier: TrifLXXX
>>       NotBefore : 2020-03-03 15:15:33
>>       NotAfter  : 2021-03-03 15:15:33
>>
>> Can somebody shed some light as to how I can create a "Trusted Signer
>> chain" or how to enable anonymous enrollment for testing purposes? I
>> suppose this somehow has to be enabled in
>> "/etc/openxpki/config.d/realm/testca/scep/generic.yaml", right?
>>
>> Thanks and regards,
>> Daniel
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users