Hi Daniel,

this tells me that the request was not recognized as "self signed". Can you please open the "Context" view (button on the right when logged in as operator) and check what you see there as "csr_subject"?

If possible, can you send me either the CSR and the key or the exact line you used to generate the request? You can also try to leave out the eMail in the DN (it's deprecated anyway and we don't have this in our tests).

Oliver

On 12.03.20 at 09:45, Daniel Heitepriem wrote:
> Hi Oliver,
>
> thanks for your answer. I opened the workflow on the UI and this is
> the information I can see:
>
> Error Code
> Requester is not in authorized signer list.
> Certificate Subject
> CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE
> SCEP Endpoint
> generic
> Server Interface
> scep
> Certificate Profile
> TLS/Web Server
> Request Mode
> onbehalf
> Transaction ID
> B9E90613A28A3072642C13ADAC28DBFB
> Signer is Revoked
> No
> Signer is Trusted
> No
> Signer is Authorized
> No
> Signer Validity ok
> Yes
>
> And the workflow is in "FAILURE" state after this:
>
> Workflow Id
> 21247
> <https://cs-pki-brem-p/openxpki/#/openxpki/workflow!load!wf_id!21247>
> Type
> certificate_enroll
> Creator
> generic
> State
> FAILURE
> Action
> -
> Run State
> finished
>
> The Technical Log shows:
>
> Timestamp Priority Message
> 2020-03-12 08:39:07 UTC INFO Trusted Signer not found in trust list
> ([email protected],CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE). ([undef])
> 2020-03-12 08:39:07 UTC INFO Trusted Signer chain - certificate is self signed ([undef])
> 2020-03-12 08:39:07 UTC INFO Rendering subject:
> CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE ([undef])
>
> Best regards,
> Daniel
>
> On 12.03.20 at 08:11, Oliver Welter wrote:
>> Hi Daniel,
>>
>> the "Signer not Trusted" is just an info and not the root cause of the
>> FAILURE. Open the workflow on the UI and check for the error message
>> there. The default settings should hold the workflow in PENDING for
>> manual approval.
>>
>> Also see
>> https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/scep.html
>>
>> Oliver
>>
>> On 11.03.20 at 13:00, Daniel Heitepriem wrote:
>>> Hi everyone,
>>>
>>> I recently started playing around with OpenXPKI. Using the Quickstart
>>> guide (https://openxpki.readthedocs.io/en/latest/quickstart.html#debian-builds)
>>> and the sampleconfig.sh script, I managed to set up my own 'testca' which
>>> replaced the 'democa'. Issuing certificates via the web UI is working
>>> fine, so now I tried to implement SCEP.
>>>
>>> Enabling the SCEP service and endpoints was working without any issues
>>> (didn't have to adjust any config files for this so far), but I'm stuck
>>> at the step where it says "Testing an enrollment" in the quickstart
>>> guide. Here are my steps so far:
>>>
>>> 1. Get the CA certificates of 'testca' by issuing
>>>    "./sscep getca -c tmp/cacert -u http://my-pki-host.lan/scep/scep"
>>>    which got me
>>>    * cacert-0 (SCEP cert signed by 'Test Issuing CA' with content
>>>      "Subject: CN = my-pki-host.lan:scep-ra")
>>>    * cacert-1 (Test Issuing CA cert signed by 'Test Root CA')
>>>    * cacert-2 (Test Root CA cert)
>>> 2. Create a new CSR for a testclient:
>>>    "openssl req -new -keyout tmp/scep-test.key -out tmp/scep-test.csr
>>>    -newkey rsa:2048 -nodes -subj "/C=DE/ST=Hessen/L=MyCity/O=My
>>>    Organization/OU=Infrastructure/CN=testclient.lan/[email protected]"
>>>    - No ChallengePassword is provided
>>> 3. Enroll the request:
>>>    "sscep enroll -u http://my-pki-host.lan/scep/scep -c tmp/cacert-0
>>>    -k tmp/scep-test.key -r tmp/scep-test.csr -c tmp/scep-test.crt -t 10 -n 1"
>>>
>>> Step 3 fails with
>>>
>>> sscep: pkistatus: FAILURE
>>> sscep: finding attribute failInfo
>>> sscep: allocating 1 bytes for attribute
>>> sscep: reason: Transaction not permitted or supported
>>>
>>> and in the OpenXPKI workflows log I can see
>>>
>>> 2020/03/11 12:49:39 17663 Rendering subject: CN=testclient.lan,DC=organization,DC=com
>>> 2020/03/11 12:49:39 17663 Trusted Signer chain - certificate is self signed
>>> 2020/03/11 12:49:40 17663 Trusted Signer not found in trust list
>>> (E=my@email-address,CN=testclient.lan,OU=Infrastructure,O=My Organization,L=MyCity,ST=Hessen,C=DE).
>>>
>>> The SCEP certificate (cacert-0) is listed as an alias when querying the
>>> tokens of my testca:
>>>
>>> sudo openxpkiadm alias --realm testca
>>> === functional token ===
>>> scep (scep):
>>> Alias     : scep-1
>>> Identifier: TrifLXXX
>>> NotBefore : 2020-03-03 15:15:33
>>> NotAfter  : 2021-03-03 15:15:33
>>>
>>> Can somebody shed some light on how I can create a "Trusted Signer
>>> chain" or how to enable anonymous enrollment for testing purposes? I
>>> suppose this somehow has to be enabled in
>>> "/etc/openxpki/config.d/realm/testca/scep/generic.yaml", right?
>>>
>>> Thanks and regards,
>>> Daniel
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
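An added example, not from the thread and not OpenXPKI's or sscep's own code, that reproduces the check Oliver asks for: it builds the test CSR from the thread both with and without the emailAddress RDN, prints the subject in the RFC 2253 order the workflow's csr_subject uses, and confirms that a signer certificate built from the same key is self signed. The scratch directory, file names and the e-mail address are assumptions.

```shell
# Added example (not from the thread or OpenXPKI); file names and the
# scratch directory are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/scep-test.key"
# Subject from the thread, once with the eMail RDN as Daniel wrote it and
# once without it, as Oliver suggests trying (address is constructed).
DN_WITH_MAIL="/C=DE/ST=Hessen/L=MyCity/O=MyOrganization/OU=Infrastructure/CN=testclient.lan/emailAddress=daniel@example.invalid"
DN_NO_MAIL="/C=DE/ST=Hessen/L=MyCity/O=MyOrganization/OU=Infrastructure/CN=testclient.lan"

# make_csr <dn> <out.csr>: same openssl options Daniel used; the key is
# generated on the first call and reused for every later request.
make_csr() {
  if [ -f "$KEY" ]; then
    openssl req -new -key "$KEY" -subj "$1" -out "$2" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -subj "$1" -out "$2" 2>/dev/null
  fi
}

# csr_subject <csr>: the subject in RFC 2253 order, which is how the
# workflow's csr_subject and the "Rendering subject" log line show it.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# has_email_rdn <csr>: succeeds when the subject still carries an e-mail RDN.
has_email_rdn() {
  csr_subject "$1" | grep -qiE '(^|,)(emailAddress|E)='
}

# make_signer_cert <dn> <out.crt>: the self-signed certificate sscep builds
# from the request key to sign the SCEP PKCS#7 envelope.
make_signer_cert() {
  openssl req -x509 -new -key "$KEY" -subj "$1" -days 1 -out "$2" 2>/dev/null
}

# is_self_signed <crt>: OpenXPKI's "certificate is self signed" case, i.e.
# issuer name and subject name are identical.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

make_csr "$DN_WITH_MAIL" "$WORK/with-mail.csr"
make_csr "$DN_NO_MAIL" "$WORK/no-mail.csr"
make_signer_cert "$DN_NO_MAIL" "$WORK/signer.crt"
for f in with-mail no-mail; do
  echo "$f csr_subject: $(csr_subject "$WORK/$f.csr")"
done
if is_self_signed "$WORK/signer.crt"; then echo "signer certificate is self signed"; fi
```

The no-mail CSR prints exactly the subject the workflow showed Daniel, so a mismatch between this output and the "Context" view's csr_subject points at the request itself rather than at the signer checks.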
