Hi,
I’ve set up a POC OpenXPKI server to test SCEP with macOS. I’m running into a
“Trusted Signer not found in trust list” issue. I’ve gone through this mailing list
and found some posts saying that I can remove the authorized_signer rules, set
allow_anon_enroll: 1, and eligible: initial: 1. I’m still running into this
issue when I try to enroll.
Am I missing something?
Thank you kindly.
catchall.log error:
2020/08/07 14:07:49 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=1502|sid=4w4c]
2020/08/07 14:07:49 openxpki.application.INFO SCEP incoming request, id A18E6708F349D6D1E990851C1A09444ED5C75B16 [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO SCEP try to start new workflow for A18E6708F349D6D1E990851C1A09444ED5C75B16 [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Rendering subject: CN=test2,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer not found in trust list (C=US,CN=MDM SCEP SIGNER B8037F9D-5635-44B4-8A46-A086841BB8DD). [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO SCEP started new workflow with id 7935, state FAILURE [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
generic.yaml:
# By default, all scep endpoints will use the default token defined
# by the scep token group, if you pass a name here, it is considered
# a group name from the alias table
#token: scep-altra

# A renewal request is only accepted if the used certificate will
# expire within this period of time.
renewal_period: 000060

# If the request was a replacement, optionally revoke the replaced
# certificate after a grace period
revoke_on_replace:
    reason_code: keyCompromise
    delay_revocation_time: +000014

workflow:
    type: certificate_enroll
    param:
        # key: name in workflow context, value: parameter from scep wrapper
        # server and interface are always set, the mapping below is
        # the default set that is used when no map is given
        transaction_id: transaction_id
        signer_cert: signer_cert
        pkcs10: pkcs10
        _url_params: url_params
        #_pkcs7: pkcs7

authorized_signer:

policy:
    # Authentication Options
    # Initial requests need ONE authentication.
    # Activate Challenge Password and/or HMAC by setting the appropriate
    # options below.

    # if set requests can be authenticated by an operator
    allow_man_authen: 1

    # if set, no authentication is required at all and hmac/challenge is
    # not evaluated even if it is set/present in the request!
    allow_anon_enroll: 1

    # Approval
    # If not autoapproved, allow operator to add approval by hand
    allow_man_approv: 1

    # if the eligibility check failed the first time
    # show a button to run a recheck (Workflow goes to PENDING)
    allow_eligibility_recheck: 0

    # Approval points required (eligibility and operator count as one point each)
    # if you set this to "0", all authenticated requests are auto-approved!
    approval_points: 1

    # The number of active certs with the same subject that are allowed
    # to exist at the same time, deducted by one if a renewal is seen
    # set to 0 if you don't want to check for duplicates at all
    max_active_certs: 1

    # option will be removed
    # allow_expired_signer: 0

    # If an initial enrollment is seen
    # all existing certificates with the same subject are revoked
    auto_revoke_existing_certs: 1

    # allows a "renewal" outside the renewal window, the notafter date
    # is aligned to the old certificate. Set revoke_on_replace option
    # to revoke the replaced certificate.
    # This substitutes the "replace_window" from the OpenXPKI v1 config
    allow_replace: 1

response:
    # The scep standard is a bit unclear if the root should be in the chain
    # or not. We consider it a security risk (trust should be always set
    # by hand) but as most clients seem to expect it, we include the root
    # by default.
    # The getca response contains the certificate of the SCEP server itself
    # and of the current active issuer (which can but need not be the same!)
    # You can define whether to have only the certificate itself (endentity),
    # the chain without the root (chain) or the chain including the root
    # (fullchain).
    # Note: The response is cached internally in the datapool so changes
    # will not show up immediately - to list the cached items use
    # openxpkicli list_data_pool_entries --arg namespace=scep.cache.getca
    # You can delete by setting the empty string as value with
    # set_data_pool_entry (value="" force=1)
    getca:
        ra: endentity
        issuer: endentity

profile:
    cert_profile: tls_server
    cert_subject_style: enroll
    # Mapping of names to OpenXPKI profiles to be used with the
    # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
    profile_map:
        pc-client: tls_client

# HMAC based authentication
hmac: verysecret

challenge:
    value: SecretChallenge

eligible:
    initial:
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1

connector:
    initial:
        class: Connector::Proxy::YAML
        # this file must have a key/value list with the key being
        # the subject and the value being a true value
        # e.g. "pc1234.example.org: 1"
        LOCATION: /home/pkiadm/cmdb.yaml
--
Robert Sepulveda
[email protected]
(408) 460-5656
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
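The two log lines in the post ("Trusted Signer chain - certificate is self signed", then "Trusted Signer not found in trust list (...)") and the comments in the policy block of the posted generic.yaml describe a two-stage decision: first, can the PKCS#7 signer of the PKCSReq be validated and matched against the authorized_signer rules; second, if it cannot, which of the initial-enrollment authentication options (anonymous, challenge password, HMAC, manual operator authentication) the request satisfies. The script below is an added model of that decision written for this page; it is not OpenXPKI's code. It assumes authorized_signer rules of the form name -> {subject: <regex over the full DN>} and/or {identifier: <certificate identifier>} with first match winning, that the HMAC is HMAC-SHA256 over the raw PKCS#10 bytes, and that a self-signed signer (as the macOS MDM SCEP signer in the log is) never builds a chain and so never authenticates a request on its own even when a subject rule matches; all three are this example's assumptions. The constructed CSR bytes and the signer DN taken from the log are sample inputs. Note what the posted policy implies when read together: with allow_anon_enroll: 1 the challenge and HMAC are skipped entirely, and with auto_revoke_existing_certs: 1 an unauthenticated request for an already enrolled subject would both obtain a new certificate and revoke the existing one.

```python
"""Model of SCEP trusted-signer evaluation and initial-enrollment
authentication, following the log lines and policy comments in the post.
Added illustration only; this is not OpenXPKI's implementation.

Assumptions (this example's, not taken from the page):
  * authorized_signer rules: dict name -> {"subject": regex over the full
    DN} and/or {"identifier": cert identifier}; first match wins.
  * HMAC is HMAC-SHA256 over the raw PKCS#10 bytes, hex encoded.
  * a self-signed signer never yields a valid chain, so it cannot
    authenticate a request by itself even if a subject rule matches.
"""
import hashlib
import hmac
import re

# Signer DN exactly as it appears in the posted log.
LOG_SIGNER_DN = "C=US,CN=MDM SCEP SIGNER B8037F9D-5635-44B4-8A46-A086841BB8DD"

# The keys of the posted generic.yaml that this model consults.
POSTED_POLICY = {
    "allow_man_authen": 1,
    "allow_anon_enroll": 1,
    "hmac": "verysecret",
    "challenge": "SecretChallenge",
}

# Constructed stand-in for DER-encoded CSR bytes (only used as HMAC input).
SAMPLE_PKCS10 = bytes.fromhex("308201aa30820112020100")


def parse_dn(dn: str):
    """Split an RFC 4514 style DN string into (attr, value) pairs.

    Backslash escapes inside values are honoured, so 'CN=Doe\\, John' stays
    one RDN. Multi-valued RDNs ('+') are not supported by this toy parser.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def evaluate_signer(subject_dn, identifier, self_signed, rules):
    """Mirror the two checks the log shows: chain first, then trust list.

    Returns {"chain_ok": bool, "rule": matched rule name or None, "cn": str}.
    """
    cn = dict(parse_dn(subject_dn)).get("CN")  # raises on a malformed DN
    rule_hit = None
    for name, rule in rules.items():
        if "subject" in rule and not re.fullmatch(rule["subject"], subject_dn):
            continue
        if "identifier" in rule and rule["identifier"] != identifier:
            continue
        rule_hit = name
        break
    return {"chain_ok": not self_signed, "rule": rule_hit, "cn": cn}


def csr_hmac(pkcs10: bytes, key: str) -> str:
    """HMAC-SHA256 over the CSR bytes (this example's construction)."""
    return hmac.new(key.encode(), pkcs10, hashlib.sha256).hexdigest()


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of the two secrets a client can supply."""
    return hmac.compare_digest(a.encode(), b.encode())


def initial_auth_path(signer, policy, request):
    """Decide which authentication an initial PKCSReq satisfies.

    Order follows the policy comments of the posted generic.yaml:
    allow_anon_enroll short-circuits everything (challenge/hmac are not
    evaluated at all); otherwise one of trusted signer, challenge password,
    HMAC, or manual operator authentication must hold.
    """
    if policy.get("allow_anon_enroll"):
        return "anonymous"
    if signer["chain_ok"] and signer["rule"]:
        return "trusted_signer:" + signer["rule"]
    expected, got = policy.get("challenge"), request.get("challenge")
    if expected and got is not None and _eq(expected, got):
        return "challenge"
    key, tag = policy.get("hmac"), request.get("hmac")
    if key and tag and _eq(csr_hmac(request["pkcs10"], key), tag):
        return "hmac"
    if policy.get("allow_man_authen"):
        return "manual"
    return "reject"


if __name__ == "__main__":
    signer = evaluate_signer(LOG_SIGNER_DN, "unknown", self_signed=True, rules={})
    print(signer)
    print(initial_auth_path(signer, POSTED_POLICY, {"pkcs10": SAMPLE_PKCS10}))
    strict = dict(POSTED_POLICY, allow_anon_enroll=0)
    print(initial_auth_path(signer, strict, {"pkcs10": SAMPLE_PKCS10}))
```

Run it as-is and the logged signer is reported with chain_ok False and no rule match, the posted policy answers "anonymous", and the same request with allow_anon_enroll: 0 and no challenge or HMAC falls through to "manual" because allow_man_authen: 1 is set. To see the self-signed caveat, add a subject rule matching the MDM signer DN: the rule matches, but the request still does not authenticate as a trusted signer while the certificate is self-signed.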