Hi Robert, IIRC the MacOS enrollments are done with an "on behalf" certificate which triggers a different branch in the workflow. Can you check the workflow history for a state named "START INITIAL" or "START ONBEHALF" - if its onbehalf you need to modify the workflow to not use the ONBEHALF branch or change your enrollment logic to not use the onbehalf-signer.
Oliver Am 12.08.20 um 01:20 schrieb Robert Sepulveda: > Hi, > > I’ve setup a POC OpenXPKI server to test SCEP with MacOS. I’m running into a > Trusted Signer not found in trust list issue. I’ve gone through this mail > list and found some posts saying that I can remove the authrorized_signer > rules, set allow_anon_enroll: 1, and eligible: initial: 1. I’m still running > into this issue when I try to enroll. > > Am I missing something? > > Thank you kindly. > > catchall.log error: > > 2020/08/07 14:07:49 openxpki.application.INFO LibSCEP PKIOperation; message > type: PKCSReq [pid=1502|sid=4w4c] > 2020/08/07 14:07:49 openxpki.application.INFO SCEP incoming request, id > A18E6708F349D6D1E990851C1A09444ED5C75B16 > [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.INFO SCEP try to start new workflow > for A18E6708F349D6D1E990851C1A09444ED5C75B16 > [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.INFO Rendering subject: > CN=test2,DC=Test Deployment,DC=OpenXPKI,DC=org > [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer chain - > certificate is self signed > [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer not found in > trust list (C=US,CN=MDM SCEP SIGNER B8037F9D-5635-44B4-8A46-A086841BB8DD). > [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.INFO SCEP started new workflow with > id 7935, state FAILURE > [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > 2020/08/07 14:07:49 openxpki.application.ERROR SCEP Request failed without > error code set - default to badRequest > [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16] > > > generic.yaml: > > # By default, all scep endpoints wll use the default token defined > # by the scep token group, if you pass a name here, it is considered > # a group name from the alias table > #token: scep-altra > > # A renewal request is only accpeted if the used certificate will > # expire within this period of time. > renewal_period: 000060 > > # If the request was a replacement, optionally revoke the replaced > # certificate after a grace period > revoke_on_replace: > reason_code: keyCompromise > delay_revocation_time: +000014 > > > workflow: > type: certificate_enroll > param: > # key: name in workflow context, value: parameter from scep wrapper > # server and interface are always set, the mapping below is > # the default set that is used when no map is given > transaction_id: transaction_id > signer_cert: signer_cert > pkcs10: pkcs10 > _url_params: url_params > #_pkcs7: pkcs7 > > authorized_signer: > > policy: > # Authentication Options > # Initial requests need ONE authentication. > # Activate Challenge Password and/or HMAC by setting the appropriate > # options below. > > # if set requests can be authenticated by an operator > allow_man_authen: 1 > > # if set, no authentication is required at all and hmac/challenge is > # not evaluated even if it is set/present in the request! > allow_anon_enroll: 1 > > # Approval > # If not autoapproved, allow opeerator to add approval by hand > allow_man_approv: 1 > > # if the eligibiliyt check failed the first time > # show a button to run a recheck (Workflow goes to PENDING) > allow_eligibility_recheck: 0 > > # Approval points requirede (eligibity and operator count as one point > each) > # if you set this to "0", all authenticated requests are auto-approved! > approval_points: 1 > > # The number of active certs with the same subject that are allowed > # to exist at the same time, deducted by one if a renewal is seen > # set to 0 if you dont want to check for duplicates at all > max_active_certs: 1 > > # option will be removed > # allow_expired_signer: 0 > > # If an initial enrollment is seen > # all existing certificates with the same subject are revoked > auto_revoke_existing_certs: 1 > > # allows a "renewal" outside the renewal window, the notafter date > # is aligned to the old certificate. Set revoke_on_replace option > # to revoke the replaced certificate. > # This substitutes the "replace_window" from the OpenXPKI v1 config > allow_replace: 1 > > response: > # The scep standard is a bit unclear if the root should be in the chain > # or not. We consider it a security risk (trust should be always set > # by hand) but as most clients seem to expect it, we include the root > # by default. > # The getca response contains the certificate of the SCEP server itself > # and of the current active issuer (which can but need not to be the > same!) > # You can define weather to have only the certificate itself (endentity), > # the chain without the root (chain) or the chain including the root > # (fullchain). > # Note: The response is cached internally in the datapool so changes > # will not show up immediately - to list the cached items use > # openxpkicli list_data_pool_entries --arg namespace=scep.cache.getca > # You can delete by setting the empty string as value with > # set_data_pool_entry (value="" force=1) > getca: > ra: endentity > issuer: endentity > > > profile: > cert_profile: tls_server > cert_subject_style: enroll > > # Mapping of names to OpenXPKI profiles to be used with the > # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2) > profile_map: > pc-client: tls_client > > # HMAC based authentication > hmac: verysecret > > challenge: > value: SecretChallenge > > eligible: > initial: > value: 1 > > renewal: > value: 1 > > onbehalf: > value: 1 > > > connector: > initial: > class: Connector::Proxy::YAML > # this file must have a key/value list with the key being > # the subject and the value being a true value > # e.g. "pc1234.example.org: 1" > LOCATION: /home/pkiadm/cmdb.yaml > -- Protect your environment - close windows and adopt a penguin! _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
