Hey Nick,

do you have this problem with iOS or macOS?

I spent a lot of time this year trying to use SCEP directly between Apple systems 
and OpenXPKI.

There are bugs in macOS 11 and earlier preventing this.
Apple fixed all of the bugs I reported in macOS 12. I’ve tested with the first beta 
and can confirm.

I was unable to persuade the iOS SCEP client to accept CA certificates from 
OpenXPKI.
The SCEP client bailed out before even trying to request the certificate.
Apple also stated they fixed this problem, but currently I don’t have an iOS 
device to run beta iOS, so I can’t test.

Michal Moravec
Sent from my iPhone

On 17. 6. 2021, at 23:50, Nick Dawson <nd+openx...@nickdawson.net> wrote:


hey OpenXPKI friends,
I've been struggling with SCEP and could use some help. I have SCEP set up 
using the default config. When I use sscep I can get the capabilities and get 
the CA certs. sscep downloads 3 certs (the scep cert, the CA cert, and the root 
cert). I have fullchain set in the config so that seems correct.

On Apple devices, I'm attempting to install a profile. On OpenXPKI, the logs 
show the Apple devices trying to get the CA. The server sends the certs. And 
then the Apple devices fail.

Specifically, Apple devices return: errSecCertificateCannotOperate (which is 
error: -67817).

I've tried capturing the exact url queries from the webserver's access logs. 
When I paste them into a browser, it downloads a file called "untitled". When I 
examine untitled with OpenSSL, I can see that it is a pkcs7 bundle of the three 
certs.

Could it be as simple as needing a better filename like untitled.p7? And, if so, 
where would I set that in OpenXPKI's config files? I didn't see anything in scep 
or enrollment files.

Or, might this be a different issue? Does anyone have experience with Apple 
devices and OpenXPKI's SCEP implementation? Any tips or tricks?

thanks!





_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users