Re: [OpenXPKI-users] Problem requesting certificate via SCEP with unstructuredAddress attribute

Wed, 15 Mar 2023 14:03:31 -0700 

Hi Daniel,
what version are you now running? We did some changes to the ParsePKCS10 action exactly at the part were we parse the DN to work with DNs that have Plus and Coma characters in the DN values so that sounds like we did overlook some cases here. 


Can you check the workflow context what is inside the 
"cert_subject_parts" hash? It might just be an issue that we do not have 
the OID mapping in the right place and this gets not translated. It 
would help if you can share an excerpt of the context and perhaps also 
the PKCS10 container.


best regards

Oliver

On 15.03.23 16:47, Daniel Hoffend wrote:

Hello


I'm having trouble with requesting certificates using the scep 
interface. Our cisco routers are configured to generate a CSR that 
looks like this:


unstructuredName=hostname.fqdn+unstructuredAddress=10.20.30.40,OU=VPN


This was working fine for quite some time and I've contributed some 
patchs to openxpki to make those attributes works. Now we're facing a 
problem that the scep server doesn't correctly translates those oids 
back to readable names.


Our Enroll Profile Subject is set to:

    subject:

        dn: unstructuredName=[% UNSTRUCTUREDNAME.0 
%]+unstructuredAddress=[% UNSTRUCTUREDADDRESS.0 %],OU=VPN



In the workflow context I see that the request has failed due to an 
invalid subject


    unstructuredName=+unstructuredAddress=,OU=VPN


While the csr_subject correctly states 
1.2.840.......=hostname.fqdn+1.2.840......=10.20.30.40,OU=VPN



To make things more confusing. If we do an manual enrollment on the 
router, upload the correct/same CSR file via WebUI everything gets 
parsed and build correctly. So there must be something strange 
happeing the the SCEP Request parser.



btw. I had the issue with the LibSCEP backend. Then I switch to the 
newer 3.18+ SCEP Server backend, but issue is still present (invalid 
subject with every scep request).


Maybe somebody has an idea.


--
Best regards
Daniel Hoffend


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users






















					Reply via email to