Hi Damien,

I do not know this Cisco IOS version, but from the error message it is clear that the router either does not attach the (self-signed) signer certificate or we have some assumptions in our code that prevent OpenXPKI from detecting it properly. If you can provide the PKCS7 envelope I can have a look at this.

Oliver

On 16.05.23 17:42, M. Damien BILLON wrote:

Hi,

I’m trying to set up a lab with a couple of Cisco routers getting their certificates from OpenXPKI using SCEP.

I installed OpenXPKI on an Ubuntu 22.04 server using Docker containers.

I used the provided configuration script to set up the initial configuration: “sampleconfig.sh”.

The router successfully gets the CA certificate (cn=OpenXPKI Demo Issuing CA 20230515).

But when it tries to fetch its own certificate I get the following error message from the SCEP server (scep.log):

2023/05/16 13:41:57 ERR Unable to find signer certificate in enveloped message [pid=77|ep=scep]
2023/05/16 13:41:57 ERR Unable to unwrap message (Error running command: Unable to find signer certificate in enveloped message at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 465.
) [pid=77|ep=scep]
2023/05/16 13:41:57 INF Disconnect client [pid=77|ep=scep]

I tried the same process using SSCEP (using the Quickstart Guide at https://openxpki.readthedocs.io/en/latest/quickstart.html).

The request is accepted by OpenXPKI but it stays in a pending state (waiting for a manual approval on the WebGUI).

I probably need to figure out what conditions must be met in the workflow to fully approve a request (challenge password is OK but signer appears to be “Not trusted and Not authorized”).

Any idea why a request from a Cisco router would be refused by OpenXPKI?

Release information from my configuration:

  * Cisco IOS-XE 17.06.05
  * OpenXPKI v3.24.1

BR,

Damien.



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!