Dear Nick,
My goal with openxpki is to test our certificate manager application that can
enroll certs with EST/SCEP and CMP.
I was looking for the simplest way of setting up openxpki, so I chose
the 'dockerized' version (https://github.com/openxpki/openxpki-docker.git).
These were the configuration steps performed so far:
git clone https://github.com/openxpki/openxpki-docker.git
cd openxpki-docker
make compose
docker exec -it openxpki_openxpki-server_1 sh -c /etc/openxpki/contrib/sampleconfig.sh
So I haven't manually modified either scep.yaml or crypto.yaml.
Your question guided me to a step I had missed so far: now I am trying to
figure out the easiest way to generate the scep key in the running
docker container.
In the quickstart guide
(https://openxpki.readthedocs.io/en/stable/quickstart.html) I found this
instruction:
Are there any other steps necessary to set up server side SCEP within
openxpki-docker?
Regards,
Daniel
On 2023-11-28 at 2:20, Nick Dawson wrote:
Here's the key:
*OpenSSL error: Could not read private key*
How did you create the key? What's in your scep.yaml and crypto.yaml?
What does OpenXPKI expect?
On Mon, Nov 27, 2023 at 3:03 PM, Petri Dániel
<petri.dan...@prolan-power.hu> wrote:
Any ideas?
-------- Forwarded message --------
Subject: scep enroll failure
Date: Thu, 16 Nov 2023 21:32:04 +0100
From: Petri Dániel <petri.dan...@prolan-power.hu>
To: OpenXpki <openxpki-users@lists.sourceforge.net>
Dear Users,
When I try to enroll a cert with sscep, I get
sscep: successfully encrypted payload
sscep: envelope size: 1246 bytes
sscep: creating outer PKCS#7
sscep: PKCS#7 data written successfully
sscep: payload size: 2630 bytes
sscep: connecting to localhost:8080
*sscep: server response status code: 500, MIME header: text/html*
sscep: wrong (or missing) MIME content type
sscep: error while sending message
*sscep getca works, I get 3 ca-cert files.*
openxpki.log shows
2023/11/16 21:23:11 INFO Login successful (user: Anonymous, role:
System) [pid=147|sid=jAHL]
2023/11/16 21:23:11 INFO Login successful (user: Anonymous, role:
System) [pid=148|sid=kQij]
2023/11/16 21:23:11 *ERROR OpenSSL error: Could not read private
key from
/var/tmp/openxpki148QvSRMnBh/EE:3D:CC:AF:82:F6:FF:78:90:D8:76:0E:65:99:CC:DE:B3:A2:AF:6F*
40D7C139227F0000:error:1608010C:STORE
routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
40D7C139227F0000:error:1C800064:Provider
routines:ossl_cipher_unpadblock:bad
decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
40D7C139227F0000:error:11800074:PKCS12
routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal
error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password
pkeyutl: Error initializing context
[pid=148|user=Anonymous|role=System|sid=kQij]
2023/11/16 21:23:11 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
__COMMAND__ => pkeyutl -decrypt -inkey
/var/tmp/openxpki148QvSRMnBh/EE:3D:CC:AF:82:F6:FF:78:90:D8:76:0E:65:99:CC:DE:B3:A2:AF:6F
-in /var/tmp/openxpki148HN3vrxqD -out /var/tmp/openxpki148O0umHE5Y
-passin env:pwd, __EXIT_STATUS__ => 256
[pid=148|user=Anonymous|role=System|sid=kQij]
2023/11/16 21:23:11 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::decrypt_digest,
__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__
=> pkeyutl -decrypt -inkey
/var/tmp/openxpki148QvSRMnBh/EE:3D:CC:AF:82:F6:FF:78:90:D8:76:0E:65:99:CC:DE:B3:A2:AF:6F
-in /var/tmp/openxpki148HN3vrxqD -out /var/tmp/openxpki148O0umHE5Y
-passin env:pwd, __EXIT_STATUS__ => 256
[pid=148|user=Anonymous|role=System|sid=kQij]
*This is how I set up my local openxpki:*
git clone https://github.com/openxpki/openxpki-docker.git
cd openxpki-docker
make compose
docker exec -it openxpki_openxpki-server_1 sh -c /etc/openxpki/contrib/sampleconfig.sh
config.d/realm.tpl/scep/generic.yaml is the original.
*This is how I executed sscep:*
openssl genrsa -out ${workdir}/client-key.pem 2048
openssl req -new -key ${workdir}/client-key.pem -out ${workdir}/client-csr.pem -config certreq.conf
sscep enroll -u http://localhost:8080/scep/scep \
-v \
-k ${workdir}/client-key.pem -r ${workdir}/client-csr.pem \
-c ${workdir}/ca-certs.pem-0 \
-l ${workdir}/client-cert.pem \
-t 10 -n 1
*certreq.conf content is:*
[ req ]
prompt = no
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_attributes ]
challengePassword=SecretChallenge
[ req_distinguished_name ]
CN=epp1_https
*What is wrong here? What else needs to be set up?*
Regards,
Daniel
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
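The server-side failure in the log above happens inside pkeyutl, when OpenSSL tries to decrypt the SCEP RA private key with the passphrase it receives via "-passin env:pwd" and the PKCS#12 PBE routine reports "bad decrypt ... maybe wrong password". The shell script below is an added example, not code from this thread or from OpenXPKI: it builds a passphrase-encrypted PKCS#8 RSA key, shows the check that confirms a key decrypts with the passphrase the server will hand it, and reproduces the logged pkeyutl -decrypt failure with a wrong passphrase. The passphrases, file paths, and plaintext are constructed for the demonstration; it needs the openssl CLI.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI: reproduce the
# "Could not read private key ... maybe wrong password" failure from the log
# and show the check to run on a SCEP RA key before OpenXPKI tries to use it.
# Needs the openssl CLI. Passphrases, paths and the message are constructed.
set -u

WORK="${TMPDIR:-/tmp}/scep-key-check.$$"
CORRECT_PASS="constructed-passphrase"   # what the key is really encrypted with
WRONG_PASS="some-other-passphrase"      # what a mis-set config would hand over

# Generate an RSA key and wrap it as passphrase-encrypted PKCS#8 (the
# "BEGIN ENCRYPTED PRIVATE KEY" form, decrypted via the PKCS#12 PBE routines
# named in the log). $1 output path, $2 passphrase.
make_encrypted_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.plain" 2>/dev/null
    pwd="$2" openssl pkcs8 -topk8 -in "$1.plain" -v2 aes-256-cbc \
        -passout env:pwd -out "$1" 2>/dev/null
    rm -f "$1.plain"
}

# The check: return 0 if key $1 decrypts with passphrase $2, non-zero otherwise.
# Passing the passphrase through the environment mirrors "-passin env:pwd"
# in the logged OpenXPKI command, so the same value is tested the same way.
key_loads_with() {
    pwd="$2" openssl pkey -in "$1" -passin env:pwd -noout >/dev/null 2>&1
}

# The logged operation itself: pkeyutl -decrypt with key and passphrase.
# $1 key, $2 passphrase, $3 ciphertext in, $4 plaintext out.
decrypt_with() {
    pwd="$2" openssl pkeyutl -decrypt -inkey "$1" -passin env:pwd \
        -in "$3" -out "$4" 2>/dev/null
}

run_demo() {
    mkdir -p "$WORK"
    make_encrypted_key "$WORK/ra-key.pem" "$CORRECT_PASS"
    # Public half, used to produce something for pkeyutl -decrypt to work on.
    pwd="$CORRECT_PASS" openssl pkey -in "$WORK/ra-key.pem" -passin env:pwd \
        -pubout -out "$WORK/ra-pub.pem" 2>/dev/null
    printf 'constructed plaintext' > "$WORK/msg.bin"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/ra-pub.pem" \
        -in "$WORK/msg.bin" -out "$WORK/msg.enc" 2>/dev/null

    for pass in "$CORRECT_PASS" "$WRONG_PASS"; do
        if key_loads_with "$WORK/ra-key.pem" "$pass"; then
            echo "passphrase '$pass': key loads"
        else
            echo "passphrase '$pass': key does NOT load (the logged failure)"
        fi
    done
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

key_loads_with is the step to run inside the container against the key file the SCEP realm configuration points at, with the passphrase that configuration supplies. If it fails there, the server's pkeyutl call fails the same way no matter what sscep sends, which is consistent with getca succeeding (no private key needed) while enroll returns 500.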