Hi,

> I have also tried with this url and I get an invalid subject error:
>
> Error from scep.log:
> 2024/07/26 10:22:27 ERR Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SUBJECT_INVALID [pid=11670|ep=generic]
> 2024/07/26 10:22:27 WAR Client error / malformed request: badRequest (internal code: 40006) [pid=11670|ep=generic]
>
> Error from the cli:
> ./sscep: sending certificate request
> ./sscep: valid response from server
> ./sscep: reply transaction id: B423F1066D55B60ACDB313950658A5A1
> ./sscep: pkistatus: FAILURE
> ./sscep: reason: Transaction not permitted or supported
>
> From the ui:
> Error Code...........................................................Subject is invalid

I assume you are performing an initial enrollment (i.e. anonymous with a self-signed request).

The default configuration allows renewal of existing certificates and "on-behalf" enrollment. Both are accepted and will result in immediate issuance of a certificate. Initial enrollment, however, is by default disabled/restricted in order to avoid shipping an insecure default configuration.

If you actually want to test out initial enrollment with anonymous requests, set eligible: initial: 1 in the SCEP endpoint configuration. After a server restart you should be able to send an initial SCEP request which will have to be authenticated manually on the RA interface.

Note that allowing anonymous initial requests is usually not a sensible thing to do and will likely affect the security of your PKI.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users