Hello Hajo,

Can you please check the Apache logs / SCEP logs? With a regular enrollment you should never get an HTML page but a properly crafted SCEP response. There are some issues with the "GetCert" command which might cause this behaviour, but as I never used certmonger I have no idea if this applies here. There are some people outside using it (check the mailing list archives), so it should basically work.

Oli

On 25.09.24 18:19, Hans-Joachim Passon wrote:
Enrollment via scep

Hello,


I'm trying to get certificates from an OpenXPKI-Instance via certmonger and scep.
Finally most steps work but now I'm stuck:

  * certmonger gets information about the ca (getcert add-scep-ca ...)
    - WORKS AS EXPECTED
  * certmonger generates a request and sends it to CA - WORKS AS EXPECTED
  * CA looks up profile - WORKS AS EXPECTED
  * CA calculates eligibility - WORKS AS EXPECTED
  * CA generates workflow for the approval - WORKS AS EXPECTED
  * CA decides not to approve automatically because of missing expected
    approval points - WORKS AS EXPECTED
  * raop can see and manage the workflow - WORKS AS EXPECTED
  * CA generates an error
    code I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_APPROVED and the scep
    interface sends out an HTML page with error code 400

The last step seems like a bug to me. Because of the error, certmonger cannot know that certificate approval is pending. Therefore if I try a refresh in certmonger it does not poll for the state of the pending certificate but tries to submit the request again as an initial request.


Did anyone manage to use certmonger and OpenXPKI/scep with a workflow on initial requests that requires manual approval?


I'm using OpenXPKI 3.30.3 and certmonger 0.79.14+git20211010-2ubuntu1.1 (this version contains a patch that lets certmonger work with openssl 3 and is part of jammy-proposed).


Cheers


Hajo



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
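
Added example, not part of either message and not OpenXPKI or certmonger code: a small triage helper for a reply body captured from the SCEP endpoint. It tells an HTML error page apart from a DER-encoded SCEP reply and reads the pkiStatus value (0 SUCCESS, 2 FAILURE, 3 PENDING per RFC 8894). It assumes that scanning for the DER-encoded pkiStatus OID is good enough for log triage (it is not a full CMS parse); the function name and both sample bodies are constructed for illustration.

```python
"""Triage a captured SCEP PKIOperation reply: SCEP message or HTML error page?"""

# DER encoding of the SCEP pkiStatus attribute OID 2.16.840.1.113733.1.9.3
PKISTATUS_OID = bytes.fromhex("060a6086480186f845010903")
# pkiStatus values defined by RFC 8894
PKISTATUS = {b"0": "SUCCESS", b"2": "FAILURE", b"3": "PENDING"}

# Constructed sample: the kind of HTML error page described in the thread.
HTML_SAMPLE = (b"<html><body><h1>400 Bad Request</h1>"
               b"I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_APPROVED</body></html>")
# Constructed sample: minimal DER holding only a pkiStatus attribute set to
# "3" (PENDING). A real CertRep is a full CMS SignedData around this.
PENDING_SAMPLE = bytes.fromhex("30133011") + PKISTATUS_OID + bytes.fromhex("3103130133")


def classify_scep_reply(http_status, content_type, body):
    """Return (kind, detail) for one HTTP reply to a PKIOperation request."""
    ctype = content_type.split(";")[0].strip().lower()
    head = body.lstrip()[:200].lower()
    if ctype == "text/html" or head.startswith((b"<!doctype", b"<html")):
        return ("html", f"HTTP {http_status}: not a SCEP message, client cannot poll")
    if not body.startswith(b"\x30"):
        return ("unknown", f"HTTP {http_status}: body is not a DER SEQUENCE")
    pos = body.find(PKISTATUS_OID)
    if pos < 0:
        return ("der", "DER body without a pkiStatus attribute")
    # Attribute ::= SEQUENCE { OID, SET { PrintableString } }
    rest = body[pos + len(PKISTATUS_OID):]
    if len(rest) >= 5 and rest[0] == 0x31 and rest[2] == 0x13 and rest[3] == 1:
        return ("scep", PKISTATUS.get(rest[4:5], "unrecognised pkiStatus"))
    return ("der", "pkiStatus attribute present but malformed")


if __name__ == "__main__":
    print(classify_scep_reply(400, "text/html; charset=utf-8", HTML_SAMPLE))
    print(classify_scep_reply(200, "application/x-pki-message", PENDING_SAMPLE))
```
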