Bonjour Martin,

It fails. I configured OpenXPKI 3.30.3 on Debian 12.7 x64 but it still fails with an error. I tried SSCEP on your demo site, which is also giving the same error:

    sscep getca -c cacert -u http://demo.openxpki.org/scep/scep
    openssl req -new -newkey rsa:2048 -nodes -out scep-test.csr -keyout scep-test.key -subj "/C=US/ST=OHIO/L=CA/O=ABC/OU=ABC/CN=ABC.com"
    sscep enroll -u http://demo.openxpki.org/scep/scep -k scep-test.key -r scep-test.csr -c cacert-0 -l scep-test.crt -t 10 -n 1 -vvv

    sscep: starting sscep, version 0.10.0
    sscep: new transaction
    sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
    sscep: hostname: demo.openxpki.org
    sscep: directory: scep/scep
    sscep: port: 80
    sscep: SCEP_OPERATION_GETCAPS
    sscep: connecting to demo.openxpki.org:80
    sscep: server response status code: 200, MIME header: text/plain
    Renewal
    POSTPKIOperation
    SHA-512
    SHA-384
    SHA-256
    SHA-224
    SHA-1
    DES3
    AES
    sscep: Read request with transaction id: 14C6367628D7419A1D99D6AA0A307086
    sscep: generating selfsigned certificate
    sscep: requesting certificate with serial number 0 and issuer /CN=oxi-ce-demo.rackport.net:scep-ra
    sscep: SCEP_OPERATION_ENROLL
    sscep: sending certificate request
    sscep: request data dump
    sscep: data payload size: 672 bytes
    sscep: successfully encrypted payload
    sscep: envelope size: 1294 bytes
    sscep: creating outer PKCS#7
    sscep: PKCS#7 data written successfully
    sscep: payload size: 2876 bytes
    sscep: connecting to demo.openxpki.org:80
    sscep: server response status code: 400, MIME header: application/x-pki-message
    sscep: valid response from server
    sscep: reading outer PKCS#7
    sscep: PKCS#7 payload size: 2052 bytes
    sscep: PKCS#7 contains 0 bytes of enveloped data
    sscep: verifying signature
    sscep: signature ok
    sscep: reply transaction id: 14C6367628D7419A1D99D6AA0A307086
    sscep: reply message type is good
    sscep: senderNonce in reply: 3B9DED3C6AEAF1E1A4625EAFECA96645
    sscep: recipientNonce in reply: 0CBBD8DA287277C9BC1018E155DE4BD6
    sscep: pkistatus: FAILURE
    sscep: reason: Transaction not permitted or supported

On Monday 4 November 2024 at 01:44:55 pm GMT+5, Martin Bartosch <vc-...@cynops.de> wrote:

Scott,

> Yes I agree with Martin but we recently checked OpenXPKI for auto enrollment
> but the SCEP implementation in OpenXPKI is broken ... It doesn't enroll a
> certificate ...
> We've tried multiple times the same configuration we're using with previous
> versions but it doesn't work.
> Can someone look into and comment on this?

I just checked using sscep 0.10.0 with our Demo OpenXPKI Instance (OpenXPKI 3.30.3). Works fine.

Note that LibSCEP is no longer supported with newer OpenXPKI versions, as we have migrated to a new SCEP implementation in 3.18. You may have to update your configuration accordingly.

Cheers

Martin