Hello Immanuel,
you very likely used the wrong SCEP address - the system comes with a
special kind of autoconfiguration which currently does not properly
handle cases when you use an incomplete config. The default config
provides an endpoint named "generic", so you have to use the URL
http://yourhost/scep/generic in your SCEP command.
Oliver
On 04.02.25 14:53, Immanuel HARTUNG via OpenXPKI-users wrote:
Sorry for posting to GitHub first! I'll copy my text here:
Hello everyone. I followed the quickstart guide to set up the democa on
a Debian 12 VM since I wanted to try out the SCEP workflow. I tried
with different SCEP clients, also with sscep as it is described in the
quickstart guide.
I can send getca / getcacaps requests, but the enrollment always fails
with:
./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported
The GUI shows me that the workflow failed with error "Invalid profile".
On the server side, I see this in the catchall log:
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user:
Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa]
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user:
Anonymous, role: System) [pid=1534|sid=2jGu|pki_realm=democa]
2025/02/04 14:11:27 openxpki.auth.INFO Login successful (user:
Anonymous, role: System) [pid=1536|sid=nAWV|pki_realm=democa]
2025/02/04 14:11:27 openxpki.application.WARN No policy params set in
LoadPolicy
[pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR
configuration_error exception thrown from
[OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before:
OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the
profile name or the key_rules directly
[pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
I don't get what I am supposed to do there. I am creating a CSR with
the challenge password "SecretChallenge". I don't think a specific
subject/common name is needed? The cert_profile is set to tls_server
in /etc/openxpki/config.d/realm.tpl/scep/generic.yaml (I haven't
touched these files so I assume they are all set up from the
sampleconfig.sh).
I hope you can help me out here :)
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
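
Added example, not part of the original thread and not OpenXPKI code: a small triage script that groups catchall log lines by workflow id and flags enrollment workflows showing both messages quoted above. The function names are hypothetical, the sample lines are constructed from the quoted log, and treating the two messages together as a sign of a URL without an endpoint name is an assumption drawn from this thread.

```python
import re
from collections import defaultdict

# Constructed sample: unwrapped copies of log lines quoted in the thread, plus
# one invented line (wfid=15872) for a workflow that shows neither message.
SAMPLE_LOG = """\
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa]
2025/02/04 14:11:27 openxpki.application.WARN No policy params set in LoadPolicy [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:20:03 openxpki.application.INFO constructed line for an unaffected workflow [pid=1540|user=Anonymous|role=System|sid=Qx7p|wftype=certificate_enroll|wfid=15872|pki_realm=democa]
"""

# timestamp, dotted logger name, level, message, trailing [key=value|...] context
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logger>\S+)\.(?P<level>[A-Z]+) "
    r"(?P<msg>.*) \[(?P<ctx>[^\[\]]*)\]$"
)

# The two messages reported in the thread for the failing enrollment.
SIGNATURES = {
    "No policy params set in LoadPolicy": "no_policy",
    "You must pass either the profile name or the key_rules directly": "no_profile",
}

def parse_line(line):
    """Split one catchall line into fields plus its key=value context dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ctx"] = dict(kv.split("=", 1) for kv in rec["ctx"].split("|") if "=" in kv)
    return rec

def suspect_workflows(log_text):
    """Return wfids of certificate_enroll workflows that logged both signatures."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["ctx"].get("wftype") != "certificate_enroll":
            continue
        for needle, flag in SIGNATURES.items():
            if needle in rec["msg"]:
                seen[rec["ctx"].get("wfid", "?")].add(flag)
    return sorted(w for w, flags in seen.items() if flags == set(SIGNATURES.values()))

if __name__ == "__main__":
    for wfid in suspect_workflows(SAMPLE_LOG):
        print(f"wfid {wfid}: no policy/profile loaded; check that the SCEP URL "
              "names an endpoint, e.g. http://yourhost/scep/generic")
```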