Thanks Oliver, that made it work!

I still had an I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SUBJECT_INVALID
error after that, but I fixed that by using a common name that looks like a 
hostname (not entirely sure what the rules here are).

It also looks like openxpki does not accept the message type RenewalReq, so I 
had to retry with PKCSReq instead for the renewal.

Maybe this is useful for someone else as well. Thanks again, I appreciate the 
quick help.
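For anyone who hits the same failure, a small parser for the OpenXPKI catchall log format that appears in the quoted thread below (added example, not code from the thread or from the OpenXPKI project): it splits each line into timestamp, logger, level, message and the trailing `[key=value|...]` context, groups records by workflow id, and reports which workflows ended in an ERROR. The sample lines are the ones quoted in the thread, re-joined where the mail client wrapped them; the field layout is assumed from those lines only.

```python
import re
from dataclasses import dataclass

# Sample input: the catchall log lines quoted later in this thread,
# re-joined into one line per record (constructed from the thread).
SAMPLE_LOG = """\
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa]
2025/02/04 14:11:27 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1536|sid=nAWV|pki_realm=democa]
2025/02/04 14:11:27 openxpki.application.WARN No policy params set in LoadPolicy [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
"""

# date time logger.LEVEL message [k=v|k=v|...]
# The greedy message group backtracks to the *last* bracketed group, so
# brackets inside the message (the Perl stack location) are kept in msg.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<logger>\S+)\.(?P<level>[A-Z]+) (?P<msg>.*) \[(?P<ctx>[^\]]*)\]$"
)


@dataclass
class Record:
    ts: str
    logger: str
    level: str
    msg: str
    ctx: dict


def parse_line(line):
    """Return a Record for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split("|") if "=" in kv)
    return Record(f"{m['date']} {m['time']}", m["logger"], m["level"], m["msg"], ctx)


def failed_workflows(text):
    """Group records by wfid; return only workflows that logged an ERROR."""
    by_wf = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "wfid" not in rec.ctx:
            continue  # login records carry no workflow id
        by_wf.setdefault(rec.ctx["wfid"], []).append(rec)
    return {wfid: recs for wfid, recs in by_wf.items()
            if any(r.level == "ERROR" for r in recs)}


if __name__ == "__main__":
    for wfid, recs in failed_workflows(SAMPLE_LOG).items():
        err = next(r for r in recs if r.level == "ERROR")
        print(f"wf {wfid} ({recs[0].ctx['wftype']}): {err.logger}: {err.msg}")
```

Run against a real catchall log, the output points straight at the condition that rejected the enrollment (here KeyParams with no profile name), which is quicker than reading the GUI's generic "Invalid profile".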


________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, 5 February 2025 09:16
To: openxpki-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net>
Subject: Re: [OpenXPKI-users] Getting SCEP to run with the sample config

Hello Immanuel,


you very likely used the wrong SCEP address - the system comes with a special 
kind of autoconfiguration which currently does not properly handle cases when 
you use an incomplete config. The default config provides an endpoint named 
"generic", so you have to use the URL http://yourhost/scep/generic in your SCEP 
command.


Oliver



On 04.02.25 14:53, Immanuel HARTUNG via OpenXPKI-users wrote:
Sorry for posting to GitHub first! I'll copy my text here:
Hello everyone. I followed the quickstart guide to set up the democa on a Debian 
12 VM since I wanted to try out the SCEP workflow. I tried with different SCEP 
clients, also with sscep as it is described in the quickstart guide.
I can send getca / getcacaps requests, but the enrollment always fails with:

./sscep: pkistatus: FAILURE
./sscep: reason: Transaction not permitted or supported

The GUI shows me that the workflow failed with error "Invalid profile".
On the server side, I see this in the catchall log:

2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa]
2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1534|sid=2jGu|pki_realm=democa]
2025/02/04 14:11:27 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1536|sid=nAWV|pki_realm=democa]
2025/02/04 14:11:27 openxpki.application.WARN No policy params set in LoadPolicy [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]
2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa]

I don't get what I am supposed to do there. I am creating a CSR with the 
challenge password "SecretChallenge". I don't think a specific subject/common 
name is needed? The cert_profile is set to tls_server in 
/etc/openxpki/config.d/realm.tpl/scep/generic.yaml (I haven't touched these 
files so I assume they are all set up from the sampleconfig.sh).

I hope you can help me out here :)

________________________________

This e-mail, and any document attached hereby, may contain confidential and/or 
privileged information. If you are not the intended recipient (or have received 
this e-mail in error) please notify the sender immediately and destroy this 
e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution 
or other use of the material or parts thereof is strictly forbidden.




_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!