Hi Oliver, I think the invalid subject was just me using "XX" as country earlier.
I am writing my own SCEP client, which is why I am testing against different SCEP servers. I noticed (a bit too late ...) that many came around before the official RFC existed, so most are probably implementing some sort of draft. It's sometimes not so clear how to accomodate to all of them :( But I am happy I got it working with openxpki now. Another question I have regarding this: most SCEP clients have a cert fingerprint configured that they trust. I'd expect this to be the fingerprint of the root cert (since I can then verify the whole chain against the root). It seems like macOS does it like this. However, apparently openxpki only later added the "include_root" parameter and previously did not send the root cert. Which fingerprint would you say clients should have configured then, just the one from the issuing CA cert? Isn't it possible that a client then blindly trusts an issuing cert, but the chain from that cert to the root is actually not valid? ________________________________ Von: Oliver Welter <m...@oliwel.de> Gesendet: Mittwoch, 5. Februar 2025 19:47 An: openxpki-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net> Betreff: Re: [OpenXPKI-users] Getting SCEP to run with the sample config Sie erhalten nicht häufig E-Mails von m...@oliwel.de. Erfahren Sie, warum dies wichtig ist<https://aka.ms/LearnAboutSenderIdentification> Hi Immanuel, the subject is create from the CN in the csr but there are no special restrictions on this - so as long as you have a CN set it should work, the assembly of the certificate is controlled by the profile definition so if you need something else you just need to change the configs. The RenewalReq type was added "recently" to SCEP and as we did not yet see any customers using this in the wild it was not implemented but if this now comes along we will add support for it in one of the next releases. Might you tell us what client you are using? For reference for future readers - we have updated the default configuration to better reflect such problems and put a README to the config repo that explains the basic parts: https://github.com/openxpki/openxpki-config/blob/community/scep/README.md best regards Oliver On 05.02.25 15:57, Immanuel HARTUNG via OpenXPKI-users wrote: Thanks Oliver, that made it work! I still had an I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SUBJECT_INVALID error after that, but I fixed that by using a common name that looks like a hostname (not entirely sure what the rules here are). It also looks like openxpki does not accept the message type RenewalReq, so I had to retry with PKCSReq instead for the renewal. Maybe this is useful for someone else as well. Thanks again, I appreciate the quick help. ________________________________ Von: Oliver Welter <m...@oliwel.de><mailto:m...@oliwel.de> Gesendet: Mittwoch, 5. Februar 2025 09:16 An: openxpki-users@lists.sourceforge.net<mailto:openxpki-users@lists.sourceforge.net> <openxpki-users@lists.sourceforge.net><mailto:openxpki-users@lists.sourceforge.net> Betreff: Re: [OpenXPKI-users] Getting SCEP to run with the sample config Sie erhalten nicht häufig E-Mails von m...@oliwel.de<mailto:m...@oliwel.de>. Erfahren Sie, warum dies wichtig ist<https://aka.ms/LearnAboutSenderIdentification> Hello Immanuel, you very likley used the wrong SCEP adress - the systems comes with a special kind of autoconfiguration which currently does not properly handle cases when you use an incomplete config. The default config provides an endpoint named "generic", so you have to use the URL http://yourhost/scep/generic in your SCEP command. Oliver On 04.02.25 14:53, Immanuel HARTUNG via OpenXPKI-users wrote: Sorry for posting to GitHub first! I'll copy my text here: Hello everyone. I followed the quickstart guide to setup the democa on a debian 12 VM since I wanted to try out the SCEP workflow. I tried with different SCEP clients, also with sscep as it is described in the quickstart guide. I can send getca / getcacaps requests, but the enrollment always fails with: ./sscep: pkistatus: FAILURE ./sscep: reason: Transaction not permitted or supported The GUI shows me that the workflow failed with error "Invalid profile". On the server side, I see this in the catchall log: 2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1532|sid=JhsR|pki_realm=democa] 2025/02/04 14:11:26 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1534|sid=2jGu|pki_realm=democa] 2025/02/04 14:11:27 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=1536|sid=nAWV|pki_realm=democa] 2025/02/04 14:11:27 openxpki.application.WARN No policy params set in LoadPolicy [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa] 2025/02/04 14:11:27 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR configuration_error exception thrown from [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; before: OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the profile name or the key_rules directly [pid=1536|user=Anonymous|role=System|sid=nAWV|wftype=certificate_enroll|wfid=15871|pki_realm=democa] I don't get what I am supposed to do there. I am creating a CSR with the challenge password "SecretChallenge". I don't think a specific subject/common name is needed? The cert_profile is set to tls_server in /etc/openxpki/config.d/realm.tpl/scep/generic.yaml (I haven't touched these files so I assume they are all set up from the sampleconfig.sh). I hope you can help me out here :) ________________________________ Ce message, ainsi que tous les fichiers joints à ce message, peuvent contenir des informations sensibles et/ ou confidentielles ne devant pas être divulguées. Si vous n'êtes pas le destinataire de ce message (ou que vous recevez ce message par erreur), nous vous remercions de le notifier immédiatement à son expéditeur, et de détruire ce message. Toute copie, divulgation, modification, utilisation ou diffusion, non autorisée, directe ou indirecte, de tout ou partie de ce message, est strictement interdite. This e-mail, and any document attached hereby, may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution or other use of the material or parts thereof is strictly forbidden. _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net<mailto:OpenXPKI-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/openxpki-users -- Protect your environment - close windows and adopt a penguin! ________________________________ Ce message, ainsi que tous les fichiers joints à ce message, peuvent contenir des informations sensibles et/ ou confidentielles ne devant pas être divulguées. Si vous n'êtes pas le destinataire de ce message (ou que vous recevez ce message par erreur), nous vous remercions de le notifier immédiatement à son expéditeur, et de détruire ce message. Toute copie, divulgation, modification, utilisation ou diffusion, non autorisée, directe ou indirecte, de tout ou partie de ce message, est strictement interdite. This e-mail, and any document attached hereby, may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution or other use of the material or parts thereof is strictly forbidden. _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net<mailto:OpenXPKI-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/openxpki-users -- Protect your environment - close windows and adopt a penguin! ________________________________ Ce message, ainsi que tous les fichiers joints à ce message, peuvent contenir des informations sensibles et/ ou confidentielles ne devant pas être divulguées. Si vous n'êtes pas le destinataire de ce message (ou que vous recevez ce message par erreur), nous vous remercions de le notifier immédiatement à son expéditeur, et de détruire ce message. Toute copie, divulgation, modification, utilisation ou diffusion, non autorisée, directe ou indirecte, de tout ou partie de ce message, est strictement interdite. This e-mail, and any document attached hereby, may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution or other use of the material or parts thereof is strictly forbidden.
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
