Updating:
I just tried v3.8 of the docker compose and openxpki-config, and it
worked well, even being able to resume enrollment.
I tried using the scep/generic.yaml from v3.8 in v3.32 and had the same
results as v3.32 - FAIL
I tried downgrading some versions for a quick test:
openxpki v3.24 (v3.8 git checkout) + config v3.24 WORKS (container
images were versioned by me)
So, up to now, with v3.8 and v3.24, SCEP works with the default sampleconfig.
Is there a recommended version of OpenXPKI at the moment? It looks like
there are lots of changes from v3.8 to v3.32 ... some
refactoring/improvements?
On 29/07/2025 18:35, Mauricio Silveira via OpenXPKI-users wrote:
Hi there.
After much digging into the web, docs, etc., I guess I managed to go
forward in getting OpenXPKI working... (tough task)...
I'm now stuck at SCEP testing.
I'm using the Docker images (v3.32), everything seems fine (I even
managed to get the oxi client working with the key)...
But SCEP enrollment only works when I set approval_points: 0 in
scep/generic.yaml (I'm able to request and renew); when
approval_points is set to 1 and I perform operator approval (rob test
account), it simply doesn't work.
With approval_points: 0
mauricio@localhost:/tmp/sscep$ ./sscep enroll -uhttp://192.168.11.11:8080/scep/generic -k sceptmp/scep-test.key -r sceptmp/scep-test.csr -c sceptmp/cacert-0 -l sceptmp/scep-test.crt -t 20 -T100 -n 10
./sscep: sending certificate request
./sscep: valid response from server
./sscep: reply transaction id: 03D56226186C56BE8BB3D5978A0AE009
./sscep: pkistatus: SUCCESS
With approval_points: 1
mauricio@localhost:/tmp/sscep$ ./sscep enroll -uhttp://192.168.11.11:8080/scep/generic -k sceptmp/scep-test.key -r sceptmp/scep-test.csr -c sceptmp/cacert-0 -l sceptmp/scep-test.crt -t 20 -T100 -n 10
./sscep: sending certificate request
./sscep: valid response from server
./sscep: reply transaction id: 778E2DFF5E20DCC07539E9C293D09192
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#1)
./sscep: valid response from server
./sscep: reply transaction id: 778E2DFF5E20DCC07539E9C293D09192
./sscep: pkistatus: FAILURE
./sscep: reason: No certificate could be identified matching
LOGS from server container:
With approval_points: 0
==> openxpki.log <==
2025/07/29 17:21:08 INFO Login successful (user: Anonymous, role: System)
[pid=630|sid=TOiz]
2025/07/29 17:21:08 INFO Login successful (user: Anonymous, role: System)
[pid=631|sid=rhNq]
==> catchall.log <==
2025/07/29 17:21:08 openxpki.auth.INFO Login successful (user: Anonymous, role:
System) [pid=630|sid=TOiz]
2025/07/29 17:21:08 openxpki.auth.INFO Login successful (user: Anonymous, role:
System) [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Rendering subject:
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Trusted Signer chain -
certificate is self signed [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Trusted Signer not found in trust
list (CN=device-seat-02). [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Eligibility check for
scep.generic.eligible.initial failed [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO persisted csr for
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 3583
[pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO start cert issue for serial 3583,
workflow 8191 [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Certificate
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org
(66109798994132440681422) issued by ca-signer-1 [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.cakey.INFO certificate
signedHASH(0x5b46adbbdee8) [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.entity.INFO certificate
issuedHASH(0x5b46adbbe938) [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Certificate metadata 'entity':
append (set) 'device-seat-02' [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Trigger notification message
enroll_cert_issued [pid=631|sid=rhNq]
==> workflows.log <==
2025/07/29 17:21:09 8191 Rendering subject: CN=device-seat-02,DC=Test
Deployment,DC=OpenXPKI,DC=org
2025/07/29 17:21:09 8191 Trusted Signer chain - certificate is self signed
2025/07/29 17:21:09 8191 Trusted Signer not found in trust list
(CN=device-seat-02).
2025/07/29 17:21:09 8191 Eligibility check for scep.generic.eligible.initial
failed
2025/07/29 17:21:10 8191 persisted csr for CN=device-seat-02,DC=Test
Deployment,DC=OpenXPKI,DC=org with csr_serial 3583
2025/07/29 17:21:10 8191 start cert issue for serial 3583, workflow 8191
2025/07/29 17:21:10 8191 Certificate CN=device-seat-02,DC=Test
Deployment,DC=OpenXPKI,DC=org (66109798994132440681422) issued by ca-signer-1
2025/07/29 17:21:10 8191 Certificate metadata 'entity': append (set)
'device-seat-02'
2025/07/29 17:21:10 8191 Trigger notification message enroll_cert_issued
==> audit.log <==
2025/07/29 17:21:10 openxpki.audit.cakey.INFO certificate
signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa
[pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.entity.INFO certificate
issued|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa
[pid=631|sid=rhNq]
With approval_points: 1
#After starting sscep enroll
==> openxpki.log <==
2025/07/29 18:11:22 INFO Login successful (user: Anonymous, role: System)
[pid=572|sid=X+nx]
2025/07/29 18:11:22 INFO Login successful (user: Anonymous, role: System)
[pid=573|sid=J2kQ]
==> catchall.log <==
2025/07/29 18:11:22 openxpki.auth.INFO Login successful (user: Anonymous, role:
System) [pid=572|sid=X+nx]
2025/07/29 18:11:22 openxpki.auth.INFO Login successful (user: Anonymous, role:
System) [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Rendering subject:
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trusted Signer chain -
certificate is self signed [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trusted Signer not found in trust
list (unstructuredName=pkiclient,CN=device-seat-12,DC=Test
Deployment,DC=OpenXPKI,DC=org). [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO validate challenge using compare
validated [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Eligibility check for
scep.generic.eligible.initial failed [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trigger notification message
enroll_approval_pending [pid=573|sid=J2kQ]
==> workflows.log <==
2025/07/29 18:11:23 14591 Rendering subject: CN=device-seat-12,DC=Test
Deployment,DC=OpenXPKI,DC=org
2025/07/29 18:11:23 14591 Trusted Signer chain - certificate is self signed
2025/07/29 18:11:23 14591 Trusted Signer not found in trust list
(unstructuredName=pkiclient,CN=device-seat-12,DC=Test
Deployment,DC=OpenXPKI,DC=org).
2025/07/29 18:11:23 14591 validate challenge using compare validated
2025/07/29 18:11:23 14591 Eligibility check for scep.generic.eligible.initial
failed
2025/07/29 18:11:23 14591 Trigger notification message enroll_approval_pending
#AFTER OPERATOR APPROVAL:
==> workflows.log <==
2025/07/29 18:11:34 14591 Unsigned approval for workflow 14591 by user rob,
role RA Operator
2025/07/29 18:11:34 14591 Approval points for workflow #14591: 1
2025/07/29 18:11:34 14591 persisted csr for CN=device-seat-12,DC=Test
Deployment,DC=OpenXPKI,DC=org with csr_serial 7423
2025/07/29 18:11:34 14591 start cert issue for serial 7423, workflow 14591
2025/07/29 18:11:35 14591 Certificate CN=device-seat-12,DC=Test
Deployment,DC=OpenXPKI,DC=org (136932346016803674230380) issued by ca-signer-1
2025/07/29 18:11:35 14591 Certificate metadata 'entity': append (set)
'device-seat-12'
2025/07/29 18:11:35 14591 Trigger notification message enroll_cert_issued
==> catchall.log <==
2025/07/29 18:11:34 openxpki.application.INFO Unsigned approval for workflow
14591 by user rob, role RA Operator [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.audit.approval.INFO operator approval
givenHASH(0x5e36a9f73b38) [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO Approval points for workflow
#14591: 1 [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO persisted csr for
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 7423
[pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO start cert issue for serial 7423,
workflow 14591 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Certificate
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org
(136932346016803674230380) issued by ca-signer-1 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.cakey.INFO certificate
signedHASH(0x5e36aa595c20) [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.entity.INFO certificate
issuedHASH(0x5e36aa430570) [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Certificate metadata 'entity':
append (set) 'device-seat-12' [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Trigger notification message
enroll_cert_issued [pid=586|sid=W+s1]
2025/07/29 18:11:44 openxpki.auth.INFO Login successful (user: Anonymous, role:
System) [pid=606|sid=tHA5]
==> audit.log <==
2025/07/29 18:11:34 openxpki.audit.approval.INFO operator approval
given|role=RA Operator|user=rob|wfid=14591 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.cakey.INFO certificate
signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa
[pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.entity.INFO certificate
issued|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa
[pid=586|sid=W+s1]
==> openxpki.log <==
2025/07/29 18:11:44 INFO Login successful (user: Anonymous, role: System)
[pid=606|sid=tHA5]
So... what am I possibly missing? Is there any way to enable more
verbosity in the server container?
Thanks!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users