Hi Christina,

I see, good to know. Thanks for the help.

Best,
Hayg

On Mon, Apr 11, 2016 at 7:05 PM, Christina Fu <[email protected]> wrote:

> Hi Hayg,
> Good to hear. To answer your previous question, caRouterCert.cfg is the
> default sscep enrollment profile. You can see the authentication by
> default using flatfile:
> auth.instance_id=flatFileAuth
> Earlier, I misunderstood you for removing that and rendering a manual
> approval.
>
> Christina
>
>
> On 04/11/2016 05:14 AM, [email protected] wrote:
>
> Hi Christina,
>
> I got this to work with sscep. It seems the IP in my flatfile was wrong. I
> think the main issue is the lack of a clear error message.
>
> Thanks for your help,
> Hayg
>
> On Mon, Apr 11, 2016 at 10:54 AM, <[email protected]> wrote:
>
>> Hi Christina,
>>
>> Thank you for your help.
>>
>> I think using SCEP there is no enrollment profile that I touch? I thought
>> setting up the flatfile.txt with the relevant values and modifying the
>> config to enable SCEP was all that I needed to do. My intention was for it
>> to be *automatically* approved because of the IP/password being present
>> in flatfile.txt
>>
>> Does that help? Sorry if I'm misunderstanding your questions.
>>
>> Thanks,
>> Hayg
>>
>> On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu <[email protected]> wrote:
>>
>>> Hi Hayg,
>>>
>>> I am running Fedora 22 so I'm not sure if there is any difference at all.
>>>
>>> I would like to understand your issue(s) better.
>>> When you said that your request failed because it was "getting
>>> deferred", does that mean you have it in the enrollment profile for manual
>>> approval? In other words, it was your intention to have the request
>>> manually approved by the CA agents?
>>> You realize that if you require manual agent approval, there is no
>>> option for sscep to "fetch" the already issued cert right?
>>>
>>> Or, did you not intend to have the request deferred and failed? In
>>> which case, you want to know why it failed? If so, do you have relevant
>>> debug log to give us some clue?
>>>
>>> Did I misunderstand your issue?
>>>
>>> Christina
>>>
>>>
>>> On 04/05/2016 02:57 AM, [email protected] wrote:
>>>
>>> Hello everyone,
>>>
>>> I've been trying to enroll with dogtag via SSCEP for the last few days
>>> to no avail and I've reached the end of my rope, so I'm reaching out for
>>> your help (which I very much would appreciate).
>>>
>>> I am running Ubuntu and my dogtag versions are:
>>> hayg@hayg:~$ dpkg -l | grep dogtag
>>>
>>>> ii  dogtag-pki                10.2.6-1  all  Dogtag Public Key Infrastructure (PKI) Suite
>>>> ii  dogtag-pki-console-theme  10.2.6-1  all  Certificate System - PKI Console User Interface
>>>> ii  dogtag-pki-server-theme   10.2.6-1  all  Certificate System - PKI Server User Interface
>>>
>>>
>>> My SSCEP:
>>> [~/sscep]$ cat VERSION
>>>
>>>> 0.6.1
>>>
>>>
>>> My flatfile.txt:
>>> hayg@hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
>>>
>>>> #UID:172.16.24.238
>>>> #PWD:1212
>>>> UID:10.129.25.186
>>>> PWD:secret
>>>
>>> (I restarted my pki-tomcatd service just in case, to make sure it took
>>> effect)
>>>
>>> On the SSCEP side I'm doing:
>>> ./sscep enroll -l cert.pem -r local.csr -k local.key -c astourian.crt -u 'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'
>>>
>>> This fails because the request is getting deferred and I have fail on
>>> defer set to true, per the docs.
>>>
>>> The request actually shows up in 'List Certificates' when I go to the
>>> web UI, but when I try to approve it, I get:
>>>
>>>> The Certificate System has encountered an unrecoverable error.
>>>> Error Message:
>>>>
>>>> *java.lang.NullPointerException*
>>>> Please contact your local administrator for assistance.
>>>
>>> When I try to resume the enrollment by adding the -R flag to sscep it
>>> fails with the following error in the logs:
>>>
>>>> CRSEnrollment: No certificate has been found
>>>
>>>
>>> My CSR:
>>> [~/sscep]$ openssl req -in local.csr -noout -text
>>>
>>>> Certificate Request:
>>>>     Data:
>>>>         Version: 0 (0x0)
>>>>         Subject: CN=10.129.25.186
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: rsaEncryption
>>>>                 Public-Key: (1024 bit)
>>>>                 Modulus:
>>>>                     00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
>>>>                     83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
>>>>                     f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
>>>>                     6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
>>>>                     1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
>>>>                     75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
>>>>                     5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
>>>>                     4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
>>>>                     19:93:02:84:40:09:40:44:b1
>>>>                 Exponent: 65537 (0x10001)
>>>>         Attributes:
>>>>             challengePassword        :secret
>>>>         Requested Extensions:
>>>>             X509v3 Subject Alternative Name: critical
>>>>                 IP Address:10.129.25.186
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>          7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
>>>>          8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
>>>>          4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
>>>>          05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
>>>>          16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
>>>>          af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
>>>>          f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
>>>>          ea:ae
>>>
>>>
>>> As you can see, the password is "secret" and the CN is the UID from
>>> flatfile.txt.
>>>
>>> I welcome you all to try enrolling with my server. I can then try
>>> approving and see if it works.
>>>
>>> Again, I very much appreciate all of your help. Please excuse my wall of
>>> text x_x
>>>
>>> Thanks,
>>> Hayg
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/pki-devel
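
The thread traces the deferred request to a wrong IP in flatfile.txt and notes that no clear error pointed at it. The following pre-flight check is an added example, not part of the thread and not Dogtag code; it parses the UID/PWD layout shown above and reports which condition fails. It assumes, as the thread implies, that flatFileAuth pairs each UID line with the PWD line after it and matches them against the client IP and the CSR challengePassword; `parse_flatfile` and `preflight` are hypothetical names.

```python
import ipaddress

# Sample input reproducing the flatfile.txt layout quoted in the thread:
# one commented-out pair followed by one active pair.
SAMPLE_FLATFILE = """\
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret
"""


def parse_flatfile(text):
    """Return (entries, problems); entries maps active UID -> PWD."""
    entries, problems, pending_uid = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry, as in the sample
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key not in ("UID", "PWD"):
            problems.append(f"line {lineno}: unrecognised entry")
        elif key == "UID":
            if pending_uid is not None:
                problems.append(f"UID {pending_uid} has no PWD line")
            pending_uid = value
        elif pending_uid is None:
            problems.append(f"line {lineno}: PWD without preceding UID")
        else:
            entries[pending_uid] = value
            pending_uid = None
    if pending_uid is not None:
        problems.append(f"UID {pending_uid} has no PWD line")
    return entries, problems


def preflight(text, client_ip, challenge_password):
    """Say whether a request from client_ip would match, and if not, why."""
    entries, problems = parse_flatfile(text)
    ip = str(ipaddress.ip_address(client_ip))  # raises on malformed input
    if ip not in entries:
        known = ", ".join(sorted(entries)) or "none"
        return False, problems + [f"no active UID for {ip} (active: {known})"]
    if entries[ip] != challenge_password:
        return False, problems + [f"challengePassword does not match PWD for {ip}"]
    return True, problems
```

Run it against the real file with the address the CA actually sees for the client (after any NAT or proxy), since that is the value that has to appear as the UID.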
