Michael Kopp wrote:
> Maybe somebody has a hint for me, or can tell me how I can debug this issue
> further 
>
what operations are you doing with the certificates
on the ca/ra side - changes in dn and so on...

some devices have special requirements for this
so the requests from cisco devices have combined attributes
(with "+" in the editform) - you should move them to the leftmost
entries, best on top of the others - like the entries for fqdn and ip,
mainly this should be: unstructuredAddress and unstructuredName

and for cisco devices you have to add some special sans (dns and ip)
which have the same values as the (unstructured) request attributes in
the dn area, so cisco requests usually have to be manipulated


but the sscep error looks like something isn't working as expected
sometimes it's a bit confusing which cert is for ra and ca in the
scep-client configuration... so maybe you should try for the sscep
client to change the certs used for encryption and ca parameters in the
config file, usually this can be a source of errors

so mainly it should be configuration and attribute problems, since we
have working installations - but unfortunately sometimes it's a bit
tricky... to get the first setup running

on the dev-list there is a posting from martin bartosch with a modified
scep-script, but this isn't working 100% in all environments either, but it
has better debugging options and more options for configuring the
scep-interface than the standard scep-interface available in the code
and it automates some of the required request changes for cisco
equipment (but like mentioned it isn't 100% tested either)


greetings
dalini


_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
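
An added example (not from the thread and not OpenCA code): a Python check for the requirement described in the reply above, that the dns and ip SANs carry the same values as the unstructured attributes in the request DN. The DN string syntax, the mapping of unstructuredName to DNS and unstructuredAddress to IP, the `DNS:`/`IP:` entry format and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Attribute names as mentioned in the reply; the mapping to SAN types is assumed.
NAME_ATTR = "unstructuredname"      # expected to be mirrored as a DNS SAN
ADDR_ATTR = "unstructuredaddress"   # expected to be mirrored as an IP SAN


def parse_dn(dn):
    """Split a DN string into RDNs. Each RDN is a list of (type, value)
    pairs, so a combined ("+") RDN yields more than one pair.
    Simplified: only backslash-escaped ',' and '+' are respected."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        pairs = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" not in ava:
                raise ValueError(f"malformed attribute: {ava!r}")
            typ, val = ava.split("=", 1)
            pairs.append((typ.strip(), val.strip()))
        rdns.append(pairs)
    return rdns


def expected_sans(dn):
    """SAN entries that should mirror the unstructured attributes in the DN."""
    sans = set()
    for rdn in parse_dn(dn):
        for typ, val in rdn:
            if typ.lower() == NAME_ATTR:
                sans.add(("DNS", val.lower()))
            elif typ.lower() == ADDR_ATTR:
                # Normalise so textual variants of one address compare equal.
                sans.add(("IP", str(ipaddress.ip_address(val))))
    return sans


def missing_sans(dn, san_list):
    """Return expected SANs that are absent from san_list ('DNS:x' / 'IP:y')."""
    present = set()
    for entry in san_list:
        kind, _, val = entry.partition(":")
        kind, val = kind.strip().upper(), val.strip()
        if kind == "IP":
            val = str(ipaddress.ip_address(val))
        elif kind == "DNS":
            val = val.lower()
        present.add((kind, val))
    return sorted(expected_sans(dn) - present)


# Constructed sample DN with a combined RDN, not taken from a real request.
SAMPLE_DN = ("unstructuredName=rtr1.example.test+"
             "unstructuredAddress=192.0.2.10,O=Example,C=AT")
```

An empty list from `missing_sans` means every unstructured attribute in the DN has a matching SAN entry; anything returned is a SAN that still has to be added before issuing.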
