Hi,

I set up the...

scep.SERVER.policy.allow_anon_enroll: 1

...and it doesn't seem to make any difference. Still get the same error response.

For the step immediately before the scep-enroll (generating the key, etc), apart from the challenge secret specified in the online doc, is there anything special that I should be entering in as all the other fields I am prompted for?

Regarding the security concern, this is a test server setup for proof of concept.

Regards,

Darcy

Darcy Watkins :: Senior Staff Engineer, Firmware
SIERRA WIRELESS
Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100
13811 Wireless Way :: Richmond, BC Canada V6V 3A4
[email protected] :: www.sierrawireless.com

-----Original Message-----
From: Martin Bartosch <[email protected]>
Sent: October-27-18 7:19 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] FW: SCEP server setup

Hi,

> I followed the instructions at
> https://openxpki.readthedocs.io/en/latest/quickstart.html
> to setup a test server configuration and can log in, etc. I built an sscep
> client to test the SCEP service. Everything appears to work OK up to the
> last stage.
>
> For the last stage,
>
> sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
>   -k tmp/scep-test.key -r tmp/scep-test.csr \
>   -c tmp/cacert-0 \
>   -l tmp/scep-test.crt \
>   -t 10 -n 1
>
> I get the following error:
>
> sscep: sending certificate request
> sscep: valid response from server
> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
> sscep: pkistatus: FAILURE
> sscep: reason: Transaction not permitted or supported

The command you use tries to perform an anonymous initial enrollment against the SCEP server. The OpenXPKI team believes that certificate enrollment should be both authenticated and authorized, hence anonymous SCEP initial enrollment is disabled by default.

If you wish to allow this, set

scep.SERVER.policy.allow_anon_enroll: 1

in your configuration. You should consider the security implications for production deployments.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
