Hi everyone,

I recently started playing around with OpenXPKI. Using the Quickstart
guide
(https://openxpki.readthedocs.io/en/latest/quickstart.html#debian-builds)
and the sampleconfig.sh script, I managed to set up my own 'testca' which
replaced the 'democa'. Issuing certificates via the web UI is working
fine, so now I tried to implement SCEP.

Enabling the SCEP service and endpoints was working without any issues
(didn't have to adjust any config files for this so far), but I'm stuck
at the step where it says "Testing an enrollment" from the quickstart
guide. Here are my steps so far:

 1. Get the CA certificates of 'testca' by issuing "./sscep getca -c
    tmp/cacert -u http://my-pki-host.lan/scep/scep", which got me
      * cacert-0 (SCEP cert signed by 'Test Issuing CA' with content
        "Subject: CN = my-pki-host.lan:scep-ra")
      * cacert-1 (Test Issuing CA cert signed by 'Test Root CA')
      * cacert-2 (Test Root CA cert)
 2. Create a new CSR for a testclient: "openssl req -new -keyout
    tmp/scep-test.key -out tmp/scep-test.csr -newkey rsa:2048 -nodes
    -subj "/C=DE/ST=Hessen/L=MyCity/O=My
    Organization/OU=Infrastructure/CN=testclient.lan/[email protected]""
    - No ChallengePassword is provided
 3. Enroll the request: "sscep enroll -u http://my-pki-host.lan/scep/scep
    -c tmp/cacert-0 -k tmp/scep-test.key -r tmp/scep-test.csr -c
    tmp/scep-test.crt -t 10 -n 1"

Step 3 fails with

    sscep: pkistatus: FAILURE
    sscep: finding attribute failInfo
    sscep: allocating 1 bytes for attribute
    sscep: reason: Transaction not permitted or supported

and in the OpenXPKI workflow log I can see

    2020/03/11 12:49:39 17663 Rendering subject: CN=testclient.lan,DC=organization,DC=com
    2020/03/11 12:49:39 17663 Trusted Signer chain - certificate is self signed
    2020/03/11 12:49:40 17663 Trusted Signer not found in trust list (E=my@email-address,CN=testclient.lan,OU=Infrastructure,O=My Organization,L=MyCity,ST=Hessen,C=DE).

The SCEP certificate (cacert-0) is listed as an alias when querying the
tokens of my testca:

    sudo openxpkiadm alias --realm testca
    === functional token ===
    scep (scep):
      Alias     : scep-1
      Identifier: TrifLXXX
      NotBefore : 2020-03-03 15:15:33
      NotAfter  : 2021-03-03 15:15:33

Can somebody shed some light as to how I can create a "Trusted Signer
chain" or how to enable anonymous enrollment for testing purposes? I
suppose this somehow has to be enabled in
"/etc/openxpki/config.d/realm/testca/scep/generic.yaml", right?

Thanks and regards,
Daniel
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users