Hi Oliver,

as soon as I leave out the eMail, I can approve the request and issue the certificate in the web UI. The SCEP client is waiting for the issued certificate and requests the certificate after the specified waiting time. Please find attached the CSR and the key. Both were generated using this exact line:

openssl req -new -keyout tmpscep/certs/scep-test.key -out tmpscep/certs/scep-test.csr \
  -newkey rsa:4096 -nodes \
  -subj "/C=DE/ST=Hessen/L=MyCity/O=My Company/OU=Infrastructure/CN=testclient01"

Unfortunately it then runs into another error:

sscep enroll -u http://cs-pki-brem-p.pribas/scep/scep -k tmpscep/certs/scep-test.key \
  -r tmpscep/certs/scep-test.csr -c tmpscep/ca/cacert-0 -l tmpscep/certs/scep-test.crt -t 20

sscep: sending certificate request
sscep: valid response from server
sscep: reply transaction id: 3959846ABECC7FD216EF652271A90158
sscep: pkistatus: PENDING
sscep: requesting certificate (#1)
sscep: error while sending message
The corresponding catchall.log:

2020/03/12 13:35:49 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=1226|sid=UJVG]
2020/03/12 13:35:49 openxpki.application.INFO SCEP incoming request, id 3959846ABECC7FD216EF652271A90158 [pid=1226|sid=UJVG|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:49 openxpki.application.INFO SCEP try to start new workflow for 3959846ABECC7FD216EF652271A90158 [pid=1226|sid=UJVG|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:50 openxpki.application.INFO Rendering subject: CN=testclient01,OU=Infrastructure,O=My Company,L=MyCity,ST=Hessen,C=DE [pid=1226|sid=UJVG|wftype=certificate_enroll|wfid=23551|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:50 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=1226|sid=UJVG|wftype=certificate_enroll|wfid=23551|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:50 openxpki.application.INFO Trusted Signer not found in trust list (CN=testclient01,OU=Infrastructure,O=My Company,L=MyCity,ST=Hessen,C=DE). [pid=1226|sid=UJVG|wftype=certificate_enroll|wfid=23551|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:51 openxpki.application.WARN challenge password is empty [pid=1226|sid=UJVG|wftype=certificate_enroll|wfid=23551|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:51 openxpki.application.INFO SCEP started new workflow with id 23551, state MANUAL_AUTHORIZATION [pid=1226|sid=UJVG|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:51 openxpki.application.INFO SCEP 23551 in state MANUAL_AUTHORIZATION, send pending reply [pid=1226|sid=UJVG|sceptid=3959846ABECC7FD216EF652271A90158]
2020/03/12 13:35:59 openxpki.application.INFO Eligibility check for scep.generic.eligible.initial failed [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:35:59 openxpki.application.INFO Trigger notification message enroll_approval_pending [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:01 openxpki.application.INFO Unsigned approval for workflow 23551 by user dheitepriem, role RA Operator [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:01 openxpki.audit.approval.INFO operator approval givenHASH(0x563924305330) [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:01 openxpki.application.INFO Approval points for workflow 23551: 1 [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:01 openxpki.application.INFO persisted csr for CN=testclient01,OU=Infrastructure,O=My Company,L=MyCity,ST=Hessen,C=DE with csr_serial 3839 [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:01 openxpki.application.INFO start cert issue for serial 3839, workflow 23551 [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:02 openxpki.application.INFO Certificate CN=testclient01,OU=Infrastructure,O=My Company,L=MyCity,ST=Hessen,C=DE (70830397426985961206368) issued by ca-signer-1 [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:02 openxpki.audit.cakey.INFO certificate signedHASH(0x5639244a5e68) [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:02 openxpki.audit.entity.INFO certificate issuedHASH(0x563923ff0a50) [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
2020/03/12 13:36:02 openxpki.application.INFO Trigger notification message enroll_cert_issued [pid=1192|sid=2Ht6|wftype=certificate_enroll|wfid=23551]
The certificate is issued correctly, but when the SCEP client requests the cert, the error occurs:

2020/03/12 13:36:11 openxpki.system.ERROR message_static_functions.c:282: Unreadable Issuer and Subject data in encrypted content
LibSCEP.xs:1197: scep_unwrap failed
139782233915840:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139782233915840:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS7_ISSUER_AND_SUBJECT
[pid=1231|sid=otUb]
2020/03/12 13:36:11 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:282: Unreadable Issuer and Subject data in encrypted content
LibSCEP.xs:1197: scep_unwrap failed
139782233915840:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139782233915840:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS7_ISSUER_AND_SUBJECT
[pid=1231|sid=otUb]
2020/03/12 13:36:11 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:282: Unreadable Issuer and Subject data in encrypted content
LibSCEP.xs:1197: scep_unwrap failed
139782233915840:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139782233915840:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS7_ISSUER_AND_SUBJECT
[pid=1231|sid=otUb]

When I run the SCEP client with debug enabled, I can see that it receives the status code "500" from Apache, which would fit the error in catchall.log.
Regards,
Daniel
On 12.03.20 at 13:13, Oliver Welter wrote:
> Hi Daniel,
>
> this tells me that the request was not recognized as "self signed". Can
> you please open the "Context" view (Button on the right when logged in
> as operator) and check what you see there as "csr_subject"?
>
> If possible, can you send me either the CSR and the key or the exact
> line you used to generate the request? You can also try to leave out the
> eMail in the DN (it's deprecated anyway and we don't have this in our tests).
>
> Oliver
>
> On 12.03.20 at 09:45, Daniel Heitepriem wrote:
>> Hi Oliver,
>>
>> thanks for your answer. I opened the workflow on the UI and this is
>> the information I can see:
>>
>> Error Code: Requester is not in authorized signer list.
>> Certificate Subject: CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE
>> SCEP Endpoint: generic
>> Server Interface: scep
>> Certificate Profile: TLS/Web Server
>> Request Mode: onbehalf
>> Transaction ID: B9E90613A28A3072642C13ADAC28DBFB
>> Signer is Revoked: No
>> Signer is Trusted: No
>> Signer is Authorized: No
>> Signer Validity ok: Yes
>>
>> And the workflow is in "FAILURE" state after this:
>>
>> Workflow Id: 21247 <https://cs-pki-brem-p/openxpki/#/openxpki/workflow!load!wf_id!21247>
>> Type: certificate_enroll
>> Creator: generic
>> State: FAILURE
>> Action: -
>> Run State: finished
>>
>> The Technical Log shows:
>>
>> Timestamp                 Priority  Message
>> 2020-03-12 08:39:07 UTC   INFO      Trusted Signer not found in trust list ([email protected],CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE). ([undef])
>> 2020-03-12 08:39:07 UTC   INFO      Trusted Signer chain - certificate is self signed ([undef])
>> 2020-03-12 08:39:07 UTC   INFO      Rendering subject: CN=testclient.lan,OU=Infrastructure,O=MyOrganization,L=MyCity,ST=Hessen,C=DE ([undef])
>>
>> Best regards,
>> Daniel
>>
>> On 12.03.20 at 08:11, Oliver Welter wrote:
>>> Hi Daniel,
>>>
>>> the "Signer not Trusted" is just an info and not the root cause of the
>>> FAILURE. Open the workflow on the UI and check for the error message
>>> there. The default settings should hold the workflow in PENDING for
>>> manual approval.
>>>
>>> Also see
>>> https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/scep.html
>>>
>>> Oliver
>>>
>>> On 11.03.20 at 13:00, Daniel Heitepriem wrote:
>>>> Hi everyone,
>>>>
>>>> I recently started playing around with OpenXPKI. Using the Quickstart
>>>> guide
>>>> (https://openxpki.readthedocs.io/en/latest/quickstart.html#debian-builds)
>>>> and the sampleconfig.sh script, I managed to set up my own 'testca', which
>>>> replaced the 'democa'. Issuing certificates via the web UI is working
>>>> fine, so now I tried to implement SCEP.
>>>>
>>>> Enabling the SCEP service and endpoints was working without any issues
>>>> (didn't have to adjust any config files for this so far), but I'm stuck
>>>> at the step where it says "Testing an enrollment" from the quickstart
>>>> guide. Here are my steps so far:
>>>>
>>>> 1. Get the CA certificates of 'testca' by issuing
>>>>    "./sscep getca -c tmp/cacert -u http://my-pki-host.lan/scep/scep", which got me
>>>>    * cacert-0 (SCEP cert signed by 'Test Issuing CA' with content "Subject: CN = my-pki-host.lan:scep-ra")
>>>>    * cacert-1 (Test Issuing CA cert signed by 'Test Root CA')
>>>>    * cacert-2 (Test Root CA cert)
>>>> 2. Create a new CSR for a testclient:
>>>>    openssl req -new -keyout tmp/scep-test.key -out tmp/scep-test.csr -newkey rsa:2048 -nodes \
>>>>      -subj "/C=DE/ST=Hessen/L=MyCity/O=My Organization/OU=Infrastructure/CN=testclient.lan/[email protected]"
>>>>    - No ChallengePassword is provided
>>>> 3. Enroll the request (sscep writes the issued certificate to the -l file):
>>>>    sscep enroll -u http://my-pki-host.lan/scep/scep -c tmp/cacert-0 -k tmp/scep-test.key \
>>>>      -r tmp/scep-test.csr -l tmp/scep-test.crt -t 10 -n 1
>>>>
>>>> Step 3 fails with
>>>>
>>>> sscep: pkistatus: FAILURE
>>>> sscep: finding attribute failInfo
>>>> sscep: allocating 1 bytes for attribute
>>>> sscep: reason: Transaction not permitted or supported
>>>>
>>>> and in the OpenXPKI workflow log I can see
>>>>
>>>> 2020/03/11 12:49:39 17663 Rendering subject: CN=testclient.lan,DC=organization,DC=com
>>>> 2020/03/11 12:49:39 17663 Trusted Signer chain - certificate is self signed
>>>> 2020/03/11 12:49:40 17663 Trusted Signer not found in trust list (E=my@email-address,CN=testclient.lan,OU=Infrastructure,O=My Organization,L=MyCity,ST=Hessen,C=DE).
>>>>
>>>> The SCEP certificate (cacert-0) is listed as an alias when querying the
>>>> tokens of my testca
>>>>
>>>> sudo openxpkiadm alias --realm testca
>>>> === functional token ===
>>>> scep (scep):
>>>> Alias : scep-1
>>>> Identifier: TrifLXXX
>>>> NotBefore : 2020-03-03 15:15:33
>>>> NotAfter : 2021-03-03 15:15:33
>>>>
>>>> Can somebody shed some light as to how I can create a "Trusted Signer
>>>> chain" or how to enable anonymous enrollment for testing purposes? I
>>>> suppose this somehow has to be enabled in
>>>> "/etc/openxpki/config.d/realm/testca/scep/generic.yaml", right?
>>>>
>>>> Thanks and regards,
>>>> Daniel
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenXPKI-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>>
>>>
>>
>>
--
Mit freundlichen Gruessen / Best regards
Daniel Heitepriem
System Administrator
pribas airline solutions GmbH
Valterweg 24-25
D-65817 Eppstein-Bremthal
GERMANY
+49 6198 57146-400
[email protected]
https://airline.pribas.com
Corporate Headquarters: Eppstein-Bremthal Managing Director: Arnulf Pribas
Registration: Amtsgericht Königstein HRB9775 Tax ID: DE317061632
Attachments:
  scep-test.csr (application/pkcs10)
  scep-test.key (application/iwork-keynote-sffkey)
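An added example (not part of this thread, nor code from OpenXPKI or sscep) of the client-side checks worth running on a CSR before the next enrollment attempt. It rebuilds the request for the DN used in this mail from an openssl config section instead of -subj, once without and once with a SCEP challengePassword attribute (the RA logged "challenge password is empty" above and parked workflow 23551 in MANUAL_AUTHORIZATION), prints the subject in the reversed RFC 2253 order that appears in the log after "Rendering subject:", tests whether the attribute is present, and confirms that key and CSR belong together and that the request's self-signature verifies. Assumptions: openssl 1.1.1 or 3.x on PATH; the password, file names and working directory are made up; rsa:2048 replaces the rsa:4096 from the mail to keep it quick.

```shell
#!/bin/sh
# Added example, not from the thread: build the test CSR with and without a
# SCEP challengePassword attribute and check, on the client, what the RA gets.
# Assumes openssl (1.1.1 or 3.x) on PATH. Password and file names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_csr NAME [CHALLENGE]: key + CSR for the DN used in the thread.
# With prompt=no, openssl req takes DN and attribute values from the config,
# so the challenge password is neither prompted for nor visible in the
# process list the way a -subj string is.
make_csr() {
  name="$1"
  challenge="${2:-}"
  cfg="$WORK/$name.cnf"
  {
    echo "[ req ]"
    echo "prompt = no"
    echo "distinguished_name = dn"
    if [ -n "$challenge" ]; then
      echo "attributes = attrs"
    fi
    echo "[ dn ]"
    echo "C = DE"
    echo "ST = Hessen"
    echo "L = MyCity"
    echo "O = My Company"
    echo "OU = Infrastructure"
    echo "CN = testclient01"
    if [ -n "$challenge" ]; then
      echo "[ attrs ]"
      echo "challengePassword = $challenge"
    fi
  } > "$cfg"
  # rsa:2048 keeps the example fast; the thread used rsa:4096.
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# csr_subject CSR: the DN in the reversed RFC 2253 form that OpenXPKI logs
# after "Rendering subject:" (CN first, C last, comma separated).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_has_challenge CSR: true if the PKCS#10 attribute set carries a
# challengePassword; without it the RA warned "challenge password is empty".
csr_has_challenge() {
  openssl req -in "$1" -noout -text | grep -q 'challengePassword'
}

# key_matches_csr KEY CSR: the public key derived from KEY must equal the
# public key embedded in the CSR, i.e. KEY is the key the request was made with.
key_matches_csr() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  csr_pub="$(openssl req -in "$2" -noout -pubkey 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# csr_verify CSR: the request's self-signature over its body must verify.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone demonstration: one request like the one in the mail (no
# challenge), one with a made-up challenge password.
make_csr plain
make_csr withpw "s3cr3t-made-up"
echo "subject as the RA renders it: $(csr_subject "$WORK/plain.csr")"
for n in plain withpw; do
  if csr_has_challenge "$WORK/$n.csr"; then
    echo "$n.csr: carries a challengePassword attribute"
  else
    echo "$n.csr: no challengePassword (in the thread this led to MANUAL_AUTHORIZATION)"
  fi
done
if key_matches_csr "$WORK/withpw.key" "$WORK/withpw.csr" && csr_verify "$WORK/withpw.csr"; then
  echo "withpw.key belongs to withpw.csr and the request signature verifies"
fi
echo "files left in $WORK"
```

Whether an endpoint then auto-approves a request that carries a challengePassword, or still holds it for an RA operator, is decided by the realm's SCEP configuration on the server; these checks only establish what the client actually sent, which is the half of the problem a CSR attachment lets the list reader verify.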
