Hi Oliver,

Thank you for your quick response. I commented out set_mode_onbehalf under SIGNED_REQUEST in the workflow located at /etc/openxpki/config.d/realm.tpl/workflow/def/certificate_enroll.yaml and now OpenXPKI issues a certificate. I'm running into another issue that I think has to do with (but not sure) the fact that the certificate profile used to generate the certificate doesn't conform to Apple's requirements: https://support.apple.com/en-us/HT210176

Hopefully, setting the right info in the profile does the trick. Thank you again.

--
Robert

> On Aug 11, 2020, at 10:23 PM, Oliver Welter <[email protected]> wrote:
>
> Hi Robert,
>
> IIRC the MacOS enrollments are done with an "on behalf" certificate
> which triggers a different branch in the workflow. Can you check the
> workflow history for a state named "START INITIAL" or "START ONBEHALF" -
> if it's onbehalf you need to modify the workflow to not use the ONBEHALF
> branch or change your enrollment logic to not use the onbehalf-signer.
>
> Oliver
>
> Am 12.08.20 um 01:20 schrieb Robert Sepulveda:
>> Hi,
>>
>> I've set up a POC OpenXPKI server to test SCEP with MacOS. I'm running into a
>> "Trusted Signer not found in trust list" issue. I've gone through this mailing
>> list and found some posts saying that I can remove the authorized_signer
>> rules, set allow_anon_enroll: 1, and eligible: initial: 1. I'm still
>> running into this issue when I try to enroll.
>>
>> Am I missing something?
>>
>> Thank you kindly.
>>
>> catchall.log error:
>>
>> 2020/08/07 14:07:49 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=1502|sid=4w4c]
>> 2020/08/07 14:07:49 openxpki.application.INFO SCEP incoming request, id A18E6708F349D6D1E990851C1A09444ED5C75B16 [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.INFO SCEP try to start new workflow for A18E6708F349D6D1E990851C1A09444ED5C75B16 [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.INFO Rendering subject: CN=test2,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer not found in trust list (C=US,CN=MDM SCEP SIGNER B8037F9D-5635-44B4-8A46-A086841BB8DD). [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.INFO SCEP started new workflow with id 7935, state FAILURE [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>> 2020/08/07 14:07:49 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
>>
>>
>> generic.yaml:
>>
>> # By default, all scep endpoints will use the default token defined
>> # by the scep token group, if you pass a name here, it is considered
>> # a group name from the alias table
>> #token: scep-altra
>>
>> # A renewal request is only accepted if the used certificate will
>> # expire within this period of time.
>> renewal_period: 000060
>>
>> # If the request was a replacement, optionally revoke the replaced
>> # certificate after a grace period
>> revoke_on_replace:
>>     reason_code: keyCompromise
>>     delay_revocation_time: +000014
>>
>>
>> workflow:
>>     type: certificate_enroll
>>     param:
>>         # key: name in workflow context, value: parameter from scep wrapper
>>         # server and interface are always set, the mapping below is
>>         # the default set that is used when no map is given
>>         transaction_id: transaction_id
>>         signer_cert: signer_cert
>>         pkcs10: pkcs10
>>         _url_params: url_params
>>         #_pkcs7: pkcs7
>>
>> authorized_signer:
>>
>> policy:
>>     # Authentication Options
>>     # Initial requests need ONE authentication.
>>     # Activate Challenge Password and/or HMAC by setting the appropriate
>>     # options below.
>>
>>     # if set requests can be authenticated by an operator
>>     allow_man_authen: 1
>>
>>     # if set, no authentication is required at all and hmac/challenge is
>>     # not evaluated even if it is set/present in the request!
>>     allow_anon_enroll: 1
>>
>>     # Approval
>>     # If not autoapproved, allow operator to add approval by hand
>>     allow_man_approv: 1
>>
>>     # if the eligibility check failed the first time
>>     # show a button to run a recheck (Workflow goes to PENDING)
>>     allow_eligibility_recheck: 0
>>
>>     # Approval points required (eligibility and operator count as one point each)
>>     # if you set this to "0", all authenticated requests are auto-approved!
>>     approval_points: 1
>>
>>     # The number of active certs with the same subject that are allowed
>>     # to exist at the same time, deducted by one if a renewal is seen
>>     # set to 0 if you don't want to check for duplicates at all
>>     max_active_certs: 1
>>
>>     # option will be removed
>>     # allow_expired_signer: 0
>>
>>     # If an initial enrollment is seen
>>     # all existing certificates with the same subject are revoked
>>     auto_revoke_existing_certs: 1
>>
>>     # allows a "renewal" outside the renewal window, the notafter date
>>     # is aligned to the old certificate. Set revoke_on_replace option
>>     # to revoke the replaced certificate.
>>     # This substitutes the "replace_window" from the OpenXPKI v1 config
>>     allow_replace: 1
>>
>> response:
>>     # The scep standard is a bit unclear if the root should be in the chain
>>     # or not. We consider it a security risk (trust should be always set
>>     # by hand) but as most clients seem to expect it, we include the root
>>     # by default.
>>     # The getca response contains the certificate of the SCEP server itself
>>     # and of the current active issuer (which can but need not be the same!)
>>     # You can define whether to have only the certificate itself (endentity),
>>     # the chain without the root (chain) or the chain including the root
>>     # (fullchain).
>>     # Note: The response is cached internally in the datapool so changes
>>     # will not show up immediately - to list the cached items use
>>     # openxpkicli list_data_pool_entries --arg namespace=scep.cache.getca
>>     # You can delete by setting the empty string as value with
>>     # set_data_pool_entry (value="" force=1)
>>     getca:
>>         ra: endentity
>>         issuer: endentity
>>
>>
>> profile:
>>     cert_profile: tls_server
>>     cert_subject_style: enroll
>>
>>     # Mapping of names to OpenXPKI profiles to be used with the
>>     # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
>>     profile_map:
>>         pc-client: tls_client
>>
>> # HMAC based authentication
>> hmac: verysecret
>>
>> challenge:
>>     value: SecretChallenge
>>
>> eligible:
>>     initial:
>>         value: 1
>>
>>     renewal:
>>         value: 1
>>
>>     onbehalf:
>>         value: 1
>>
>>
>> connector:
>>     initial:
>>         class: Connector::Proxy::YAML
>>         # this file must have a key/value list with the key being
>>         # the subject and the value being a true value
>>         # e.g. "pc1234.example.org: 1"
>>         LOCATION: /home/pkiadm/cmdb.yaml
>>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
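As an added example (not code from the thread or from OpenXPKI itself), a small Python parser for the catchall.log lines quoted above: it groups SCEP log lines by sceptid and reports whether a workflow failed because the request signer was rejected as untrusted, which is the self-signed MDM "on behalf" signer case Oliver describes. The sample log is constructed from the lines in Robert's mail, and the line layout (timestamp, logger, message, trailing [k=v|k=v] context) is assumed from those lines.

```python
import re

# Constructed from the catchall.log lines quoted in the thread (one failed MDM enrollment).
SAMPLE_LOG = """\
2020/08/07 14:07:49 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=1502|sid=4w4c]
2020/08/07 14:07:49 openxpki.application.INFO SCEP incoming request, id A18E6708F349D6D1E990851C1A09444ED5C75B16 [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Rendering subject: CN=test2,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO Trusted Signer not found in trust list (C=US,CN=MDM SCEP SIGNER B8037F9D-5635-44B4-8A46-A086841BB8DD). [pid=1502|sid=4w4c|wftype=certificate_enroll|wfid=7935|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.INFO SCEP started new workflow with id 7935, state FAILURE [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
2020/08/07 14:07:49 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=1502|sid=4w4c|sceptid=A18E6708F349D6D1E990851C1A09444ED5C75B16]
"""

# Assumed line layout: "<date> <time> openxpki.application.<LEVEL> <message> [k=v|k=v|...]"
LINE_RE = re.compile(r"^(\S+ \S+) openxpki\.application\.(\w+) (.*?) \[([^\]]*)\]$")
SIGNER_RE = re.compile(r"Trusted Signer not found in trust list \(([^)]*)\)")
STATE_RE = re.compile(r"started new workflow with id (\d+), state (\w+)")

def parse_line(line):
    """Split one log line into timestamp, level, message and the [k=v|k=v] context."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m.group(4).split("|") if "=" in kv)
    return {"ts": m.group(1), "level": m.group(2), "msg": m.group(3), **ctx}

def summarize_enrollments(log_text):
    """Group lines by SCEP transaction id (sceptid) and record what decided the outcome."""
    txns = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "sceptid" not in rec:   # lines logged before a transaction id exists
            continue
        t = txns.setdefault(rec["sceptid"], {"subject": None, "signer": None, "self_signed": False, "state": None, "wfid": None})
        msg = rec["msg"]
        if msg.startswith("Rendering subject: "):
            t["subject"] = msg[len("Rendering subject: "):]
        elif "certificate is self signed" in msg:
            t["self_signed"] = True
        elif (m := SIGNER_RE.search(msg)):
            t["signer"] = m.group(1)          # signer DN that was rejected as untrusted
        elif (m := STATE_RE.search(msg)):
            t["wfid"], t["state"] = int(m.group(1)), m.group(2)
    return txns

def diagnose(t):
    """Operator-facing verdict: FAILURE plus an untrusted signer is the on-behalf case, not a bad CSR."""
    if t["state"] == "FAILURE" and t["signer"]:
        kind = "self-signed" if t["self_signed"] else "chained"
        return f"FAILED wf {t['wfid']}: {kind} signer '{t['signer']}' not in trust list ({t['subject']})"
    return f"{t['state']} wf {t['wfid']} for {t['subject']}"
```

Run `diagnose(summarize_enrollments(SAMPLE_LOG)["A18E6708F349D6D1E990851C1A09444ED5C75B16"])` to get the one-line verdict for the enrollment from the thread; pointing it at a real catchall.log shows which failures are signer-trust rejections versus other errors.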
