Hi,
After digging for days, i have found out that SCEP does not support EC
keys, and changing the cert to a RSA based helped allot. However, not I am
stuck at a workflow problem and I dont
have a clue where to start.
Could someone point me in the right direction?
root@internal-ca02:/etc/openxpki/scep# cat default.conf
[global]
log_config = /etc/openxpki/scep/log.conf
log_facility = client.scep
service=LibSCEP
socket=/var/openxpki/openxpki.socket
realm=netic
iprange=0.0.0.0/0
servername=generic
encryption_algorithm=3DES
hash_algorithm=SHA256
root@internal-ca02:/etc/openxpki/config.d/realm/netic/scep# cat generic.yaml
# By default, all scep endpoints wll use the default token defined
# by the scep token group, if you pass a name here, it is considered
# a group name from the alias table
#token: scep-altra
# A renewal request is only accpeted if the used certificate will
# expire within this period of time.
renewal_period: 000060
# If the request was a replacement, optionally revoke the replaced
# certificate after a grace period
revoke_on_replace:
reason_code: keyCompromise
delay_revocation_time: +000014
workflow:
type: certificate_enroll
param:
# key: name in workflow context, value: parameter from scep wrapper
# server and interface are always set, the mapping below is
# the default set that is used when no map is given
transaction_id: transaction_id
signer_cert: signer_cert
pkcs10: pkcs10
_url_params: url_params
#_pkcs7: pkcs7
authorized_signer:
rule1:
# Full DN
subject: CN=.+:pkiclient,.*
# rule2:
# Full DN
# profile: netic_server
# realm: netic
# subject: CN=my.scep.enroller.com:generic,.*
policy:
# Authentication Options
# Initial requests need ONE authentication.
# Activate Challenge Password and/or HMAC by setting the appropriate
# options below.
# if set requests can be authenticated by an operator
allow_man_authen: 1
# if set, no authentication is required at all and hmac/challenge is
# not evaluated even if it is set/present in the request!
allow_anon_enroll: 1
# Approval
# If not autoapproved, allow opeerator to add approval by hand
allow_man_approv: 1
# if the eligibiliyt check failed the first time
# show a button to run a recheck (Workflow goes to PENDING)
allow_eligibility_recheck: 1
# Approval points requirede (eligibity and operator count as one point
each)
# if you set this to "0", all authenticated requests are auto-approved!
approval_points: 1
# The number of active certs with the same subject that are allowed
# to exist at the same time, deducted by one if a renewal is seen
# set to 0 if you dont want to check for duplicates at all
max_active_certs: 1
# option will be removed
# allow_expired_signer: 0
# If an initial enrollment is seen
# all existing certificates with the same subject are revoked
auto_revoke_existing_certs: 1
# allows a "renewal" outside the renewal window, the notafter date
# is aligned to the old certificate. Set revoke_on_replace option
# to revoke the replaced certificate.
# This substitutes the "replace_window" from the OpenXPKI v1 config
allow_replace: 1
response:
# The scep standard is a bit unclear if the root should be in the chain
# or not. We consider it a security risk (trust should be always set
# by hand) but as most clients seem to expect it, we include the root
# by default.
# The getca response contains the certificate of the SCEP server itself
# and of the current active issuer (which can but need not to be the
same!)
# You can define weather to have only the certificate itself
(endentity),
# the chain without the root (chain) or the chain including the root
# (fullchain).
# Note: The response is cached internally in the datapool so changes
# will not show up immediately - to list the cached items use
# openxpkicli list_data_pool_entries --arg namespace=scep.cache.getca
# You can delete by setting the empty string as value with
# set_data_pool_entry (value="" force=1)
getca:
ra: fullchain
issuer: fullchain
profile:
cert_profile: netic_server
cert_subject_style: enroll
# Mapping of names to OpenXPKI profiles to be used with the
# Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
profile_map:
pc-client: netic_user
# HMAC based authentication
hmac: Netic!
challenge:
value: Netic!
eligible:
initial:
value@: connector:scep.generic.connector.initial
args: '[% context.cert_subject_parts.CN.0 %]'
expect:
- Build
- New
renewal:
value: 1
onbehalf:
value: 1
connector:
initial:
class: Connector::Proxy::YAML
# this file must have a key/value list with the key being
# the subject and the value being a true value
# e.g. "pc1234.example.org: 1"
LOCATION: /etc/openxpki/cmdb.yaml
scep.log:
2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with GetCACaps
[pid=81]
2021/01/29 12:34:50 DEB Response send [pid=81]
2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with
PKIOperation [pid=81]
2021/01/29 12:34:50 ERR SCEP response is empty [pid=81]
catch-all.log:
2021/01/29 13:35:17 openxpki.application.INFO LibSCEP PKIOperation; message
type: PKCSReq [pid=57|sid=PYVL]
2021/01/29 13:35:17 openxpki.application.INFO SCEP incoming request, id
60107490989072451039833240777151525638461989712167481202488830552887682520023
[pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
2021/01/29 13:35:17 openxpki.system.ERROR
I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED;
__DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ =>
60107490989072451039833240777151525638461989712167481202488830552887682520023
[pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
2021/01/29 13:35:17 openxpki.system.ERROR Error executing SCEP command
'PKIOperation':
I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED;
__DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ =>
60107490989072451039833240777151525638461989712167481202488830552887682520023
[pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
Med venlig hilsen / Best regards
*Netic A/S*
Per Abildgaard Toft
Senior Consultant
Mail [email protected]
Telefon +45 7777 0861
Web http://netic.dk
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
