Hello,
we're trying to enroll with SCEP a newly created certificate, using a
cryptlib-based client, on an OpenXPKI server on the default realm called
"democa". We expect to have an initial enrolment, but instead, according to the
workflow, we reach state "START_RENEWAL" after "SIGNED_REQUEST". In the workflow
the CSR is not considered as self-signed, leading to this issue.
The newly created certificate has a new transaction_id and a new DN and common
name.
What possible reason could lead to this issue?

Thanks.


Workflow Context:

cert_profile                    tls_server
cert_subject                    CN=20210506-C-220638,DC=Test Deployment,DC=OpenXPKI,DC=org
cert_subject_parts
    C                           FR
    CN                          20210506-C-220638
    O                           MYORGANISATION
    OU                          MYUNIT
cert_subject_style              enroll
creator                         generic
csr_digest_alg                  sha256
csr_key_alg                     rsa
csr_key_params
    key_length                  4096
csr_subject                     CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
csr_subject_key_identifier      A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0
error_code                      Renewal request is for certificate from foreign realm!
interface                       scep
p_allow_anon_enroll             0
p_allow_eligibility_recheck     1
p_allow_man_approv              1
p_allow_man_authen              0
p_allow_replace                 1
p_approval_points               0
p_auto_revoke_existing_certs    1
p_max_active_certs              1
pkcs10
req_attributes
    challengePassword           xxxxXXXXxxxxXXXX
request_mode                    renewal
server                          generic
signer_authorized               0
signer_cert
signer_in_current_realm         0
signer_revoked                  0
signer_subject                  CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
signer_subject_key_identifier   60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F
signer_trusted                  0
signer_validity_ok              1
sources
    _url_params                 api
    cert_subject_alt_name       PROFILE
    cert_subject_parts          PKCS10
    interface                   api
    pkcs10                      api
    req_attributes              PKCS10
    req_extensions              PKCS10
    server                      api
    signer_cert                 api
    transaction_id              api
transaction_id                  8a0b3dcb6ee61c88e7fe9d49063181bb
url_remote_addr                 192.168.100.50
workflow_id                     51199

Workflow history:

Execution time       State                                Action                                 Description  User     Node
2021-05-06 19:56:08  INITIAL                              enroll_initialize                      EXECUTE      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_0          global_map_url_params                  AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id              AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_3          global_load_policy                     AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_4          global_set_profile                     AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10                    AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  PARSED                               global_noop                            AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  PROFILE_SET                          enroll_render_subject                  AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  READY_TO_PROCESS                     global_check_authorized_signer         AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  SIGNED_REQUEST                       enroll_set_mode_renewal                AUTORUN      generic  openxpki-debian
2021-05-06 19:56:08  START_RENEWAL                        global_set_error_not_in_current_realm  AUTORUN      generic  openxpki-debian
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
