Hello Eddy,

as I already said last week
https://sourceforge.net/p/openxpki/mailman/message/37269596/
- to be recognized as an "initial enrollment" the request must be self-signed - at least in our world this means that the public key used in the CSR must also be used to sign the SCEP envelope.

As you can see here, this is not the case:

csr_subject_key_identifier     A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0
signer_subject_key_identifier  60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F

The complete enrollment workflow is described here
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html

If you want to change this detection logic you can rework the conditions in the workflow, you find this here
https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/workflow/def/certificate_enroll.yaml#L30

The better way would be IMHO to try to fix this in your SCEP client.

best regards

Oliver

On 06.05.21 at 22:27, Eddy BODIN via OpenXPKI-users wrote:
> Hello,
>
> we're trying to enroll with SCEP a newly created certificate, using a
> Cryptlib-based client, on an OpenXPKI server on the default realm
> called "democa". We expect to have an initial enrolment but instead of
> it regarding the workflow we reach state "START_RENEWAL" after
> "SIGNED_REQUEST". In the workflow the CSR is not considered as
> self-signed, leading to this issue.
>
> The newly created certificate has a new transaction_id and a new DN
> and common name.
>
> What possible reason could lead to this issue?
>
> Thanks.
>
> Workflow Context:
>
> cert_profile                   tls_server
> cert_subject                   CN=20210506-C-220638,DC=Test Deployment,DC=OpenXPKI,DC=org
> cert_subject_parts
>     C                          FR
>     CN                         20210506-C-220638
>     O                          MYORGANISATION
>     OU                         MYUNIT
> cert_subject_style             enroll
> creator                        generic
> csr_digest_alg                 sha256
> csr_key_alg                    rsa
> csr_key_params
>     key_length                 4096
> csr_subject                    CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
> csr_subject_key_identifier     A4:50:D7:F8:BA:A5:1D:EB:3B:C6:9D:AB:EB:9C:00:12:8A:DA:81:D0
> error_code                     Renewal request is for certificate from foreign realm!
> interface                      scep
> p_allow_anon_enroll            0
> p_allow_eligibility_recheck    1
> p_allow_man_approv             1
> p_allow_man_authen             0
> p_allow_replace                1
> p_approval_points              0
> p_auto_revoke_existing_certs   1
> p_max_active_certs             1
> pkcs10
> req_attributes
>     challengePassword          xxxxXXXXxxxxXXXX
> request_mode                   renewal
> server                         generic
> signer_authorized              0
> signer_cert
> signer_in_current_realm        0
> signer_revoked                 0
> signer_subject                 CN=20210506-C-220638,OU=MYUNIT,O=MYORGANISATION,C=FR
> signer_subject_key_identifier  60:A2:93:80:F1:F5:58:93:59:4B:80:CA:13:EE:50:DA:4F:7C:80:6F
> signer_trusted                 0
> signer_validity_ok             1
> sources
>     _url_params                api
>     cert_subject_alt_name      PROFILE
>     cert_subject_parts         PKCS10
>     interface                  api
>     pkcs10                     api
>     req_attributes             PKCS10
>     req_extensions             PKCS10
>     server                     api
>     signer_cert                api
>     transaction_id             api
> transaction_id                 8a0b3dcb6ee61c88e7fe9d49063181bb
> url_remote_addr                192.168.100.50
> workflow_id                    51199
>
> Workflow history:
>
> Execution time       State                                Action                                 Description  User     Node
> 2021-05-06 19:56:08  INITIAL                              enroll_initialize                      EXECUTE      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_0          global_map_url_params                  AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_1          enroll_set_transaction_id              AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_2          enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_3          global_load_policy                     AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_4          global_set_profile                     AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  INITIAL_ENROLL_INITIALIZE_5          enroll_parse_pkcs10                    AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  PARSED                               global_noop                            AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  PROFILE_SET                          enroll_render_subject                  AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  PROFILE_SET_ENROLL_RENDER_SUBJECT_0  enroll_set_workflow_attributes         AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  READY_TO_PROCESS                     global_check_authorized_signer         AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  SIGNED_REQUEST                       enroll_set_mode_renewal                AUTORUN      generic  openxpki-debian
> 2021-05-06 19:56:08  START_RENEWAL                        global_set_error_not_in_current_realm  AUTORUN      generic  openxpki-debian
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
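The key identifier comparison described in the reply above can be reproduced on the client side before a request is sent. The following is an added example, not part of the original mails and not OpenXPKI code. It assumes that the CSR identifier is the SHA-1 of the public key bits (RFC 5280, method 1) and that the signer identifier is read from the certificate's subjectKeyIdentifier extension when present; the helper names, the subject name and all keys are constructed for illustration, and the Python `cryptography` package is required.

```python
# Added example, not OpenXPKI code. Assumptions: key identifier = SHA-1 of the
# public key bits (RFC 5280 method 1); signer identifier comes from the
# subjectKeyIdentifier extension if the certificate has one.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _hex(digest):
    return ":".join(f"{b:02X}" for b in digest)

def csr_key_id(csr):
    """Identifier derived from the public key inside the PKCS#10 request."""
    return _hex(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()).digest)

def signer_key_id(cert):
    """Identifier carried by the signer certificate, else derived from its key."""
    try:
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    except x509.ExtensionNotFound:
        ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
    return _hex(ski.digest)

def _spki(obj):
    return obj.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def diagnose(csr, signer):
    """Classify a CSR/signer pair the way an identifier comparison would see it."""
    if csr_key_id(csr) == signer_key_id(signer):
        return "self-signed"
    if _spki(csr) == _spki(signer):
        return "same key, identifier mismatch"  # extension not derived from the key
    return "different key"

def make_csr(key, name):
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())

def make_signer(key, name, ski=None):
    """Constructed self-signed signer certificate; ski overrides the extension value."""
    start = datetime.datetime(2021, 5, 6)
    ext = (x509.SubjectKeyIdentifier(ski) if ski
           else x509.SubjectKeyIdentifier.from_public_key(key.public_key()))
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=1))
            .add_extension(ext, critical=False).sign(key, hashes.SHA256()))

NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-device")])  # constructed
```

To check real files, load them with `x509.load_pem_x509_csr()` and `x509.load_pem_x509_certificate()` and pass the results to `diagnose()`.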
