Hello everyone,
I'm currently trying to set up an automated certificate process with SCEP. For 
this I'm using certmonger (version 0.79.17) on Debian Bookworm as client and 
OpenXPKI as CA. I deployed OpenXPKI with the latest docker and used the 
provided sample config (change added as described in mail 
https://sourceforge.net/p/openxpki/mailman/message/37607223/). So far, I 
successfully sent a request to the server, which is waiting for manual approval. 
But certmonger doesn't retrieve the certificate after approval.
The configuration of certmonger is as follows:
Adding new CA in certmonger:
root@vbox:~/cert-storage# getcert add-scep-ca -c openxpki-docker -u http://192.168.178.103:8080/scep/generic
New CA "openxpki-docker" added.
root@vbox:~/cert-storage# getcert list-cas
...
CA 'openxpki-docker':
               is-default: no
               ca-type: EXTERNAL
               helper-location: /usr/lib/certmonger/scep-submit -u http://192.168.178.103:8080/scep/generic
               SCEP CA certificate thumbprint (MD5): ECEA4F44 874BCC22 91A6DEFB 8282C80F
               SCEP CA certificate thumbprint (SHA1): 8FAF290A 7583C3D2 063C80C1 3E34D1F0 1E8F730A
Request certificate:
root@vbox:~/cert-storage# getcert request -I docker-cert -c openxpki-docker -N cn=example.com -k /root/cert-storage/docker-cert-key.pem -f /root/cert-storage/docker-cert.pem -L SecretChallenge -v
New signing request "docker-cert" added.
root@vbox:~/cert-storage# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'docker-cert':
               status: CA_UNREACHABLE
               ca-error: Error: failed to verify signature on server response. error:1080007A:PKCS7 routines::no content
               stuck: no
               key pair storage: type=FILE,location='/root/cert-storage/docker-cert-key.pem'
               certificate: type=FILE,location='/root/cert-storage/docker-cert.pem'
               signing request thumbprint (MD5): FAACEAF1 5332FCAB F406285E F44BE192
               signing request thumbprint (SHA1): 4024DD5C ACC40F26 7066B473 9963FCD0 CD798DBA
               CA: openxpki-docker
               issuer:
               subject:
               issued: unknown
               expires: unknown
               pre-save command:
               post-save command:
               track: yes
               auto-renew: yes
Unfortunately, I am stuck at this point. Am I missing any important configuration 
on the server, so that the response can be read by certmonger? Is it possible to 
auto-approve the request?
Thank you very much for your help in advance!

Best regards,
Fabian
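
Added example, not part of the original post and not certmonger or OpenXPKI code: a small parser for `getcert list` output that reports tracked requests which are not in the MONITORING state, together with their ca-error, so a failed enrollment like the one above is noticed automatically. The function names are hypothetical, and the sample text is constructed from the output quoted in the post, abridged and with one mail-style hard line wrap.

```python
import re

# Constructed sample, modelled on the `getcert list` output in the post
# (abridged); the ca-error value is hard-wrapped as a mail client would do.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID 'docker-cert':
               status: CA_UNREACHABLE
               ca-error: Error: failed to verify signature on server response.
error:1080007A:PKCS7 routines::no content
               stuck: no
               CA: openxpki-docker
               issued: unknown
               track: yes
               auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
# Key is everything up to the first colon, so values may contain colons.
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current, last_key = {}, None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current, last_key = requests.setdefault(m.group("id"), {}), None
            continue
        if current is None or not line.strip():
            continue  # header line before the first request, or blank line
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current[last_key] = m.group("value").strip()
        elif last_key is not None:
            # Unindented text: wrapped continuation of the previous field.
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests

def unhealthy(requests, ok_states=("MONITORING",)):
    """List (id, status, ca-error) for requests not in an accepted state."""
    return [(rid, f.get("status", "?"), f.get("ca-error", ""))
            for rid, f in requests.items() if f.get("status") not in ok_states]

if __name__ == "__main__":
    for rid, status, err in unhealthy(parse_getcert_list(SAMPLE)):
        print(f"{rid}: {status}: {err}")
```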

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
