Hi Mark,
openssl req -new -keyout test.key -out test.crt -x509 -subj "/CN=Testcert" -passout pass:12345
-----
cat test.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIfHv1x8Fyk/0CAggA
...
-----END ENCRYPTED PRIVATE KEY-----
oxi token add --realm democa --key test.key --cert test.crt --type scep
---
alias: ratoken-3
key_name: 33:DC:56:A8:E8:F1:3E:9E:59:FB:A9:47:3E:E2:6A:D6:07:FD:AD:F2
Works here without any problems - I am happy to analyse the issue but
then you need to have a look into the log files as already requested.
Oliver
On 29.08.25 13:27, Mark via OpenXPKI-users wrote:
Hi Mark,
Thank you for your quick response. I did not realise that sampleconfig
automatically adds a SCEP certificate. If I had taken the time to view
the script before submitting this request I would have seen the SCEP
entry for scep.crt and scep.key. I plan to continue testing SCEP with
the script-generated certificates, keeping everything as simple as
possible.
The 'Enabling the SCEP service' section of the 'Quickstart guide' on
'https://openxpki.readthedocs.io' mentions the token import command. I
failed to realise that this is already done for you if you run the
sampleconfig script.
Out of interest, I selected an RSA key when I manually-generated the
TLS/Web Server certificate that I originally planned to use and I also
selected the 'do not encrypt' option. After exporting the PKCS12 file,
I uploaded it to my debian system then dumped all the information
using 'openssl pkcs12 -info *.p12', entering the private key password
when prompted. The private key was enclosed in:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
but I'm unsure how to test if it's readable or not.
I intend to focus on getting SCEP working now, but can do more testing
if that helps. It would be nice to know if the issue I encountered was
specific to the private key, or something else.
Mark
On Friday 29 August 2025 at 05:30:45 BST, Oliver Welter
<[email protected]> wrote:
Hi Mark,
first of all - sampleconfig already sets up the cli connection and
also adds a SCEP certificate, does this work for you?
What format is your SCEP key? Currently only RSA is supported and I
had some issues in the past with encrypted keys - so if you can perhaps
share the command you used to generate this it might help tracking
this down. You might try to import only the cert without the key (will
not work afterwards but sheds some light on the root cause).
Please check the logs of the server after trying the import - the
"unable to decode message" sounds like something in the server throws
an exception.
Oliver
On 28.08.25 18:00, Mark via OpenXPKI-users wrote:
I have built OpenXPKI Community Edition v3.32.8 on Debian 12.11 using
the demo configuration (sampleconfig.sh). It is running and issuing
certificates from externally-generated CSRs.
I wish to enable the SCEP Server so, following the instructions in the
Quickstart guide, I have generated a 'TLS/Web Server' certificate in
the 'Open Source Trustcenter', then exported the certificate and
private key and placed them in scep.crt and scep.key. I created a key pair
for the client using 'oxi cli create' and placed these in the
'~/.oxi/client.key' and 'config.d/system/cli.yaml' files, taking care
that the yaml syntax is valid. When I try and register the scep token
with the 'oki token add --real democa --type scep --cert scep.crt
--key scep.key' command, I am getting an 'Unable to decode' message.
Can you provide some guidance on how to fix this issue (I have
attempted several times already)?
_______________________________________________
OpenXPKI-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/openxpki-users
<https://lists.sourceforge.net/lists/listinfo/openxpki-users>
--
Protect your environment - close windows and adopt a penguin!
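
Added example (not part of the thread and not OpenXPKI code): one way to test whether a key is readable before running 'oxi token add', by checking that it decrypts with the passphrase, that it is RSA, and that it belongs to the certificate. The function names and the explicit -newkey rsa:2048 are assumptions, and the sample key pair is constructed with the passphrase used in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread: pre-import checks for a token key/cert.
# PASSIN is an openssl pass phrase source such as pass:12345, env:VAR or
# file:/path (env: and file: keep the secret out of the process list).

key_readable() {      # key_readable KEY PASSIN -> 0 if the key decrypts
    openssl pkey -in "$1" -passin "$2" -noout 2>/dev/null
}

key_is_rsa() {        # key_is_rsa KEY PASSIN -> 0 only for RSA keys
    openssl rsa -in "$1" -passin "$2" -noout 2>/dev/null
}

key_matches_cert() {  # key_matches_cert KEY PASSIN CERT -> 0 if same public key
    k=$(openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

preflight() {         # preflight KEY PASSIN CERT -> prints one verdict word
    key_readable "$1" "$2" || { echo unreadable-key; return 1; }
    key_is_rsa "$1" "$2" || { echo not-rsa; return 1; }
    key_matches_cert "$1" "$2" "$3" || { echo key-cert-mismatch; return 1; }
    echo ok
}

make_sample_pair() {  # constructed sample input: DIR/test.key, DIR/test.crt
    # -newkey rsa:2048 is spelled out so the result does not depend on
    # the defaults in openssl.cnf.
    openssl req -new -newkey rsa:2048 -x509 -subj "/CN=Testcert" \
        -keyout "$1/test.key" -out "$1/test.crt" -passout pass:12345 2>/dev/null
}

demo=$(mktemp -d)
make_sample_pair "$demo"
preflight "$demo/test.key" pass:12345 "$demo/test.crt"   # correct passphrase
preflight "$demo/test.key" pass:wrong "$demo/test.crt"   # wrong passphrase
rm -rf "$demo"
```

A verdict of unreadable-key points at the passphrase or the key encoding, while not-rsa and key-cert-mismatch point at the key material itself.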