Hi Oliver,
Thank you for the information.  I ended up reinstalling OpenXPKI using the 
instructions in the Quickstart guide. Just as I did previously, I installed the 
demo configuration with sampleconfig.sh and then I tested SCEP. I initially 
tested SCEP with the sscep tool. Then I tested SCEP with the SCEP client I'm 
working with in my lab and that worked fine too.

Then I used 'oxi token add...' to import a new certificate and key to be used 
for SCEP RA, that I generated from the OpenXPKI gui and that worked too. This 
time, there were no errors when using the 'oxi token add..' command so I'm 
happy that SCEP is working fine now. Thank you for your assistance. Please 
consider the issue resolved.
Mark
    On Sunday 31 August 2025 at 19:28:32 BST, Oliver Welter <[email protected]> 
wrote:  
 
  Hi Mark,

openssl req -new -keyout test.key -out test.crt -x509 -subj "/CN=Testcert" -passout pass:12345
-----
cat test.key 
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIfHv1x8Fyk/0CAggA
...
-----END ENCRYPTED PRIVATE KEY-----

oxi token add --realm democa --key test.key  --cert test.crt --type scep 
---
alias: ratoken-3
key_name: 33:DC:56:A8:E8:F1:3E:9E:59:FB:A9:47:3E:E2:6A:D6:07:FD:AD:F2
 
Works here without any problems - I am happy to analyse the issue but then you 
need to have a look into the log files as already requested.
 
Oliver
 
 
  On 29.08.25 13:27, Mark via OpenXPKI-users wrote:
  
 
 Hi Mark, 
  Thank you for your quick response. I did not realise that sampleconfig 
automatically adds a SCEP certificate. If I had taken the time to view the 
script before submitting this request I would have seen the SCEP entry for 
scep.crt and scep.key. I plan to continue testing SCEP with the 
script-generated certificates, keeping everything as simple as possible.
 
 The 'Enabling the SCEP service' section of the 'Quickstart guide' on 
'https://openxpki.readthedocs.io' mentions the token import command. I failed 
to realise that this is already done for you if you run the sampleconfig 
script. 
  Out of interest, I selected an RSA key when I manually-generated the TLS/Web 
Server certificate that I originally planned to use and I also selected the 'do 
not encrypt' option. After exporting the PKCS12 file, I uploaded it to my 
debian system then dumped all the information using 'openssl pkcs12 -info 
*.p12', entering the private key password when prompted. The private key was 
enclosed in:
 -----BEGIN ENCRYPTED PRIVATE KEY-----
  -----END ENCRYPTED PRIVATE KEY-----
  but I'm unsure how to test if it's readable or not.
 
 I intend to focus on getting SCEP working now, but can do more testing if that 
helps. It would be nice to know if the issue I encountered was specific to the 
private key, or something else.  
  Mark 
      On Friday 29 August 2025 at 05:30:45 BST, Oliver Welter <[email protected]> 
wrote:  
  
     
Hi Mark,
 
first of all - sampleconfig already sets up the cli connection and also adds a 
SCEP certificate, does this work for you?
 
 What format is your SCEP key? Currently only RSA is supported and I had some 
issues in the past with encrypted key - so if you can perhaps share the command 
you used to generate this it might help tracking this down. You might try to 
import only the cert without the key (will not work afterwards but sheds some 
light on the root cause).
 
 
Please check the logs of the server after trying the import - the "unable to 
decode message" sounds like something in the server throws an exception.
 
Oliver
 
  On 28.08.25 18:00, Mark via OpenXPKI-users wrote:
  
 
      I have built OpenXPKI Community Edition v3.32.8 on Debian 12.11 using the 
demo configuration (sampleconfig.sh). It is running and issuing certificates 
from externally-generated CSRs.
 I wish to enable the SCEP Server so, following the instructions in the 
Quickstart guide, I have generated a 'TLS/Web Server' certificate in the 'Open 
Source Trustcenter', then exported the certificate and private key and placed 
them in scep.crt and scep.key. I created a key pair for the client using the 'oxi 
cli create' and placed these in the '~/.oxi/client.key' and 
'config.d/system/cli.yaml' files, taking care that the yaml syntax is valid. 
When I try and register the scep token with the 'oxi token add --real democa 
--type scep --cert scep.crt --key scep.key' command, I am getting an 'Unable to 
decode' message. Can you provide some guidance on how to fix this issue (I 
have attempted several times already).
  
  _______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
 -- 
Protect your environment -  close windows and adopt a penguin! 
 

 
  

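One way to answer the "is the key readable" question raised in this thread before running 'oxi token add', as an added example that is not part of the original messages or of OpenXPKI. The function names, the return codes and the throwaway sample pair are assumptions made here; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: pre-flight checks on a key/cert pair before importing it.
# Return codes (chosen for this example): 0 ok, 1 no PEM key, 2 cannot decrypt,
# 3 not RSA, 4 key does not match the certificate.
check_scep_key() {
    key=$1; cert=$2; pass=$3

    # The PEM label shows the container format and whether it is encrypted.
    case $(grep -m1 -e '-----BEGIN' "$key") in
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo "format: PKCS#8, encrypted" ;;
        *'BEGIN PRIVATE KEY'*)           echo "format: PKCS#8, unencrypted" ;;
        *'BEGIN RSA PRIVATE KEY'*)       echo "format: traditional RSA" ;;
        *'PRIVATE KEY'*)                 echo "format: other PEM private key" ;;
        *) echo "format: no PEM private key found"; return 1 ;;
    esac

    # Readable? Deriving the public key proves the passphrase decrypts the key.
    # env: keeps the passphrase out of the process argument list.
    keypub=$(KEYPASS=$pass openssl pkey -in "$key" -passin env:KEYPASS -pubout 2>/dev/null) \
        || { echo "decrypt: FAILED (wrong passphrase or damaged key)"; return 2; }
    echo "decrypt: ok"

    # RSA? 'openssl rsa' refuses to load any other key type.
    KEYPASS=$pass openssl rsa -in "$key" -passin env:KEYPASS -check -noout >/dev/null 2>&1 \
        || { echo "type: not RSA"; return 3; }
    echo "type: RSA"

    # Same key pair? Compare with the public key embedded in the certificate.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$keypub" = "$certpub" ] || { echo "match: key and certificate differ"; return 4; }
    echo "match: ok"
}

# Constructed sample input: a throwaway self-signed pair like the one in the thread.
make_demo_pair() {
    openssl req -new -newkey rsa:2048 -x509 -subj "/CN=Testcert" \
        -keyout "$1/test.key" -out "$1/test.crt" -passout pass:12345 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pair "$demo" &&
    check_scep_key "$demo/test.key" "$demo/test.crt" 12345
rm -rf "$demo"
```

A non-zero return narrows the cause to the passphrase, the key type or a mismatched pair before the server logs are consulted.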