Hi Hayg,
Good to hear.  To answer your previous question, caRouterCert.cfg is the default sscep enrollment profile.  You can see the authentication by default using flatfile:
auth.instance_id=flatFileAuth
Earlier, I misunderstood you for removing that and rendering a manual approval.

Christina

On 04/11/2016 05:14 AM, haygastourian@gmail.com wrote:
Hi Christina,

I got this to work with sscep. It seems the IP in my flatfile was wrong. I think the main issue is the lack of a clear error message.

Thanks for your help,
Hayg

On Mon, Apr 11, 2016 at 10:54 AM, haygastourian@gmail.com <haygastourian@gmail.com> wrote:
Hi Christina,

Thank you for your help.

I think using SCEP there is no enrollment profile that I touch? I thought setting up the flatfile.txt with the relevant values and modifying the config to enable SCEP was all that I needed to do. My intention was for it to be automatically approved because of the IP/password being present in flatfile.txt

Does that help? Sorry if I'm misunderstanding your questions.

Thanks,
Hayg

On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu <cfu@redhat.com> wrote:
Hi Hayg,

I am running Fedora 22 so I'm not sure if there is any difference at all.

I would like to understand your issue(s) better.
When you said that your request failed because it was "getting deferred", does that mean you have it in the enrollment profile for manual approval?  In other words, it was your intention to have the request manually approved by the CA agents?
You realize that if you require manual agent approval, there is no option for sscep to "fetch" the already issued cert right?

Or, did you not intend to have the request deferred and failed?  In which case, you want to know why it failed?  If so, do you have relevant debug log to give us some clue?

Did I misunderstand your issue?

Christina


On 04/05/2016 02:57 AM, haygastourian@gmail.com wrote:
Hello everyone,

I've been trying to enroll with dogtag via SSCEP for the last few days to no avail and I've reached the end of my rope, so I'm reaching out for your help (which I very much would appreciate).

I am running Ubuntu and my dogtag versions are:
hayg@hayg:~$ dpkg -l | grep dogtag
ii  dogtag-pki                               10.2.6-1                        all          Dogtag Public Key Infrastructure (PKI) Suite
ii  dogtag-pki-console-theme                 10.2.6-1                        all          Certificate System - PKI Console User Interface
ii  dogtag-pki-server-theme                  10.2.6-1                        all          Certificate System - PKI Server User Interface
 
My SSCEP:
[~/sscep]$ cat VERSION                                                                                                                    
0.6.1

My flatfile.txt:
hayg@hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret
(I restarted my pki-tomcatd service just in case, to make sure it took effect)

On the SSCEP side I'm doing: ./sscep enroll -l cert.pem -r local.csr -k local.key -c astourian.crt -u 'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'

This fails because the request is getting deferred and I have fail on defer set to true, per the docs.

The request actually shows up in 'List Certificates' when I go to the web UI, but when I try to approve it, I get:

The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NullPointerException
Please contact your local administrator for assistance.

When I try to resume the enrollment by adding the -R flag to sscep it fails with the following error in the logs:

CRSEnrollment: No certificate has been found

My CSR:
[~/sscep]$ openssl req -in local.csr -noout -text 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=10.129.25.186
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
                    83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
                    f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
                    6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
                    1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
                    75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
                    5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
                    4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
                    19:93:02:84:40:09:40:44:b1
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :secret
        Requested Extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:10.129.25.186
    Signature Algorithm: sha1WithRSAEncryption
         7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
         8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
         4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
         05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
         16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
         af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
         f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
         ea:ae 

As you can see, the password is "secret" and the CN is the UID from flatfile.txt.

I welcome you all to try enrolling with my server. I can then try approving and see if it works.

Again, I very much appreciate all of your help. Please excuse my wall of text x_x

Thanks,
Hayg


_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
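The root cause in this thread was a UID/IP mismatch in flatfile.txt that surfaced only as a deferred request and a NullPointerException. As an added illustration (not Dogtag's flatFileAuth code and not written by anyone in the thread), the following Python models the check the thread describes: the requester's source IP must match a UID record and the CSR's challengePassword must match that record's PWD, and it reports a specific, log-worthy reason when either fails. The flatfile content is constructed to mirror the one posted above; the record format assumed (`UID:`/`PWD:` pairs, `#` comment lines) follows that posting, and the function and dataclass names are hypothetical.

```python
"""Constructed example: validate a SCEP enrollment against a Dogtag-style
flatfile.txt and produce a clear reason on failure.

Not Dogtag's flatFileAuth plugin; it models the check described in the
thread (requester IP == UID, CSR challengePassword == PWD).
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed flatfile content modelled on the one posted in the thread.
FLATFILE_TEXT = """\
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret
"""


def parse_flatfile(text: str) -> Dict[str, str]:
    """Parse UID/PWD records into {uid: pwd}.

    Lines starting with '#' and blank lines are ignored.  Every UID line must
    be followed by exactly one PWD line; anything else is reported with its
    line number so a typo is found before the CA starts deferring requests.
    """
    entries: Dict[str, str] = {}
    uid: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"flatfile line {lineno}: expected KEY:VALUE, got {raw!r}")
        key, value = key.strip().upper(), value.strip()
        if key == "UID":
            if uid is not None and uid not in entries:
                raise ValueError(f"flatfile line {lineno}: UID {uid} has no PWD")
            if value in entries:
                raise ValueError(f"flatfile line {lineno}: duplicate UID {value}")
            uid = value
        elif key == "PWD":
            if uid is None:
                raise ValueError(f"flatfile line {lineno}: PWD before any UID")
            if uid in entries:
                raise ValueError(f"flatfile line {lineno}: second PWD for UID {uid}")
            entries[uid] = value
        else:
            raise ValueError(f"flatfile line {lineno}: unknown key {key!r}")
    if uid is not None and uid not in entries:
        raise ValueError(f"flatfile: UID {uid} has no PWD")
    return entries


@dataclass
class AuthResult:
    ok: bool
    reason: str  # detailed reason, intended for the CA's server-side debug log


def authenticate(entries: Dict[str, str], requester_ip: str,
                 challenge_password: Optional[str]) -> AuthResult:
    """Decide whether a request from requester_ip may be auto-approved."""
    expected = entries.get(requester_ip)
    if expected is None:
        # This is the failure mode from the thread: the client's real source
        # address did not match the UID written in flatfile.txt.
        return AuthResult(False, f"no flatfile UID matches requester {requester_ip}; "
                                 f"configured UIDs: {sorted(entries)}")
    if not challenge_password:
        return AuthResult(False, f"request from {requester_ip} carries no challengePassword")
    # Constant-time comparison so the password check leaks no timing signal.
    if not hmac.compare_digest(expected.encode(), challenge_password.encode()):
        return AuthResult(False, f"challengePassword mismatch for UID {requester_ip}")
    return AuthResult(True, f"UID {requester_ip} authenticated; request can be auto-approved")


if __name__ == "__main__":
    table = parse_flatfile(FLATFILE_TEXT)
    for ip, pwd in [("10.129.25.186", "secret"), ("172.16.24.238", "secret"),
                    ("10.129.25.186", "1212")]:
        print(authenticate(table, ip, pwd))
```

The detailed `reason` is meant for the CA's own log; what goes back to the SCEP client should stay generic, since listing configured UIDs to an unauthenticated requester would leak which addresses are allowed to enroll.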