On Thu, 2009-04-23 at 21:19 -0400, Fortunato wrote:
Solved.
The /var/lib/rhpki-ca/conf/flatfile.txt needed to be configured. (At least that section
of the manual makes sense now.)
And, mkrequest has to be run before the enroll request with the UID and PWD options,
otherwise /var/log/rhpki-ca/debug complains about duplicate requests.
--
All this still begs the question, "How to use the RA to do this?" - but
I'll leave that question alone for now.
From the docs for RA:
SCEP Enrollment
In a SCEP enrollment scenario, you use the EE interface to
submit a request in order to retrieve a one-time PIN. The RA
agent is notified of the request and, after validating the
requestor, approves it. Approving the request generates a PIN.
The manager gives this PIN to the router installer. On the
router, the installer enters the URL to the RA and provides the
one-time PIN. The enrollment can then be initiated.
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
Thanks all. And now I'm off to try this on IPv6...
-----Original Message-----
>From: Marc Sauton <msauton(a)redhat.com>
>Sent: Apr 23, 2009 8:43 PM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] SSCEP enroll using CA
>
>Marc Sauton wrote:
>> Fortunato wrote:
>>> I'm making lots of progress, but there seems to be a lack (or at
>>> least it's unclear to me still) in the way to configure SCEP
>>> enrollment on the CA.
>>>
>>> All the manual references use the RA thru:
>>>
>>> http://<fqdn>:12888/ee/scep/index.cgi
>>> to configure SCEP.
>>>
>>> But in order to get the CA cert and do a SCEP enroll, most examples use:
>>>
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> Is there something similar to the RA on the CA web gui to create the
>>> SCEP requests?
>>>
>>> Lastly, I'm trying to use sscep as follows:
>>>
>>> # ./sscep getca -c ca.crt -u
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>> ...
>>> ./sscep: CA certificate written as ca.crt
>>>
>>> # ./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u
>>> http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>>>
>>> But all that is returned is:
>>> ./sscep: sending certificate request
>>> ./sscep: valid response from server
>>> ./sscep: pkistatus: FAILURE
>>> ./sscep: reason: Transaction not permitted or supported
>>>
>>> Any helpful logs would be appreciated, but my guess is that I'm
>>> overlooking a web gui somewhere off port 9080. Is there something in
>>> the CA or RA that could help identify a more specific FAILURE reason?
>>>
>>>
>> Try to get a look at your /var/log/rhpki-ca/debug file, and check
>> /var/lib/rhpki-ca/conf/flatfile.txt
>> should be in the form of:
>> UID:x.x.x.x
>> PWD:password
>> See:
>>
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
>>
>In some tests, I think I used mkrequest, and then something like below,
>with more verbose output:
>sscep enroll -v -d -k /var/tmp/local.key -r /var/tmp/local.csr -l
>/var/tmp/local.crt -t 15 -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>-c /var/tmp/ms-cs73-2.crt | tee /var/tmp/sscep.enroll.ca.test2local.txt
>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/pki-users
>>>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan(a)redhat.com
Quality Engineering --
http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
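As an added example (not from this thread and not part of Red Hat Certificate System), a POSIX shell check for the UID/PWD flatfile.txt layout quoted above, meant to run before the CA is restarted so a malformed entry is caught early. It assumes each UID is an IPv4 dotted quad and that blank lines between entries are optional.

```shell
#!/bin/sh
# Added example: validate a SCEP flatfile.txt of the form
#   UID:<ip address>
#   PWD:<one-time password>
# Every UID line must be followed by a PWD line, the UID must be a
# dotted-quad IPv4 address (assumption), and the PWD must be non-empty.
# Returns 0 when the file is well formed, 1 otherwise; problems go to stderr.
check_flatfile() {
    file="$1"
    expect=UID
    status=0
    n=0
    # The file holds one-time passwords in clear text; warn if it is world-readable.
    [ -z "$(find "$file" -perm -004)" ] \
        || echo "warning: $file is world-readable" >&2
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        key=${line%%:*}
        val=${line#*:}
        if [ "$key" != "$expect" ]; then
            echo "line $n: expected $expect, got '$key'" >&2; status=1
        fi
        case "$key" in
            UID)
                # each octet 0-255
                echo "$val" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' \
                    || { echo "line $n: bad UID '$val'" >&2; status=1; }
                expect=PWD ;;
            PWD)
                [ -n "$val" ] || { echo "line $n: empty PWD" >&2; status=1; }
                expect=UID ;;
            *)
                echo "line $n: unknown key '$key'" >&2; status=1 ;;
        esac
    done < "$file"
    [ "$expect" = UID ] \
        || { echo "file ends with a UID that has no PWD" >&2; status=1; }
    return $status
}
```

Run it as `check_flatfile /var/lib/rhpki-ca/conf/flatfile.txt` and only restart the CA when it exits 0.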