I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing.  I have found that the one-time pin model doesn't work for auto-renewal.  I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I'm having issues with getting it to work.


I'm not certain what to put in the dnpattern attribute, and there are no examples I can find, so I am wondering if that is the reason attempts from the router show the uid and credentials as null - details of the setup are later on in this email.

From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg instead of flatfile):


I've created a hierarchy outside of dogtag for doing router auth:

Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that):
dn: uid=,ou=RouterID,dc=auth,dc=sample,dc=com
objectClass: inetUser
userPassword: testpass

Router config.  For flatfile auth it ends up using the WAN IP and the password in the identity section; however, for LDAP auth I don't know what these would map to:

crypto ca identity SAMPLE
enrollment url
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair  MEVO 2048
auto-enroll 75
crl optional

crypto ca authenticate SAMPLE


When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null:

[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:

Thanks for any assistance,
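As an added example (not part of the original post and not Dogtag project code), the following script parses the CA debug log format shown above, groups the lines of one SCEP PKIOperation by Tomcat thread, and reports whether the directory authenticator ever received a uid. The log line layout `[timestamp][thread]: message` and the message prefixes are taken from the lines quoted in the post; the second, successful-looking attempt on thread `http-bio-8080-exec-9` with uid `router-01` is a constructed sample, not real output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Dogtag CA debug log layout as quoted in the post:
#   [dd/Mon/yyyy:HH:MM:SS][thread-name]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")

# Constructed sample: the first seven lines are the ones quoted in the post,
# the exec-9 lines are a made-up attempt where the request did carry a uid.
SAMPLE_LOG = """\
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
[24/Apr/2015:16:40:02][http-bio-8080-exec-9]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:40:02][http-bio-8080-exec-9]: Authenticating UID=router-01
[24/Apr/2015:16:40:03][http-bio-8080-exec-9]: Output PKIOperation response:
"""


@dataclass
class AuthAttempt:
    """One SCEP authentication attempt, reconstructed from a single thread's lines."""
    thread: str
    authenticator: Optional[str] = None
    uid: Optional[str] = None          # None when the log says UID=null
    outcome: str = "no failure logged"
    detail: str = ""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one debug line into (timestamp, thread, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("thread"), m.group("msg")


def analyze(log_text: str) -> List[AuthAttempt]:
    """Group log lines by thread and extract authenticator, uid and failure state."""
    attempts: Dict[str, AuthAttempt] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, thread, msg = parsed
        if msg.startswith("Got authenticator="):
            # A new PKIOperation on this thread starts with the authenticator lookup.
            attempts[thread] = AuthAttempt(thread=thread, authenticator=msg.split("=", 1)[1])
            continue
        att = attempts.get(thread)
        if att is None:
            continue
        if msg.startswith("Authenticating UID="):
            value = msg.split("=", 1)[1].strip()
            att.uid = None if value == "null" else value
        elif msg.startswith("operation failure"):
            att.outcome = "failure"
            att.detail = msg.split("-", 1)[1].strip() if "-" in msg else msg
    return list(attempts.values())


def diagnose(att: AuthAttempt) -> str:
    """Turn one attempt into a one-line diagnosis of where authentication stopped."""
    if att.authenticator is None:
        return "no authenticator selected for this request"
    if att.uid is None:
        # This is the poster's case: the directory authenticator ran, but the
        # request supplied nothing it could treat as a uid, so no bind can succeed.
        return f"uid missing from request (UID=null) in {att.authenticator.rsplit('.', 1)[-1]}"
    if att.outcome == "failure":
        return f"uid {att.uid} presented but authentication failed: {att.detail}"
    return f"no failure logged for uid {att.uid}"


if __name__ == "__main__":
    for attempt in analyze(SAMPLE_LOG):
        print(f"{attempt.thread}: {diagnose(attempt)}")
```

Run against a real debug log by replacing `SAMPLE_LOG` with the file contents; an attempt reported as "uid missing from request" points at the request-to-uid mapping rather than at the directory entry or its password.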