Ebbe:
I will continue to investigate to see if we have a bug.
When you are asked for the phone home URL, try the non secure version.
Something like:
If I do not have a certificate in my cert-store issued by the RedHat CA
(ESC running on Windows XP) the browser (IE) indicates "The page cannot
be displayed"
The server is a "straight" RedHat 7.3 PKI installation with latest
FireFox installed. Could FireFox have changed some of the original
RedHat 7.3 SSL libraries?
Ebbe
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Tuesday, November 25, 2008 11:25 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
Ebbe:
When you go to the URL with the browser, does it ask you for a cert?
This is unusual, I will have to check around for you.
thanks,
jack
Ebbe Hansen wrote:
> Jack,
>
> In my configuration the URL actually is:
>
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>
> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
> observe the error:
>
> "Could not establish an encrypted connection because your certificate
> was rejected by Redhat4.spyrus.com. Error Code: -12271"
>
> When accessing the TPS with a browser I receive the following display:
> <?xml version="1.0" encoding="UTF-8" ?>
> - <ServiceInfo>
> <IssuerName>Spyrus, Inc.</IssuerName>
> - <Services>
> <Operation>https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi</Operation>
> <UI>https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi</UI>
> <EnrolledTokenBrowserURL>http://www.spyrus.com</EnrolledTokenBrowserURL>
> <EnrolledTokenURL />
> <TokenType>userKey</TokenType>
> </Services>
> </ServiceInfo>
>
>
> Ebbe
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne@redhat.com]
> Sent: Monday, November 24, 2008 6:30 PM
> To: Ebbe Hansen
> Cc: pki-users(a)redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> Try this as your phone home URL.
>
> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>
> Also, you can try this with a browser and it should simply print out a
> simple XML file for you.
>
> I will take a look at the doc and see how it can be improved.
>
> Ebbe Hansen wrote:
>
>> Jack,
>>
>> I am trying to set up the initial "phone home" configuration with the
>> intent to Format a blank token.
>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>> connection must be secured using https (e.g.
>> "https://smartcardserver.example.com:7888").
>>
>> When connecting to the Admin services for all other PKI components (CA,
>> DRM, TKS and TPS) a client certificate is required to gain access. The
>> error message I observe when trying to connect with the ESC indicates a
>> client certificate is also expected in this case - but I haven't found
>> anything in the ESC Guide that documents this?
>>
>> Ebbe
>>
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne@redhat.com]
>> Sent: Monday, November 24, 2008 9:54 AM
>> To: Ebbe Hansen
>> Cc: pki-users(a)redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Could you state exactly what operation you are trying to do with ESC
>> with respect to TPS.
>> Are you performing the "phone home" step or actually attempting an
>> enrollment?
>> The default case should not require client auth which appears to be the
>> case with your error.
>>
>> thanks,
>> jack
>>
>> Ebbe Hansen wrote:
>>
>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>
>>> The error message says: "Could not establish an encrypted connection
>>> because your certificate was rejected. Error -12271".
>>>
>>> Looks like the ESC needs a user certificate and key to establish SSL
>>> connection.
>>>
>>> Not sure how the ESC can be configured to access a dedicated user
>>> certificate & key? Can ESC detect and possibly use the TPS Admin
>>> cert/key if running on same platform?
>>>
>>> Ehansen @ SPYRUS Corp.