Erwin,
Could you open a bug including all details?
Thank you,
Andrew
On 05/21/10 11:48, Erwin Himawan wrote:
Andrew,
Thanks for your suggestion. I changed the value of auth.instance_id in
the caRouterCert profile to be "empty" (i.e. no value) per your
suggestion.
I could verify through the debug file that the CA accepts this empty
value when I run my SCEP test again.
The snippet of the debug file:
Found profile=caRouterCert
Retrieving Authenticator
no Authenticator Found >> this log suggests that the changes take
effect
Although no Authenticator is found, the CA does not put the
request in the agent queue.
The CA issues the SCEP client a certificate.
Now, when I check this particular request through the CA-agent web
interface; i.e. (List Request, Request Type: Show All Request, Request
Status: Show All Request), I noticed that the request was completed.
Although the CA marks this request as completed, this request does not
show its associated issued certificate, despite the fact that the
SCEP client is issued a certificate. When I further explore this
"completed request", this is what I got:
Request:
Status: complete
Type: enrollment
Subject Public Key:
Algorithm: undefined
Public Key: undefined
Issued Cert:
Error: certificate not issued
Any idea why the CA behaves this way? Is it expected?
Thanks,
Erwin
On Fri, May 21, 2010 at 11:38 AM, Andrew Wnuk <awnuk@redhat.com> wrote:
On 05/20/10 17:51, Erwin Himawan wrote:
> I would like to configure my DCS's SCEP operation for manual
> approval, in which the router uses SCEP to submit the request and
> the CA agent will manually approve the request and to modify the
> request (if needed).
>
> Does anybody have any idea how to configure the DCS CA?
>
> I am thinking to clone the caRouterCert profile. I am not sure
> what to specify to enable agent to approve the incoming request.
> Am I in the right direction?
You could try to modify caRouterCert profile by replacing
auth.instance_id=raCertAuth
with
auth.instance_id=
Adding new profile requires extending profile list in CS.cfg.
>
> Thanks,
> Erwin
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
>
https://www.redhat.com/mailman/listinfo/pki-users
>