Hi, I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing. I have found that the one-time pin model doesn’t work for auto-renewal. I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I’m having issues with getting it to work. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/... I’m not certain what to put in the dnpattern attribute and there are no examples I can find and am wondering if it is the reason attempts show uid and credentials as null from the router – details of the setup later on in this email. * dnpattern. Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN. ------------------------------------------ auths.instance.RouterAuth.pluginName=UidPwdDirAuth auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com auths.instance.RouterAuth.ldap.ldapconn.host=localhost auths.instance.RouterAuth.ldap.ldapconn.port=389 auths.instance.RouterAuth.ldap.ldapconn.secureConn=false ------------------------------------------ I’ve created a hierarchy outside of dogtag for doing router auth: ou=RouterID,dc=auth,dc=sample,dc=com ------------------------------------------ Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that): dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com uid: 172.18.240.11 objectClass: inetUser userPassword: testpass ------------------------------------------ Router config. For flatfile auth it ends up using the wan IP and the password and password in the identity section, however for LDAP auth I don’t know what things would map to: crypto ca identity SAMPLE enrollment url http://172.21.4.239:8080/ca/cgi-bin revocation-check none fqdn emilyvpn.sample.com serial-number none ip-address none hash sha256 password testpass rsakeypair MEVO 2048 auto-enroll 75 crl optional exit crypto ca authenticate SAMPLE ------------------------------------------ When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null: [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4 [24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4 [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null. [24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response: Thanks for any assistance, -Emily