If I do not have a certificate in my cert-store issued by the RedHat CA
(ESC running on windows-XP) the browser (IE) indicates "The page cannot
be displayed".
The server is a "straight" RedHat 7.3 PKI installation with latest
FireFox installed. Could FireFox have changed some of the original
RedHat 7.3 SSL libraries?
Ebbe
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Tuesday, November 25, 2008 11:25 AM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
Ebbe:
When you go to the URL with the browser, does it ask you for a cert?
This is unusual, I will have to check around for you.
thanks,
jack
Ebbe Hansen wrote:
Jack,
In my configuration the URL actually is:
https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
After clicking the "Test URL" button on the ESC (Smart Card Manager) I
observe the error:
"Could not establish an encrypted connection because your certificate
was rejected by Redhat4.spyrus.com. Error Code: -12271"
When accessing the TPS with a browser I receive the following
display:
<?xml version="1.0" encoding="UTF-8" ?>
- <ServiceInfo>
<IssuerName>Spyrus, Inc.</IssuerName>
- <Services>
<Operation>https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi</Operation>
<UI>https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi</UI>
<EnrolledTokenBrowserURL>http://www.spyrus.com</EnrolledTokenBrowserURL>
<EnrolledTokenURL />
<TokenType>userKey</TokenType>
</Services>
</ServiceInfo>
Ebbe
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Monday, November 24, 2008 6:30 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
Ebbe:
Try this as your phone home URL.
https://smartcardserver.example.com:7888/cgi-bin/home.cgi
Also, you can try this with a browser and it should simply print out a
simple XML file for you.
I will take a look at the doc and see how it can be improved.
Ebbe Hansen wrote:
> Jack,
>
> I am trying to set up the initial "phone home" configuration with the
> intent to Format a blank token.
> The ESC User guide (and the ESC) is indicating the initial Phone Home
> connection must be secured using https (e.g.
> "https://smartcardserver.example.com:7888").
>
> When connecting to the Admin services for all other PKI components (CA,
> DRM, TKS and TPS) a client certificate is required to gain access. The
> error message I observe when trying to connect with the ESC indicates a
> client certificate is also expected in this case - but I haven't found
> anything in the ESC Guide that documents this?
>
> Ebbe
>
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne@redhat.com]
> Sent: Monday, November 24, 2008 9:54 AM
> To: Ebbe Hansen
> Cc: pki-users(a)redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> Could you state exactly what operation you are trying to do with ESC
> with respect to TPS.
> Are you performing the "phone home" step or actually attempting an
> enrollment?
> The default case should not require client auth which appears to be the
> case with your error.
>
> thanks,
> jack
>
> Ebbe Hansen wrote:
>
>
>> I am not successful connecting the ESC (Smart Card Manager) client to
>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>
>> The error message says: "Could not establish an encrypted connection
>> because your certificate was rejected. Error -12271".
>>
>> Looks like the ESC needs a user certificate and key to establish SSL
>> connection.
>>
>> Not sure how the ESC can be configured to access a dedicated user
>> certificate & key? Can ESC detect and possibly use the TPS Admin
>> cert/key if running on same platform?
>>
>> Ehansen @ SPYRUS Corp.