search

dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0
358 stars 134 forks source link

Dogtag 10.12 Seemingly Returning Incorrect pkiStatus to sscep 0.9.1 When Certificate Request is Awaiting Approval #4198

Open abotelho-cbn opened 1 year ago

abotelho-cbn commented 1 year ago 
[LIVE] abotelho@abotelho:~/dogtag> sscep getca -u http://ca1.example.com:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -v -d -F sha256
sscep: starting sscep, version 0.9.1
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: ca1.example.com
sscep: directory: ca/cgi-bin/pkiclient.exe
sscep: port: 8080
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
GET /ca/cgi-bin/pkiclient.exe?operation=GetCACaps HTTP/1.1
Host: ca1.example.com:8080
Connection: close

sscep: server response status code: 200, MIME header: text/plain
sscep: scep caps bitmask: 0x02a2
sscep: SCEP_OPERATION_GETCA
sscep: scep request:
GET /ca/cgi-bin/pkiclient.exe?operation=GetCACert&message=CAIdentifier HTTP/1.1
Host: ca1.example.com:8080
Connection: close

sscep: server response status code: 200, MIME header: application/x-x509-ca-cert
sscep: valid response from server
sscep: SHA256 fingerprint: 2C:D2:4C:03:BE:70:BD:9C:24:92:81:AF:E7:E6:C2:7B:CE:10:96:52:32:D6:37:56:63:E4:21:C8:51:30:8B:90
sscep: CA certificate written as ca.crt
[LIVE] abotelho@abotelho:~/dogtag> ./mkrequest -dns abotelho3.example.com sha256
Generating RSA private key, 1024 bit long modulus (2 primes)
.............+++++
..+++++
e is 65537 (0x010001)
[LIVE] abotelho@abotelho:~/dogtag> sscep enroll -t10 -u http://ca1.example.com:8080/ca/scep/caServerCert/pkiclient.exe -c ca.crt -k local.key -r local.csr -l local.crt -E 3des -S sha256 -v -d
sscep: starting sscep, version 0.9.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: ca1.example.com
sscep: directory: ca/scep/caServerCert/pkiclient.exe
sscep: port: 8080
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
GET /ca/scep/caServerCert/pkiclient.exe?operation=GetCACaps HTTP/1.1
Host: ca1.example.com:8080
Connection: close

sscep: server response status code: 200, MIME header: text/plain
sscep: scep caps bitmask: 0x02a2
sscep:  Read request with transaction id: 3A15982CCDE8B07780FFABB5085613A0
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO 
sscep: request data dump 
-----BEGIN CERTIFICATE REQUEST-----
MIIBrTCCARYCAQAwIDEeMBwGA1UEAwwVYWJvdGVsaG8zLmV4YW1wbGUuY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7/jHjC3krgc/KPgmnft2P62KkPfzP
AhhhW4nRj3Z3yTl9rYU61We6PaA6jiyj4gqCvG3F0O78LlZ0UTJv+SbDLuvH83g2
2VJhMjWwJLlDRx2e5VDvqKU/x3IC45wMhMb/Y2SXGusLhjV/LPVWxLYAHrK2WbSV
wKEGFd34ojz67wIDAQABoE0wFQYJKoZIhvcNAQkHMQgMBnNoYTI1NjA0BgkqhkiG
9w0BCQ4xJzAlMCMGA1UdEQEB/wQZMBeCFWFib3RlbGhvMy5leGFtcGxlLmNvbTAN
BgkqhkiG9w0BAQsFAAOBgQCdWHkbrmSNBtpK7jEfIQAHxUH5JjA6ICzPs9cPC+to
DgSQlYjQj+A4nqBmNA56P10qMI7DYCnTVPR+lJBbfTUGWto2Fuc6izQvWX46h4kj
P7mjaFN5kCQqNwNBSwmbe4aUaeWD2PFQzEKx/Gfb773JPWpIKK/bilwvKW9GEvs8
mQ==
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 433 bytes

 sscep: hexdump request payload
308201ad308201160201003020311e301c06035504030c1561626f74656c686f332e6578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100bbfe31e30b792b81cfca3e09a77edd8feb62a43dfccf0218615b89d18f7677c9397dad853ad567ba3da03a8e2ca3e20a82bc6dc5d0eefc2e567451326ff926c32eebc7f37836d952613235b024b943471d9ee550efa8a53fc77202e39c0c84c6ff6364971aeb0b86357f2cf556c4b6001eb2b659b495c0a10615ddf8a23cfaef0203010001a04d301506092a864886f70d01090731080c06736861323536303406092a864886f70d01090e3127302530230603551d110101ff04193017821561626f74656c686f332e6578616d706c652e636f6d300d06092a864886f70d01010b0500038181009d58791bae648d06da4aee311f210007c541f926303a202ccfb3d70f0beb680e04909588d08fe0389ea066340e7a3f5d2a308ec36029d354f47e94905b7d35065ada3616e73a8b342f597e3a8789233fb9a368537990242a3703414b099b7b869469e583d8f150cc42b1fc67dbefbdc93d6a4828afdb8a5c2f296f4612fb3c99
 sscep: hexdump payload 433 
sscep: successfully encrypted payload
sscep: envelope size: 861 bytes
sscep: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
MIIDWQYJKoZIhvcNAQcDoIIDSjCCA0YCAQAxggFeMIIBWgIBADBCMDsxCzAJBgNV
BAYTAkRNMREwDwYDVQQKDAhkb21pbmljYTEZMBcGA1UEAwwQRG9taW5pY2FRQUNB
MjAyMAIDD0JBMA0GCSqGSIb3DQEBAQUABIIBAHwNmqJahvkV8yr7cfWQNjdA/BQq
5EJPPhj4yQltpDmFhde0Br9el85+siJG76w/utOlLwGuZbuGArVwJ/1TFceIV00A
YgH00MWqUyAaOtweUYlW1FLCXWSfekwS9HK5f8FaQUUCbnUav52MwnamgzD7zUpX
kGHF3sAP5iyKReNl2I9a6fwiNZKdkgp2DwlhDtRYKmuQGq0RzQ7wgkKmxbPUoFsu
0cFie0X6ErxIHB0E2vmK+IlpOd+yW6UOkmX11OdkG4MVGDjTXQy9v5F/+HiUCrU7
4FLq8xHsSupfwB9AePWGc842mIeESFlmcEV3y+eK0KouJZqogvq+ijk66ekwggHd
BgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECO3B1I25iSgjgIIBuJ4zwMkyWwpn2FQ3
H67h4ZoCCl3iGhAJKLkveC+pIOme2ugzZEnClXs1NYhKuTYfPFzLqCSvjMXSCKzq
XMF1kOZh1kdjQfG1PFHDg6h7MFSkTuriEFEqS5bQyUsPGjejHD3idqaezgjtBcTv
r21yNUQatKxdZ3Ap34A57XSlBZCpLzpyzX18mFsu6jBP+xp9TLgCjBefKvDa2sfQ
rwGaNY0K1+OYnr475eYxnG7390bLShgW8mAgiT9hzl9WfeBCHYPgSpb+QQZcnZFH
I7fKU5I4gqMrPO9D+SV6l0v2OpVMqw9mACE0QpoabCA9wm62pmIp9wxByvmOAKIB
xpuKCArRPDs+UF+bForsjkolE0OjnGuct9ne1rtxob+/XTPkGVuj84xeN/h8Jm52
obOqXPayM7F3j3SBzucKE0qSohGxNUQiio2NOO0xwU9oZTpea6NcPtZ7Qrf3INrO
MXnJKku4wWn9LqWxLdiTsuDb+DttqZJNJfFOZUmL+Gibp0iRDqvyts7xlTRt1KU0
deRK5GsTgbPNi3SnqSybT9ySEm5Gn17yf+VvIJbZLvBEATLqepMz8iXDt6LQ
-----END PKCS7-----
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
MIIHPAYJKoZIhvcNAQcCoIIHLTCCBykCAQExDzANBglghkgBZQMEAgEFADCCA3AG
CSqGSIb3DQEHAaCCA2EEggNdMIIDWQYJKoZIhvcNAQcDoIIDSjCCA0YCAQAxggFe
MIIBWgIBADBCMDsxCzAJBgNVBAYTAkRNMREwDwYDVQQKDAhkb21pbmljYTEZMBcG
A1UEAwwQRG9taW5pY2FRQUNBMjAyMAIDD0JBMA0GCSqGSIb3DQEBAQUABIIBAHwN
mqJahvkV8yr7cfWQNjdA/BQq5EJPPhj4yQltpDmFhde0Br9el85+siJG76w/utOl
LwGuZbuGArVwJ/1TFceIV00AYgH00MWqUyAaOtweUYlW1FLCXWSfekwS9HK5f8Fa
QUUCbnUav52MwnamgzD7zUpXkGHF3sAP5iyKReNl2I9a6fwiNZKdkgp2DwlhDtRY
KmuQGq0RzQ7wgkKmxbPUoFsu0cFie0X6ErxIHB0E2vmK+IlpOd+yW6UOkmX11Odk
G4MVGDjTXQy9v5F/+HiUCrU74FLq8xHsSupfwB9AePWGc842mIeESFlmcEV3y+eK
0KouJZqogvq+ijk66ekwggHdBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECO3B1I25
iSgjgIIBuJ4zwMkyWwpn2FQ3H67h4ZoCCl3iGhAJKLkveC+pIOme2ugzZEnClXs1
NYhKuTYfPFzLqCSvjMXSCKzqXMF1kOZh1kdjQfG1PFHDg6h7MFSkTuriEFEqS5bQ
yUsPGjejHD3idqaezgjtBcTvr21yNUQatKxdZ3Ap34A57XSlBZCpLzpyzX18mFsu
6jBP+xp9TLgCjBefKvDa2sfQrwGaNY0K1+OYnr475eYxnG7390bLShgW8mAgiT9h
zl9WfeBCHYPgSpb+QQZcnZFHI7fKU5I4gqMrPO9D+SV6l0v2OpVMqw9mACE0Qpoa
bCA9wm62pmIp9wxByvmOAKIBxpuKCArRPDs+UF+bForsjkolE0OjnGuct9ne1rtx
ob+/XTPkGVuj84xeN/h8Jm52obOqXPayM7F3j3SBzucKE0qSohGxNUQiio2NOO0x
wU9oZTpea6NcPtZ7Qrf3INrOMXnJKku4wWn9LqWxLdiTsuDb+DttqZJNJfFOZUmL
+Gibp0iRDqvyts7xlTRt1KU0deRK5GsTgbPNi3SnqSybT9ySEm5Gn17yf+VvIJbZ
LvBEATLqepMz8iXDt6LQoIIB1zCCAdMwggE8oAMCAQICIDNBMTU5ODJDQ0RFOEIw
Nzc4MEZGQUJCNTA4NTYxM0EAMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMMFWFi
b3RlbGhvMy5leGFtcGxlLmNvbTAeFw0yMjEwMjExNjUxMTJaFw0yMjEwMjcxODUx
MTJaMCAxHjAcBgNVBAMMFWFib3RlbGhvMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAu/4x4wt5K4HPyj4Jp37dj+tipD38zwIYYVuJ0Y92
d8k5fa2FOtVnuj2gOo4so+IKgrxtxdDu/C5WdFEyb/kmwy7rx/N4NtlSYTI1sCS5
Q0cdnuVQ76ilP8dyAuOcDITG/2NklxrrC4Y1fyz1VsS2AB6ytlm0lcChBhXd+KI8
+u8CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBdc0aTJXJpeHhyrMMOutvp5n/78hvc
9KlB3THWhW8DIFa579+ivqsCh3vDWvArGQOgZq/2owTF20vb3SBhxvB/OjwXFct6
ROR5AAbksF5xrgK3Y39bSp38syS2aZ5IvmqtjtnxBwnLwX7LojDFoZs2Kv3bysmn
VFrMicbULBnWWTGCAcIwggG+AgEBMEQwIDEeMBwGA1UEAwwVYWJvdGVsaG8zLmV4
YW1wbGUuY29tAiAzQTE1OTgyQ0NERThCMDc3ODBGRkFCQjUwODU2MTNBADANBglg
hkgBZQMEAgEFAKCB0TASBgpghkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzEL
BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMTAyMTE2NTExMlowIAYKYIZI
AYb4RQEJBTESBBBOqEmvZhufZ4OFfBXraLlYMC8GCSqGSIb3DQEJBDEiBCBfh2Ah
9xsmgQ+XASlVZhTejU7hS4bHCqOlc9MnUfybWTAwBgpghkgBhvhFAQkHMSITIDNB
MTU5ODJDQ0RFOEIwNzc4MEZGQUJCNTA4NTYxM0EwMA0GCSqGSIb3DQEBAQUABIGA
J2ZFX0iex9G01WFEhK0+dOldRdCjc2JzBIHAc/dAZxAKEJXw0ZLA466aC4aCJV6n
2wK79cVJldbFR7+llEOdDQTcGD9qB1E3ROznv4/0VpaBtHEbsLuIe3rg4TIScQLF
8sH1oP9PivWlL59Yzq23PFpPzS/qM0gpJeTRpvUcYtA=
-----END PKCS7-----
sscep: applying base64 encoding
sscep: base64 encoded payload size: 2515 bytes
sscep: scep request:
GET /ca/scep/caServerCert/pkiclient.exe?operation=PKIOperation&message=MIIHPAYJKoZIhvcNAQcCoIIHLTCCBykCAQExDzANBglghkgBZQMEAgEFADCCA3AG%0ACSqGSIb3DQEHAaCCA2EEggNdMIIDWQYJKoZIhvcNAQcDoIIDSjCCA0YCAQAxggFe%0AMIIBWgIBADBCMDsxCzAJBgNVBAYTAkRNMREwDwYDVQQKDAhkb21pbmljYTEZMBcG%0AA1UEAwwQRG9taW5pY2FRQUNBMjAyMAIDD0JBMA0GCSqGSIb3DQEBAQUABIIBAHwN%0AmqJahvkV8yr7cfWQNjdA/BQq5EJPPhj4yQltpDmFhde0Br9el85%2BsiJG76w/utOl%0ALwGuZbuGArVwJ/1TFceIV00AYgH00MWqUyAaOtweUYlW1FLCXWSfekwS9HK5f8Fa%0AQUUCbnUav52MwnamgzD7zUpXkGHF3sAP5iyKReNl2I9a6fwiNZKdkgp2DwlhDtRY%0AKmuQGq0RzQ7wgkKmxbPUoFsu0cFie0X6ErxIHB0E2vmK%2BIlpOd%2ByW6UOkmX11Odk%0AG4MVGDjTXQy9v5F/%2BHiUCrU74FLq8xHsSupfwB9AePWGc842mIeESFlmcEV3y%2BeK%0A0KouJZqogvq%2Bijk66ekwggHdBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECO3B1I25%0AiSgjgIIBuJ4zwMkyWwpn2FQ3H67h4ZoCCl3iGhAJKLkveC%2BpIOme2ugzZEnClXs1%0ANYhKuTYfPFzLqCSvjMXSCKzqXMF1kOZh1kdjQfG1PFHDg6h7MFSkTuriEFEqS5bQ%0AyUsPGjejHD3idqaezgjtBcTvr21yNUQatKxdZ3Ap34A57XSlBZCpLzpyzX18mFsu%0A6jBP%2Bxp9TLgCjBefKvDa2sfQrwGaNY0K1%2BOYnr475eYxnG7390bLShgW8mAgiT9h%0Azl9WfeBCHYPgSpb%2BQQZcnZFHI7fKU5I4gqMrPO9D%2BSV6l0v2OpVMqw9mACE0Qpoa%0AbCA9wm62pmIp9wxByvmOAKIBxpuKCArRPDs%2BUF%2BbForsjkolE0OjnGuct9ne1rtx%0Aob%2B/XTPkGVuj84xeN/h8Jm52obOqXPayM7F3j3SBzucKE0qSohGxNUQiio2NOO0x%0AwU9oZTpea6NcPtZ7Qrf3INrOMXnJKku4wWn9LqWxLdiTsuDb%2BDttqZJNJfFOZUmL%0A%2BGibp0iRDqvyts7xlTRt1KU0deRK5GsTgbPNi3SnqSybT9ySEm5Gn17yf%2BVvIJbZ%0ALvBEATLqepMz8iXDt6LQoIIB1zCCAdMwggE8oAMCAQICIDNBMTU5ODJDQ0RFOEIw%0ANzc4MEZGQUJCNTA4NTYxM0EAMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMMFWFi%0Ab3RlbGhvMy5leGFtcGxlLmNvbTAeFw0yMjEwMjExNjUxMTJaFw0yMjEwMjcxODUx%0AMTJaMCAxHjAcBgNVBAMMFWFib3RlbGhvMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG%0A9w0BAQEFAAOBjQAwgYkCgYEAu/4x4wt5K4HPyj4Jp37dj%2BtipD38zwIYYVuJ0Y92%0Ad8k5fa2FOtVnuj2gOo4so%2BIKgrxtxdDu/C5WdFEyb/kmwy7rx/N4NtlSYTI1sCS5%0AQ0cdnuVQ76ilP8dyAuOcDITG/2NklxrrC4Y1fyz1VsS2AB6ytlm0lcChBhXd%2BKI8%0A%2Bu8CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBdc0aTJXJpeHhyrMMOutvp5n/78hvc%0A9KlB3THWhW8DIFa579%2BivqsCh3vDWvArGQOgZq/2owTF20vb3SBhxvB/OjwXFct6%0AROR5AAbksF5xrgK3Y39bSp38syS2aZ5IvmqtjtnxBwnLwX7LojDFoZs2Kv3bysmn%0AVFrMicbULBnWWTGCAcIwggG%2BAgEBMEQwIDEeMBwGA1UEAwwVYWJvdGVsaG8zLmV4%0AYW1wbGUuY29tAiAzQTE1OTgyQ0NERThCMDc3ODBGRkFCQjUwODU2MTNBADANBglg%0AhkgBZQMEAgEFAKCB0TASBgpghkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzEL%0ABgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMTAyMTE2NTExMlowIAYKYIZI%0AAYb4RQEJBTESBBBOqEmvZhufZ4OFfBXraLlYMC8GCSqGSIb3DQEJBDEiBCBfh2Ah%0A9xsmgQ%2BXASlVZhTejU7hS4bHCqOlc9MnUfybWTAwBgpghkgBhvhFAQkHMSITIDNB%0AMTU5ODJDQ0RFOEIwNzc4MEZGQUJCNTA4NTYxM0EwMA0GCSqGSIb3DQEBAQUABIGA%0AJ2ZFX0iex9G01WFEhK0%2BdOldRdCjc2JzBIHAc/dAZxAKEJXw0ZLA466aC4aCJV6n%0A2wK79cVJldbFR7%2BllEOdDQTcGD9qB1E3ROznv4/0VpaBtHEbsLuIe3rg4TIScQLF%0A8sH1oP9PivWlL59Yzq23PFpPzS/qM0gpJeTRpvUcYtA%3D%0A HTTP/1.1
Host: ca1.example.com:8080
Connection: close

sscep: server response status code: 200, MIME header: application/x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 663 bytes
sscep: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
MIICkwYJKoZIhvcNAQcCoIIChDCCAoACAQExDzANBglghkgBZQMEAgEFADAPBgkq
hkiG9w0BBwGgAgQAMYICVzCCAlMCAQEwQjA7MQswCQYDVQQGEwJETTERMA8GA1UE
CgwIZG9taW5pY2ExGTAXBgNVBAMMEERvbWluaWNhUUFDQTIwMjACAw9CQTANBglg
hkgBZQMEAgEFAKCB5zARBgpghkgBhvhFAQkCMQMTATMwEQYKYIZIAYb4RQEJAzED
EwEwMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwIAYKYIZIAYb4RQEJBTESBBDz
DitOqWcnTLg3zIjHoEmKMCAGCmCGSAGG+EUBCQYxEgQQTqhJr2Ybn2eDhXwV62i5
WDAvBgkqhkiG9w0BCQQxIgQg47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hS
uFUwMAYKYIZIAYb4RQEJBzEiEyAzQTE1OTgyQ0NERThCMDc3ODBGRkFCQjUwODU2
MTNBMDANBgkqhkiG9w0BAQEFAASCAQABg3UuagBnAGCFQojaUbiZ7x70/1AUJ1i+
K67l0fUdrFmE9WPVcZzGxEum6i9L5/NWMC5Ql4/G8nw4D3do0GHRkthEtiWDmdZc
A+q44Feeni+P+MShWalBemQd9HBB4BF36QOQMp+/trx38XktqTL6D6KdL8MANxT1
n8Rr6PIPfYKZ4Qi+vSU1Vs8ES0uD+QePnF0Z0I7w8HYQrF/7V4MRLab2lincHlqD
+Pf+Q2etZGp2gqXnUnrv9h7RT/eoCOngvLZ+bBd3WrftDNC4j8HSzLRkBUYuBgEP
YTC33qup5Y5Y1iA4N5VbtSvFZc2/i+N+JjF8HeebeCM8C6ID2N+v
-----END PKCS7-----
sscep: PKCS#7 contains 0 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 3A15982CCDE8B07780FFABB5085613A0
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: F30E2B4EA967274CB837CC88C7A0498A
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: 4EA849AF661B9F6783857C15EB68B958
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: SUCCESS
sscep: illegal size of payload

The request in the Dogtag Agent Services Web UI: image

My understanding is that sscep: pkistatus: SUCCESS should be sscep: pkistatus: PENDING which would trigger sscep to go into polling mode.

Any assistance?

These are the files I used for pkispawn of the CA:

[QA] ca1:~/dogtag # cat subca-1.cfg 
[DEFAULT]
pki_server_database_password=Secret.123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=True
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=DMVLT

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

pki_external=True
pki_external_step_two=False

pki_ca_signing_csr_path=ca_signing.csr

[QA] ca1:~/dogtag # cat subca-2.cfg 
[DEFAULT]
pki_server_database_password=Secret.123
pki_cert_chain_nickname=root-ca_signing
pki_cert_chain_path=root-ca_signing.crt

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=True
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=DMVLT

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

pki_external=True
pki_external_step_two=True

pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
abotelho-cbn commented 1 year ago

https://github.com/certnanny/sscep/issues/159

I've posted this on sscep's end as well, because it's not clear to me which end is broken.

ckelleyRH commented 1 year ago

Thank you for raising this issue! We will discuss it in our Triage meeting on Tuesday 22nd November.