I have set up EJBCA as a divisional CA, both root and issuing. Windows servers: no issues. Cisco devices are my next obstacle (who wants to use self-signed certificates and go through the 'I acknowledge' every time?! lol).
Grabbing the CA chain, no problems.
Enrolling for the device cert is where the problems begin...
Logs:
1st attempt (EJBCA successful; Cisco failed: says no cert and says request failed)
2022-05-26 15:31:48,166-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) No SCEP alias specified in the URL. Using the default alias: scep
2022-05-26 15:31:48,166-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) Received a SCEP message from (IP).
2022-05-26 15:31:48,180-0400 INFO [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-5) No CN in DN: SN=(SN)+unstructuredName=(FQDN)
2022-05-26 15:31:48,180-0400 INFO [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-5) No CN in DN: SN=(SN)+unstructuredName=(FQDN)
2022-05-26 15:31:48,182-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CA_USERAUTH;SUCCESS;CA;EJBCA;(IP);-1207975468;;(SN);msg=Authenticated user (SN).
2022-05-26 15:31:48,185-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;(IP);;;;resource0=/ca_functionality/create_certificate;resource1=/ca/-1207975468
2022-05-26 15:31:48,185-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;(IP);-1207975468;;(SN);subjectdn=unstructuredName=(FQDN),SN=(SN);requestX500name=SN=(SN)+unstructuredName=(FQDN);subjectaltname=DNSNAME=(FQDN), IPADDRESS=(IP), IPADDRESS=(IP2);requestaltname=;certprofile=1340328713;keyusage=-1;notbefore=;notafter=;sequence=;publickey=(removed)
2022-05-26 15:31:48,192-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CERT_STORED;SUCCESS;CERTIFICATE;CORE;(IP);-1207975468;(Serial);(SN);msg=Certificate stored for username '(SN)', fp=c5fce136128b3b4841e702f9d243964d7ea669ae, subjectDN 'unstructuredName=(FQDN),SN=(SN)', issuerDN 'CN=(IssuingCN)', serialNo=(Serial).
2022-05-26 15:31:48,193-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CERT_CREATION;SUCCESS;CERTIFICATE;CORE;(IP);-1207975468;(Serial);(SN);subjectdn=unstructuredName=(FQDN),SN=(SN);certprofile=1340328713;issuancerevocationreason=-1;cert=(removed)
2022-05-26 15:31:48,206-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;RA_EDITENDENTITY;SUCCESS;RA;CORE;Local admin call from EndEntityManagementSession.decRequestCounter;-1207975468;;(SN);msg=Edited end entity (SN), new status 40.
2022-05-26 15:31:48,206-0400 INFO [org.ejbca.core.ejb.ca.auth.EndEntityAuthenticationSessionBean] (default task-5) Changed status for '(SN)' to STATUS_GENERATED.
2022-05-26 15:31:48,210-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) Sent a SCEP PKIOperation response to (IP).
Changed the certificate from GENERATED back to NEW to attempt again.
2nd attempt (EJBCA failed; Cisco failed: says no cert and says request failed)
2022-05-26 15:31:49,881-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) No SCEP alias specified in the URL. Using the default alias: scep
2022-05-26 15:31:49,882-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) Received a SCEP message from (IP).
2022-05-26 15:31:49,889-0400 INFO [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-5) No CN in DN: SN=(SN)+unstructuredName=(FQDN)
2022-05-26 15:31:49,889-0400 INFO [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-5) No CN in DN: SN=(SN)+unstructuredName=(FQDN)
2022-05-26 15:31:49,890-0400 INFO [org.ejbca.core.ejb.ca.auth.EndEntityAuthenticationSessionBean] (default task-5) Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: (SN).
2022-05-26 15:31:49,890-0400 INFO [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-5) No CN in DN: SN=(SN)+unstructuredName=(FQDN)
2022-05-26 15:31:49,890-0400 INFO [org.ejbca.core.protocol.scep.ScepMessageDispatcherSessionBean] (default task-5) Attempted to enroll on an end entity (username: (SN), alias: scep) with incorrect status: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: (SN).: org.ejbca.core.model.ca.AuthStatusException: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: (SN).
2022-05-26 15:31:48,206-0400 INFO [org.ejbca.core.ejb.ca.auth.EndEntityAuthenticationSessionBean] (default task-5) Changed status for '(SN)' to STATUS_GENERATED.
2022-05-26 15:31:49,897-0400 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-5) Sent a SCEP PKIOperation response to (IP).
So, why is EJBCA (or is it Cisco?) expecting the cert status to match the serial number and not generated?
Jonathan
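As an added example (not from the post above, and not EJBCA's own tooling), here is a small Python parser for the two kinds of log line quoted in it: it splits the Log4jDevice audit records into their ';'-separated fields and reconstructs, per end entity, what the CA did (certificate issued, end-entity status edited to 40) and which SCEP requests it then rejected because of that status. The sample lines are constructed from the post's own output, with its (SN)/(IP)/(Serial) placeholders kept.

```python
import re

# Constructed sample, modelled on the EJBCA log lines quoted in the post
# (placeholders such as (SN), (IP) and (Serial) kept as in the post).
SAMPLE_LOG = """\
2022-05-26 15:31:48,182-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CA_USERAUTH;SUCCESS;CA;EJBCA;(IP);-1207975468;;(SN);msg=Authenticated user (SN).
2022-05-26 15:31:48,193-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;CERT_CREATION;SUCCESS;CERTIFICATE;CORE;(IP);-1207975468;(Serial);(SN);subjectdn=unstructuredName=(FQDN),SN=(SN);certprofile=1340328713;issuancerevocationreason=-1;cert=(removed)
2022-05-26 15:31:48,206-0400 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-5) 2022-05-26 15:31:48-04:00;RA_EDITENDENTITY;SUCCESS;RA;CORE;Local admin call from EndEntityManagementSession.decRequestCounter;-1207975468;;(SN);msg=Edited end entity (SN), new status 40.
2022-05-26 15:31:49,890-0400 INFO [org.ejbca.core.protocol.scep.ScepMessageDispatcherSessionBean] (default task-5) Attempted to enroll on an end entity (username: (SN), alias: scep) with incorrect status: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: (SN).: org.ejbca.core.model.ca.AuthStatusException: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: (SN).
"""

# Audit record after the "(default task-N)" prefix: ten ';'-separated fields; the
# last one holds key=value details that may themselves contain ';' and ','.
AUDIT_FIELDS = ["time", "event", "outcome", "module", "service",
                "auth_token", "ca_id", "cert_serial", "username", "details"]
AUDIT_RE = re.compile(r"\[org\.cesecore\.audit\.impl\.log4j\.Log4jDevice\] \(default task-\d+\) (.*)$")
# SCEP dispatcher line written when a request is refused because of end-entity status.
REJECT_RE = re.compile(r"Attempted to enroll on an end entity \(username: (?P<user>.+?), alias: "
                       r"(?P<alias>[^)]+)\).*?Got request with status (?P<status>[A-Z]+) \((?P<code>\d+)\)")


def parse_audit(line):
    """Return one audit record as a dict (details as a nested dict), or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = dict(zip(AUDIT_FIELDS, m.group(1).split(";", len(AUDIT_FIELDS) - 1)))
    rec["details"] = dict(kv.split("=", 1) for kv in rec.get("details", "").split(";") if "=" in kv)
    return rec


def scep_enrollment_report(log_text):
    """Per end entity: serials issued, last status EJBCA set, and SCEP requests rejected for status."""
    report = {}
    blank = lambda: {"issued": [], "status": None, "rejected": []}
    for line in log_text.splitlines():
        rec = parse_audit(line)
        if rec is not None:
            ent = report.setdefault(rec["username"], blank())
            if rec["event"] == "CERT_CREATION" and rec["outcome"] == "SUCCESS":
                ent["issued"].append(rec["cert_serial"])
            elif rec["event"] == "RA_EDITENDENTITY":
                sm = re.search(r"new status (\d+)", rec["details"].get("msg", ""))
                if sm:
                    ent["status"] = int(sm.group(1))  # 40 is logged as GENERATED in the post
            continue
        rm = REJECT_RE.search(line)
        if rm:
            report.setdefault(rm["user"], blank())["rejected"].append((rm["alias"], rm["status"], int(rm["code"])))
    return report
```

Run over the post's full log, the report shows the first request issuing (Serial) and moving (SN) to status 40, and the second request being refused for exactly that status; on a live system the same parser can be pointed at the EJBCA log to watch for repeated status rejections from a device that keeps re-enrolling.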