Re: Error while Enrolling the certificate


David Grant
Dec 13, 2012, 1:31:40 AM
to Surendra Chilkoti, jscep-...@googlegroups.com
Hi Surendra,

Please email the list instead of me directly in future!

The first issue is an easy one: you're adding the password to the CSR builder after you've built the CSR.  Therefore, the CSR actually contains no password.

As for the second issue, what is the request that is causing the problem?  It might be worth pointing out that the certificate profile you're passing to the enrol method looks a bit unusual; can you verify that is indeed the name of the NDES profile you're using?

Dave

On Thursday, 13 December 2012, Surendra Chilkoti wrote:
Hey David!

I am getting the following errors, can you please give some input on this.

Error:

Dec 10, 2012 10:49:24 PM org.jscep.message.PkiMessageDecoder decode

WARNING: Unable to verify message because the signedData contained no certificates.


Then looking at the Event Viewer on the server I found the following error messages.

1. The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.

2. The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.
For the above error there is a Microsoft hotfix, but this hotfix is only applicable to Windows Server 2008 R2, and I am using Windows Server 2003.

I also changed the query string length on the server using the following command (based on the documentation for SCEP); that doesn't work either.

appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"4098" /commit:apphost


I have tried exporting the RootCACertificate in .cer format and tried to sign using the .cer file; still the same error.

I am not sure how I can sign the certificate for a particular CA. My environment is very simple: I am using Windows Server 2003 and Win 7 as the client, both running on VMs.

I am using the sample code as per the jscep documentation.

Any thoughts, direction or documentation regarding signing a request for a CA will be helpful.

I have attached a program.

Thanks!

~Surendra
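The fix Dave describes above, as an added example that is not code from this thread or from the jscep project: the challengePassword attribute is added to the Bouncy Castle CSR builder before build(), and a check confirms the finished CSR actually carries it before it is sent to NDES. It assumes Bouncy Castle (bcprov/bcpkix) on the classpath; the subject name and the challenge value are placeholders.

```java
// Added example, not from the thread or the jscep project. Assumes Bouncy
// Castle on the classpath; "CN=device01" and the challenge are placeholders.
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class ScepCsrExample {

    /** Builds a SCEP CSR with the NDES challenge password embedded. */
    static PKCS10CertificationRequest buildCsr(KeyPair kp, String challenge) throws Exception {
        PKCS10CertificationRequestBuilder b = new JcaPKCS10CertificationRequestBuilder(
                new X500Name("CN=device01"), kp.getPublic());
        // The attribute must be added BEFORE build(): build() serialises and signs
        // the request, so anything added to the builder afterwards never reaches
        // the server, which is exactly the "cannot locate a required password" case.
        b.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
                new DERPrintableString(challenge));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return b.build(signer);
    }

    /** Pre-flight check: does the finished CSR actually carry a challengePassword? */
    static boolean hasChallengePassword(PKCS10CertificationRequest csr) {
        return csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_challengePassword).length > 0;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        PKCS10CertificationRequest csr = buildCsr(kp, "PLACEHOLDER-NDES-CHALLENGE");
        if (!hasChallengePassword(csr)) {
            throw new IllegalStateException("CSR has no challengePassword; NDES would reject it");
        }
    }
}
```

Run the same check against a CSR built with the attribute added after build() and it fails, which is a quick way to catch the ordering bug locally instead of on the NDES event log.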
 
 

S.Chilkoti
Dec 19, 2012, 11:01:03 PM
to jscep-...@googlegroups.com
Thanks David!
1. I have resolved the issue by moving the password code before the CSR builder.

2. Initially, when I gave the profile, I got an error for an incorrect profile name, and the error message had "application/x-x509-next-ca-cert" as the profile name to use, so I used "application/x-x509-next-ca-cert" by changing the profile name; but I reversed the changes, and as expected it is working.

4. Upgraded to Windows Server 2008 R2 and ran the patch, which resolved the Operation Tag error.

5. After all those changes I started getting the following error on the server side while enrolling from the client, i.e. client.Enroll(...):
"The revocation function was unable to check revocation because the revocation server was offline".

The above error message can be viewed by enabling the Windows log for CAPI.

I resolved the above error mentioned in number 5 by executing the following command.

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE


Thanks!

~Surendra

David Grant
Dec 20, 2012, 1:06:46 AM
to jscep-...@googlegroups.com
I'm glad it's all working for you now.

Dave

