
Failing to enable SCEP

 
MarcusSjogren
Visitor

Hi guys!

I have just built my own PKI platform based on EJBCA. I have checked that everything is working properly on other machines so now I'm trying to use SCEP to enroll certificates to my iLO5.
The iLO has advanced features enabled, DNS is properly configured etc.

I even added a rule in my NGINX to append the message=MyCAName to the URL since iLO seems to not do that whilst EJBCA requires it.

I can see that the traffic hits my NGINX and that the requests are rewritten properly, but EJBCA does not complain in the logs, it just says that it accepted the connection and chose the proper SCEP server. Then it all ends with iLO closing the connection.

Is there any way for me to debug this on the iLO-side?

iLO only states event class 0x37 and event code 0x26B in the security logs, doesn't really give me much to work with.

This is what the request looks like in NGINX:

2024/10/30 22:22:22 [notice] 324185#324185: *31615 "^" matches "/scep", client: 1.1.1.1, server: pki.mydomain.com, request: "GET /scep?operation=GetCACaps HTTP/1.1", host: "pki.mydomain.com"
2024/10/30 22:22:22 [notice] 324185#324185: *31615 rewritten redirect: "http://2.2.2.2:82/ejbca/publicweb/apply/scep/pkiclient.exe?message=MyPKISubCa&operation=GetCACaps", client: 1.1.1.1, server: pki.mydomain.com, request: "GET /scep?operation=GetCACaps HTTP/1.1", host: "pki.mydomain.com"
2024/10/30 22:22:22 [info] 324185#324185: *31615 client 1.1.1.1 closed keepalive connection

MarcusSjogren
Visitor

Re: Failing to enable SCEP

And if I go to the SCEP-URL myself, I get the below response:

 

POSTPKIOperation
Renewal
SHA-512
SHA-256
SHA-1
DES3
AES
SCEPStandard
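
Added example, not part of the original posts: a Python sketch that reads nginx `rewrite_log` lines such as those quoted in the first post and reports, per connection, whether each rewrite was logged as "rewritten redirect" (a redirect answered to the client) or "rewritten data" (a rewrite handled inside nginx), along with the target and the SCEP query parameters. The function name `summarize` and the result field names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Log lines copied from the first post (nginx error log with rewrite_log on).
SAMPLE_LOG = '''\
2024/10/30 22:22:22 [notice] 324185#324185: *31615 "^" matches "/scep", client: 1.1.1.1, server: pki.mydomain.com, request: "GET /scep?operation=GetCACaps HTTP/1.1", host: "pki.mydomain.com"
2024/10/30 22:22:22 [notice] 324185#324185: *31615 rewritten redirect: "http://2.2.2.2:82/ejbca/publicweb/apply/scep/pkiclient.exe?message=MyPKISubCa&operation=GetCACaps", client: 1.1.1.1, server: pki.mydomain.com, request: "GET /scep?operation=GetCACaps HTTP/1.1", host: "pki.mydomain.com"
2024/10/30 22:22:22 [info] 324185#324185: *31615 client 1.1.1.1 closed keepalive connection
'''

# "date time [level] pid#tid: *connection message"
LINE_RE = re.compile(r'^\S+ \S+ \[\w+\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$')
# nginx logs "rewritten redirect" when the rule answers with a redirect and
# "rewritten data" (plus args) when the URI is rewritten inside nginx.
REWRITE_RE = re.compile(
    r'^rewritten (?P<kind>redirect|data): "(?P<target>[^"]*)"'
    r'(?:, args: "(?P<args>[^"]*)")?')

def summarize(log_text):
    """Group rewrite_log lines by connection id and describe each rewrite."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = conns.setdefault(m['conn'], {'rewrites': [], 'client_closed': False})
        rw = REWRITE_RE.match(m['msg'])
        if rw:
            url = urlsplit(rw['target'])
            query = parse_qs(url.query or rw['args'] or '')
            info['rewrites'].append({
                'external_redirect': rw['kind'] == 'redirect',
                'scheme': url.scheme, 'host': url.hostname, 'port': url.port,
                'path': url.path,
                'message': query.get('message', [None])[0],
                'operation': query.get('operation', [None])[0],
            })
        elif re.match(r'client \S+ closed keepalive connection', m['msg']):
            info['client_closed'] = True
    return conns

if __name__ == '__main__':
    for conn, info in summarize(SAMPLE_LOG).items():
        for rw in info['rewrites']:
            how = 'redirect sent to client' if rw['external_redirect'] else 'internal rewrite'
            print(f"*{conn}: {how} -> {rw['scheme']}://{rw['host']}:{rw['port']}{rw['path']} "
                  f"message={rw['message']} operation={rw['operation']}")
        print(f"*{conn}: client closed connection: {info['client_closed']}")
```

In the redirect case the client is handed the target URL and has to request it itself; in the internal case nginx serves or proxies the rewritten URI on the same connection.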