Configuring SCEP with IGEL UMS 6.05.100 with IGEL OS 11

I’m running UMS 6.05-100 with IGEL OS 11.04.* and am having problems with SCEP.


The first onboarding goes without problem and we are presented with a certificate key/pem from our NDES server with a one-time password.

But the renewal process fails and I’m left with only a client.key file?

Any ideas?

Hi, do you get helpful insights when issuing a new certificate or only on renewals?

What does journalctl -f | grep scep

state when issuing the commands?

Perhaps that might help for troubleshooting:

Btw. please update to latest .240.

New certificates are no problem, only on renewals.

The way I have set this up is that during prepping of a new client, a temporary scep-profile is updated with a one-time password gathered from the NDES service and added only to the new client. This then requests a new cert with the one-time password and everything is great. Then the scep-profile is removed and the main scep-profile with networking and more is added to the client.

This is done on the LAN, no Wi-Fi, so no scripting is required.

Then the lease time on the certificate goes out and the renewal should kick in; this seems to only occur during reboot? When the client has rebooted, the negotiation with the NDES should use the client certificate to request a new/renewal and update the key/cert, but this does not happen and I’m left with only the client.key file.

If I try to do a scep_renewl 0 the output in journalctl is scep_renew: files for renewak of /wfs/scep_certificates/cert0/cacert.pem not avalible

But the file is there and openssl has no problem reading it.

I’m wondering if the test case, where I have lowered the cert-template in CS to only one day lease time and the SCEP renewal period and expire check interval are both set to 1 day in the SCEP config, has anything to do with this.

Followed the instructions from Udo and that works fine, so does that mean that my renewal will work automatically now in the future? I’m about to deploy a great number of clients and don’t want a problem when the lease time goes out. Hence the testing.

Hello. We had identified this, and we have a private build that released last night that should correct this. I will PM you with the download link.
