|Applies To||Keon Certificate Authority 6.5.1|
Microsoft Windows 2000 Server SP4
Simple Certificate Enrollment Protocol (SCEP)
|Issue||Keon Certificate Authority (KCA) requires the ChallengePassword attribute for SCEP certificate requests|
A SCEP certificate request (created using the open source SSCEP client) submitted to KCA fails. The certificate request is not saved by the KCA. KCA and system log files do not show any error messages.
SCEP requests from another client (based on RSA BSAFE Cert-C) work fine, and certificates are issued through SCEP.
Enabling trace logging in KCA (see RSA Keon CA 6.5.1 Administrator's Guide) and capturing result codes by updating pkiclient.exe (see solution "Debugging SCEP enrollment issues") shows that KCA returns an XrcNOTFOUND error. Listed below are some selected entries from the KCA Administration Server's trace log file:
|Cause||The SCEP certificate request, generated using the SSCEP client, did not contain the ChallengePassword attribute. KCA requires that the ChallengePassword attribute be set in the SCEP certificate request. Requests without the password are rejected by KCA as "unauthenticated".|
The latest SCEP draft available at http://www.ietf.org/internet-drafts/draft-nourse-scep-12.txt is not very clear, but appears to require ChallengePassword in requests.
To correct this issue, ensure that the ChallengePassword attribute is set in the SCEP certificate request.
NOTE: RSA Security is reviewing whether or not KCA should require ChallengePassword attribute in SCEP certificate requests. Contact RSA Security Customer Support for more details on the current status.
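One way to confirm, before submission, that a request carries the attribute: the following Python check is an added example (not code from RSA, KCA or the SSCEP project) that walks a DER-encoded PKCS#10 request and looks for the PKCS#9 challengePassword attribute, OID 1.2.840.113549.1.9.7. The function names and the `sample_request` skeleton are assumptions made for illustration; the sample uses placeholder subject, key and signature fields and is not a valid signed request.

```python
# Added example: check a DER-encoded PKCS#10 request for the PKCS#9
# challengePassword attribute (OID 1.2.840.113549.1.9.7) before SCEP submission.
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")

def der(tag, *parts):
    """Encode one DER element (used only to build the constructed samples)."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def children(buf):
    """Split a DER value into its (tag, value) child elements."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER element")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def has_challenge_password(csr_der):
    """True if CertificationRequestInfo.attributes holds a non-empty challengePassword."""
    (_, request), = children(csr_der)          # CertificationRequest
    info = children(request)[0][1]             # CertificationRequestInfo
    for tag, value in children(info):
        if tag != 0xA0:                        # attributes are [0] IMPLICIT SET
            continue
        for _, attr in children(value):
            parts = children(attr)             # Attribute ::= { type OID, values SET }
            if len(parts) == 2 and parts[0] == (0x06, CHALLENGE_PASSWORD_OID):
                return any(len(v) > 0 for _, v in children(parts[1][1]))
    return False

def sample_request(password=None):
    """Constructed PKCS#10 skeleton with placeholder subject, key and signature."""
    attrs = []
    if password is not None:
        attrs.append(der(0x30, der(0x06, CHALLENGE_PASSWORD_OID),
                         der(0x31, der(0x13, password.encode()))))
    info = der(0x30, der(0x02, b"\x00"), der(0x30), der(0x30), der(0xA0, *attrs))
    return der(0x30, info, der(0x30), der(0x03, b"\x00"))
```

To check a real request, pass the DER bytes of the PKCS#10 file (base64-decode the body first if it is PEM) to `has_challenge_password`; the function reports only presence and never returns the password value.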
|Legacy Article ID||a26958|