CMP client mode does not work properly

[XYQ202]

Hello,team
See Enrolling in Client Mode with HMAC Password Authentication under the CMP Operations Guide section of the official website
A cmp alias is "opensslclient" is added, as shown in the figure below, and a user user2 is also added, as shown in the figure below.

But I run the command:
openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslclient -srvcert ManagementCA.cacert.pem -ref user3 -secret pass:password -certout clcert1.pem -newkey key1.pem -subject "/CN= user3/O=sunwave/C=CN"
It does not succeed, and the following error is displayed:

can you help me？

Another problem is that the renewal of the certificate (KUR) cannot be successful, and an error is also reported:
CMP Error: missing protection

[primetomas]

Looks like you received an error message from the server. Check the server.log to see what was wrong with your request. It's usually in pretty clear text in the server.logl.

[XYQ202]

where is the server.logl？ I cannot find it

[Realiserad]

It's in /opt/wildfly/standalone/log/server.log if you installed EJBCA manually (on Linux) using the instructions on PrimeKey's website.

If you are using the EJBCA container with docker, you can get the log output using something like docker logs $(docker ps | grep ejbca-ce | awk '{ print $1 }') -f.

Anyway, I think you are missing the implicit-confirm parameter.

I have a repository with some sample commands which may be of help.

[Realiserad]

@XYQ202 How did it go?