Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set
up with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes
successfully per the Dogtag side of the equation but the response from
the server cannot be decrypted by the client and I get the following
error in the certmonger debug log:
2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.
"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
The following commands were used for server addition and certificate
registration.
getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
Looking at the certmonger code, it looks like it is completely skipping
all of the case statements and simply dropping down to the 'goto:'
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
I've tried recompiling certmonger with some debug statements but I
haven't managed to suss out what's going on. If someone could tell me
how to print the actual response from the server, it would be appreciated.
It certainly feels like the SCEP support has taken a back seat to the
CMC features but the CMC features just aren't ready to replace SCEP at
this time and, of course, can't support a lot of hardware requirements.
A couple of things to try:
- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
  have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with
  certmonger -d 9 -n 2>&1 | tee /path/to/some/log
  and then redo the request. Again, you may be able to get some data out of it.
I haven't tried SCEP with a subCA. It could be there is some
disagreement about who is actually signing the response.
rob
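A way to reproduce and inspect this offline, as an added example that is not from this thread, certmonger or Dogtag: a throwaway root CA and sub CA are generated with the openssl CLI (assumed installed), a PKCS#7 SignedData blob standing in for the server response is signed by the sub CA, and it is then verified against different trust anchors the way the client uses its -R file, with show_signer printing what the bundled certificate and the SignerInfo say about who signed. That the response is signed by a sub CA the client's anchor file does not cover is an assumption about the cause, not something the thread confirms.

```shell
# Added example (not from the thread): constructed root CA -> sub CA chain,
# a SignedData response made by the sub CA, and a check of who signed it.
# Assumes only the openssl CLI; all keys and certs are throwaway test material.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF
new_key_and_self_signed() {   # $1 = file stem, $2 = CN
    openssl req -x509 -config "$WORK/ca.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
setup_chain() {
    new_key_and_self_signed root "Constructed Root CA"
    new_key_and_self_signed other "Unrelated CA"
    # Sub CA issued by the root; its digitalSignature bit lets it sign responses.
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Sub CA' -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.cnf" -extensions ca -out "$WORK/sub.pem" 2>/dev/null
    # Stand-in for the server response: SignedData produced by the sub CA,
    # once with its certificate bundled (default) and once without (-nocerts).
    printf 'constructed SCEP response payload\n' > "$WORK/body.bin"
    for opt in "" -nocerts; do
        openssl cms -sign -binary -nodetach -outform DER $opt -in "$WORK/body.bin" \
            -signer "$WORK/sub.pem" -inkey "$WORK/sub.key" -out "$WORK/resp$opt.der" 2>/dev/null
    done
}
# Verify as the client does with its -R anchor: 0 = signature good AND signer chains to $1.
verify_with() {   # $1 = anchor PEM, $2 = response DER
    openssl cms -verify -binary -inform DER -in "$2" -CAfile "$1" -out /dev/null 2>/dev/null
}
# What to look at when the client only says "failed to verify signature":
# the bundled signer certificate (if any) and the SignerInfo issuer/serial.
show_signer() {   # $1 = response DER
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout 2>/dev/null
    openssl cms -cmsout -print -inform DER -in "$1" 2>/dev/null | grep -E 'issuer|serialNumber'
}
setup_chain
for c in "root.pem resp.der" "other.pem resp.der" "root.pem resp-nocerts.der"; do
    set -- $c
    if verify_with "$WORK/$1" "$WORK/$2"; then echo "$1 with $2: verified"; else echo "$1 with $2: FAILED"; fi
done
show_signer "$WORK/resp.der"
```

Only the first case verifies: an anchor that does not cover the signer's chain, or a response that omits the signer certificate the client has no other way to obtain, both fail with the same generic verification error the client reports.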