As an update, the sscep application set works properly with the sub-CA so it's definitely an issue on the certmonger side of things.

sscep in AES mode throws an exception in Dogtag and, unfortunately, sscep also doesn't support anything above SHA1.

That said, it's at least reasonable isolation of the issue at hand.

It looks like the sscep code could be lifted directly into the certmonger stack without too much trouble, if the licenses are compatible.

Thanks,

Trevor

On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
Hi Rob,

Thanks for getting back to me, I have no idea how I missed this message.

I dug through the CA and KRA debug logs and don't see any PKCS7 output anywhere.

I've been running certmonger in debug mode connected to the foreground and haven't really gotten anywhere there either.

I did determine that the spot where things are failing is at https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I haven't been able to figure out how to print what is being received from the server.

Running the 'scep-submit' command by hand with -C works as expected (of course Dogtag doesn't respond with server capabilities, so it downgrades itself into insanity, but that doesn't seem to be the issue). I also checked that the certmonger configuration is correct in the ~/.config/certmonger space and that the entire certificate chain is present as expected.

Thanks,

Trevor

On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
>
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
>
> I've fired up certmonger and added the SCEP CA.
>
> When I attempt to request a certificate, the enrollment completes
> successfully per the Dogtag side of the equation but the response from
> the server cannot be decrypted by the client and I get the following
> error in the certmonger debug log:
>
> 2018-01-29 23:56:43 [5396] Child output: "Error: failed to verify signature on server response.
> "
> 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
>
> The following commands were used for server addition and certificate
> registration.
>
> getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
>
> getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>
> Looking at the certmonger code, it looks like it is completely skipping
> all of the case statements and simply dropping down to the 'goto':
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>
> I've tried recompiling certmonger with some debug statements but I
> haven't managed to suss out what's going on. If someone could tell me
> how to print the actual response from the server, it would be appreciated.
>
> It certainly feels like the SCEP support has taken a back seat to the
> CMC features but the CMC features just aren't ready to replace SCEP at
> this time and, of course, can't support a lot of hardware requirements.

A couple of things to try:

- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with certmonger
-d 9 -n 2>&1 | tee /path/to/some/log and then redo the request. Again,
you may be able to get some data out of it.

I haven't tried SCEP with a subCA. It could be there is some
disagreement about who is actually signing the response.

rob



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --



--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --