Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set up with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes successfully per the Dogtag side of the equation but the response from the server cannot be decrypted by the client and I get the following error in the certmonger debug log:
2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.
"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
The following commands were used for server addition and certificate registration.
getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
Looking at the certmonger code, it looks like it is completely skipping all of the case statements and simply dropping down to the 'goto:'
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
I've tried recompiling certmonger with some debug statements but I haven't managed to suss out what's going on. If someone could tell me how to print the actual response from the server, it would be appreciated.