Hi All,

I have a setup where I have a root CA and a sub CA and the sub CA is set up with a KRA and SCEP enabled.

I've fired up certmonger and added the SCEP CA.

When I attempt to request a certificate, the enrollment completes successfully per the Dogtag side of the equation but the response from the server cannot be decrypted by the client and I get the following error in the certmonger debug log:

2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.
"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.

The following commands were used for server addition and certificate registration.

getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem

getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password

Looking at the certmonger code, it looks like it is completely skipping all of the case statements and simply dropping down to the 'goto:' https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889

I've tried recompiling certmonger with some debug statements but I haven't managed to suss out what's going on. If someone could tell me how to print the actual response from the server, it would be appreciated.

It certainly feels like the SCEP support has taken a back seat to the CMC features but the CMC features just aren't ready to replace SCEP at this time and, of course, can't support a lot of hardware requirements.

Any help is appreciated.

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
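One way to get at the raw server response the post asks about, as an added example that is not from this thread, certmonger or Dogtag: fetch the certificate chain the SCEP server advertises (GetCACert) and dump and verify a captured PKIOperation (CertRep) response with openssl, outside certmonger. It assumes curl and openssl are installed; the SCEP URL, the response file and the CA bundle path are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not part of the original thread or of certmonger.
# Assumes curl and openssl are on PATH. Function arguments are placeholders.
set -e

# Fetch the CA/RA certificate chain the SCEP server advertises (GetCACert)
# and save it in DER form. The degenerate PKCS#7 it returns carries the
# certificates the server uses to sign PKIOperation responses, which is what
# the bundle passed to 'getcert add-scep-ca -R' has to trust.
scep_get_cacert() {
    url=$1; out=$2
    curl -fsS "${url}?operation=GetCACert&message=ca" -o "$out"
    openssl pkcs7 -inform DER -in "$out" -print_certs -noout
}

# Dump the ASN.1 structure of a captured PKIOperation response, list the
# certificates embedded in it, then verify its signature against a trusted
# CA bundle. Returns 0 when the signature verifies, non-zero otherwise,
# which mirrors the check that fails inside certmonger.
scep_inspect_response() {
    resp=$1; cafile=$2
    echo "== ASN.1 structure (first 20 nodes) =="
    openssl asn1parse -inform DER -in "$resp" | head -n 20
    echo "== certificates carried in the response =="
    openssl pkcs7 -inform DER -in "$resp" -print_certs -noout 2>/dev/null || true
    echo "== signature check against $cafile =="
    openssl cms -verify -inform DER -in "$resp" \
        -CAfile "$cafile" -purpose any -out /dev/null
}

# Usage (placeholders):
#   scep_get_cacert https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe chain.der
#   scep_inspect_response captured-certrep.der /etc/pki/site-pki.pem
```

Comparing the subjects printed from the GetCACert chain with the contents of the bundle given to `-R` shows whether the certificate that actually signs the responses is among the trusted ones.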