As an update, the sscep application set works properly with the sub-CA,
so it's definitely an issue on the certmonger side of things.
sscep in AES mode throws an exception in Dogtag and, unfortunately,
sscep also doesn't support above SHA1.
That said, it's at least reasonable isolation of the issue at hand.
It looks like the sscep code may be able to be lifted directly into the
certmonger stack if the licenses are compatible without too much issue.
Thanks,
Trevor
On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaughan(a)onyxpoint.com> wrote:
Hi Rob,
Thanks for getting back to me, I have no idea how I missed this message.
I dug through the CA and KRA debug logs and don't see any PKCS7
output anywhere.
I've been running certmonger in debug mode connected to the
foreground and haven't really gotten anywhere there either.
I did determine that the spot where things are failing is at
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
haven't been able to figure out how to print what is being received
from the server.
Running the 'scep-submit' command by hand with -C works as expected
(of course Dogtag doesn't respond with server capabilities so it
downgrades itself into insanity but that doesn't seem to be the
issue). I also checked to see that the certmonger configuration is
correct in the ~/.config/certmonger space and the entire certificate
chain appears to be present as expected.
Thanks,
Trevor
On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcritten(a)redhat.com> wrote:
Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
>
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
>
> I've fired up certmonger and added the SCEP CA.
>
> When I attempt to request a certificate, the enrollment completes
> successfully per the Dogtag side of the equation but the response from
> the server cannot be decrypted by the client and I get the following
> error in the certmonger debug log:
>
> 2018-01-29 23:56:43 [5396] Child output:
> "Error: failed to verify signature on server
> response.
> "
> 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server
> response.
>
> The following commands were used for server addition and certificate
> registration.
>
> getcert add-scep-ca -c Site_CA -u
> https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R
> /etc/pki/site-pki.pem
>
> getcert request -c Site_CA -k /etc/pki/my_cert.pem -f
> /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>
> Looking at the certmonger code, it looks like it is completely skipping
> all of the case statements and simply dropping down to the 'goto:'
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>
> I've tried recompiling certmonger with some debug statements but I
> haven't managed to suss out what's going on. If someone could tell me
> how to print the actual response from the server, it would be
> appreciated.
>
> It certainly feels like the SCEP support has taken a back seat to the
> CMC features but the CMC features just aren't ready to replace SCEP at
> this time and, of course, can't support a lot of hardware requirements.
A couple of things to try:
- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with
certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request.
Again, you may be able to get some data out of it.
I haven't tried SCEP with a subCA. It could be there is some
disagreement about who is actually signing the response.
rob
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
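Rob's last suggestion (a disagreement about who actually signed the response) and Trevor's question (how to see what the server sent back) both come down to reading the SignerInfo of the PKCS#7 SignedData that SCEP returns. The following is an added example, not certmonger, sscep or Dogtag code: a dependency-free DER walker that pulls the signer's issuer DN, serial number and digest algorithm out of a SignedData blob, so a "failed to verify signature on server response" can be narrowed to "signed by a CA the client doesn't hold" versus "digest the client can't handle". The sample blob, the "Site Sub CA"/"Site Root CA" names and the serial number are all constructed here, and its signature bytes are zero-filled placeholders, so the code inspects the structure but does not cryptographically verify anything. To use it on a real capture, read the DER bytes from a file (or base64-decode a PEM/log dump) and pass them to `inspect_signed_data`.

```python
"""Inspect SignerInfo entries of a PKCS#7 / CMS SignedData blob (added example)."""

OID_NAMES = {
    "1.2.840.113549.1.7.2": "signedData",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C",
}

# ---- minimal DER encoder, used only to build the constructed sample ----
def tlv(tag, body):
    """Encode one DER TLV; handles short and long form lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def enc_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def enc_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, enc_oid(o) + tlv(0x0C, v.encode()))) for o, v in rdns))

def build_sample_signed_data(issuer_rdns, serial, digest_oid):
    """Constructed SignedData with one IssuerAndSerialNumber-style SignerInfo."""
    alg = tlv(0x30, enc_oid(digest_oid) + tlv(0x05, b""))
    signer_info = tlv(0x30,
        enc_int(1)
        + tlv(0x30, enc_name(issuer_rdns) + enc_int(serial))            # sid
        + alg                                                          # digestAlgorithm
        + tlv(0x30, enc_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))  # rsaEncryption
        + tlv(0x04, b"\x00" * 16))                                     # placeholder signature
    signed_data = tlv(0x30,
        enc_int(1)
        + tlv(0x31, alg)                                   # digestAlgorithms
        + tlv(0x30, enc_oid("1.2.840.113549.1.7.1"))       # encapContentInfo (id-data, detached)
        + tlv(0x31, signer_info))                          # signerInfos
    return tlv(0x30, enc_oid("1.2.840.113549.1.7.2") + tlv(0xA0, signed_data))

# ---- decoder: what you would point at a captured server response ----
def der_children(buf):
    """Split a run of concatenated DER TLVs into (tag, body) tuples."""
    items, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        items.append((tag, buf[i:i + n]))
        i += n
    return items

def dec_oid(body):
    parts, v = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(v))
            v = 0
    return ".".join(parts)

def dec_name(body):
    """Render a Name as 'CN=...,O=...' in DER order."""
    out = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            out.append(f"{OID_NAMES.get(dec_oid(oid), dec_oid(oid))}={val.decode()}")
    return ",".join(out)

def inspect_signed_data(der):
    """Return one {'issuer', 'serial', 'digest'} dict per SignerInfo."""
    (_, content_info), = der_children(der)
    (_, ctype), (_, explicit0) = der_children(content_info)
    assert dec_oid(ctype) == "1.2.840.113549.1.7.2", "not a SignedData ContentInfo"
    (_, signed_data), = der_children(explicit0)
    signer_infos = der_children(signed_data)[-1][1]   # signerInfos is always last
    result = []
    for _, si in der_children(signer_infos):
        fields = der_children(si)
        sid_tag, sid = fields[1]
        if sid_tag != 0x30:               # [0] IMPLICIT SubjectKeyIdentifier form
            result.append({"issuer": None, "serial": None, "skid": sid.hex()})
            continue
        (_, issuer), (_, serial) = der_children(sid)
        digest = dec_oid(der_children(fields[2][1])[0][1])
        result.append({"issuer": dec_name(issuer),
                       "serial": int.from_bytes(serial, "big"),
                       "digest": OID_NAMES.get(digest, digest)})
    return result

def find_unexpected_signers(signers, trusted_issuer_dns):
    """Signers whose issuer DN is not among the CA subjects the client holds."""
    return [s for s in signers if s["issuer"] not in trusted_issuer_dns]

SUB_CA = [("2.5.4.3", "Site Sub CA"), ("2.5.4.10", "Example Site")]   # constructed
SAMPLE = build_sample_signed_data(SUB_CA, 4097, "2.16.840.1.101.3.4.2.1")

if __name__ == "__main__":
    signers = inspect_signed_data(SAMPLE)
    print("signers:", signers)
    print("unexpected with root only:",
          find_unexpected_signers(signers, {"CN=Site Root CA,O=Example Site"}))
```

If the issuer printed here is the sub-CA but the client's `-R` chain file only makes the root available to the verifier, or if the digest is one the client build does not support, that mismatch is the place to look before digging further into pkcs7.c.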