RE: OpenSSL and SCEP

2000-03-10 Thread Mark E. Schoneman



Dave wrote:

...certificate request as sent by a Cisco PIX firewall, but I have not
yet been able to generate the appropriate replies.

To unpack the request, take the "message" parameter that is sent in
the URL query string, BASE64-decode it, and pipe it to "openssl pkcs7
-inform der -print_certs".  This will print out the certificate
request, which you can sign using normal procedure.

As I said, I still haven't figured out how to generate the replies,
but I believe that you can BASE64-encode the resulting certificate
and type it in directly to a Cisco router (but alas, I don't think
this works with the PIX).

d.

Ok you got my curiosity up. We have Cisco, we've got openssl so I tried it.

Got the CA certificate to the box. At least in IOS 12.07 it automatically
attaches pkiclient.exe to whatever you type as the URL

Issued the crypto enroll command

Got this back:
...AACggDCCAVswggEFAiAyNDk0RUI5NUNGMjdFQ0YzMDFFNUFGQTVEMDA3...

According to the SCEP spec base64 decode with the CA key

cake [2] % openssl base64 -in s.dat -d -kfile lib/private/cakey.pem -out e.dat

Got a DER file that I can see some of the CA data

Using pkcs7 command, went looking for some certs.  Found


cake [5] % openssl pkcs7 -in e.dat -inform DER -print_certs -out c.dat
cake [6] % more c.dat

subject=/unstructuredName=3810_CERT.sprintcorp.com
issuer= /unstructuredName=3810_CERT.sprintcorp.com
-----BEGIN CERTIFICATE-----
MIIBWzCCAQUCIDI0OTRFQjk1Q0YyN0VDRjMwMUU1QUZBNUQwMDc3NkQ0MA0GCSqG
SIb3DQEBBAUAMCkxJzAlBgkqhkiG9w0BCQIWGDM4MTBfQ0VSVC5zcHJpbnRjb3Jw
LmNvbTAeFw05MzAzMDEwMTE3NDFaFw0wMzAyMjcwMTE3NDFaMCkxJzAlBgkqhkiG
9w0BCQIWGDM4MTBfQ0VSVC5zcHJpbnRjb3JwLmNvbTBcMA0GCSqGSIb3DQEBAQUA
A0sAMEgCQQDXWOFnJAMqeLh8ilzfPjp/2B14mdREsBqDVsgSLVbj8rspegqT1zOi
jZjUXo/xoZuhRCAX9emdGSghOlxDWFixAgMBAAEwDQYJKoZIhvcNAQEEBQADQQCE
EW6qD/7JLCnFALOALmj1MezRX4zquFRg5c6e8VMBVulKhv4TaRuJ3QmlEPKTPFrU
AS3Yl39JADp7i6oHqdDp
-----END CERTIFICATE-----

Found a valid cert but no request. What did you do differently to find the request?
I included my test CA key

cake [7] %  openssl x509 -in c.dat -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            32:34:39:34:45:42:39:35:43:46:32:37:45:43:46:33:30:31:45:35:41:46:41:35:44:30:30:37:37:36:44:34
        Signature Algorithm: md5WithRSAEncryption
        Issuer: unstructuredName=3810_CERT.sprintcorp.com
        Validity
            Not Before: Mar  1 01:17:41 1993 GMT
            Not After : Feb 27 01:17:41 2003 GMT
        Subject: unstructuredName=3810_CERT.sprintcorp.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d7:58:e1:67:24:03:2a:78:b8:7c:8a:5c:df:3e:
                    3a:7f:d8:1d:78:99:d4:44:b0:1a:83:56:c8:12:2d:
                    56:e3:f2:bb:29:7a:0a:93:d7:33:a2:8d:98:d4:5e:
                    8f:f1:a1:9b:a1:44:20:17:f5:e9:9d:19:28:21:3a:
                    5c:43:58:58:b1
                Exponent: 65537 (0x10001)
    Signature Algorithm:

Re: OpenSSL and SCEP

2000-03-10 Thread Vadim Fedukovich

On Fri, Mar 10, 2000 at 10:31:57AM -0600, Mark E. Schoneman wrote:
 ...
 Using pkcs7 command, went looking for some certs.  Found
 ...
 Found a valid cert but no request. What did you do differently to find the request?

Request should be in pkcs7 payload and the cert you found is self-signed.
...exactly as specified by SCEP

One can pick up the router's public key either from this certificate or from
the cert request, then sign the router's key with the CA's key, resulting in
a "real" certificate to use in production.

 ...
 Issuer: unstructuredName=3810_CERT.sprintcorp.com
 Subject: unstructuredName=3810_CERT.sprintcorp.com

Regards,
Vadim
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: OpenSSL and SCEP

2000-03-06 Thread Massimiliano Pala

[EMAIL PROTECTED] wrote:
 
 Has anyone done any SCEP work with OpenSSL? I need to receive a
 PKCS#10 certificate request from a client and use SCEP to get a
 certificate from a CA. I've got some of the work done, but I guess
 there's no need to reinvent the wheel if there's open source stuff
 available.

Hi,

I am from the OpenCA project. I was contacted some time ago by the
SURFnet ExpertiseCentrum (nl) about their work on SCEP and the
possibility of integrating our work. If you would like to contribute,
let me know (Open Source is a must for us).

It seems like many people are actually working on it and are willing
to coordinate their work.

C'you,

Massimiliano Pala ([EMAIL PROTECTED])


Re: OpenSSL and SCEP

2000-03-06 Thread dave madden

 =From: [EMAIL PROTECTED]
 =...
 =Has anyone done any SCEP work with OpenSSL? I need to receive a
 =PKCS#10 certificate request from a client and use SCEP to get a
 =certificate from a CA. I've got some of the work done, but I guess
 =there's no need to reinvent the wheel if there's open source stuff
 =available.

Popular subject these days!  I've been able to unbundle a PKCS10
certificate request as sent by a Cisco PIX firewall, but I have not
yet been able to generate the appropriate replies.

To unpack the request, take the "message" parameter that is sent in
the URL query string, BASE64-decode it, and pipe it to "openssl pkcs7
-inform der -print_certs".  This will print out the certificate
request, which you can sign using normal procedure.

As I said, I still haven't figured out how to generate the replies,
but I believe that you can BASE64-encode the resulting certificate
and type it in directly to a Cisco router (but alas, I don't think
this works with the PIX).

d.
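Dave's recipe, Mark's run and Vadim's reply are all about the same object, the SCEP PKCSReq message: a PKCS#7 signedData whose signer is the router's self-signed certificate, and whose signed content is a PKCS#7 envelopedData that only the CA's private key can open. The PKCS#10 request sits inside that envelope, which is why "openssl pkcs7 -print_certs" shows a valid certificate and no request, and why the CA key plays no part in the base64 step. The script below is an added example, not code from the thread or from any of the posters: it builds a PKCSReq the way a router would, unpacks it as the CA, issues the certificate and wraps it as a CertRep, then opens that as the router. Everything specific in it is assumed for the demo: 2048-bit RSA keys, SHA-256 signatures, AES-128 for the envelope (the SCEP draft's default of that period was single DES), the names router.example.test and Test SCEP CA, and no SCEP authenticated attributes (transactionID, messageType, senderNonce, pkiStatus), which the openssl CLI cannot add, so a real router would not accept the CertRep built here.

```shell
#!/bin/sh
# Added example, not from the thread: a SCEP PKCSReq/CertRep round trip using
# only the openssl CLI and keys generated on the spot. Assumed for the demo:
# 2048-bit RSA, SHA-256, AES-128 for the envelopedData layer (the SCEP draft
# defaulted to single DES), and no SCEP authenticated attributes
# (transactionID, messageType, senderNonce, pkiStatus), which "openssl smime"
# cannot add; a real router would reject this CertRep. The layering is the point.
set -e

# Router side: key pair, PKCS#10 request, and the self-signed certificate SCEP
# uses to sign the request before the router holds a CA-issued certificate.
make_router_material() {
    d=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/routerkey.pem" 2>/dev/null
    openssl req -new -batch -key "$d/routerkey.pem" \
        -subj "/CN=router.example.test" -out "$d/router.csr"
    openssl req -new -x509 -batch -key "$d/routerkey.pem" -days 1 \
        -subj "/CN=router.example.test" -out "$d/routerself.pem"
}

# Router side: envelopedData(CSR) for the CA's certificate, wrapped in
# signedData under the self-signed cert, then base64 for the URL parameter.
build_pkcsreq() {
    d=$1
    openssl req -in "$d/router.csr" -outform DER -out "$d/router.csr.der"
    openssl smime -encrypt -binary -aes128 -outform DER \
        -in "$d/router.csr.der" -out "$d/env.der" "$d/cacert.pem"
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$d/routerself.pem" -inkey "$d/routerkey.pem" \
        -in "$d/env.der" -out "$d/pkireq.der"
    openssl base64 -in "$d/pkireq.der" -out "$d/message.b64"
}

# CA side: peel the layers. base64 and signedData need no key at all; the CA
# private key is used only to open the inner envelopedData.
unpack_pkcsreq() {
    d=$1
    openssl base64 -d -in "$d/message.b64" -out "$d/pkireq.recv.der"
    # This is what "-print_certs" shows: the signer's self-signed cert.
    openssl pkcs7 -inform DER -in "$d/pkireq.recv.der" -print_certs \
        -out "$d/signer.pem"
    openssl x509 -in "$d/signer.pem" -out "$d/routercert.recv.pem"
    # -noverify: the signer is self-signed, so chain validation would fail.
    openssl smime -verify -noverify -binary -inform DER \
        -in "$d/pkireq.recv.der" -out "$d/env.recv.der" 2>/dev/null
    openssl smime -decrypt -inform DER -in "$d/env.recv.der" \
        -recip "$d/cacert.pem" -inkey "$d/cakey.pem" -out "$d/csr.recv.der"
    # The plaintext is the PKCS#10 request; check its self-signature.
    openssl req -inform DER -in "$d/csr.recv.der" -verify \
        -out "$d/csr.recv.pem" 2>/dev/null
}

# CA side: issue the real certificate ("sign using normal procedure") and wrap
# it as a CertRep: certs-only PKCS#7, enveloped to the router's self-signed
# cert, then signed by the CA.
issue_and_build_certrep() {
    d=$1
    openssl x509 -req -in "$d/csr.recv.pem" -days 1 -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/issued.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/issued.pem" -outform DER \
        -out "$d/certsonly.der"
    openssl smime -encrypt -binary -aes128 -outform DER \
        -in "$d/certsonly.der" -out "$d/renv.der" "$d/routercert.recv.pem"
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$d/cacert.pem" -inkey "$d/cakey.pem" \
        -in "$d/renv.der" -out "$d/certrep.der"
}

# Router side: check the CA's signature against the CA cert it already holds,
# open the envelope with the router key, and pull out the issued certificate.
unpack_certrep() {
    d=$1
    openssl smime -verify -binary -inform DER -CAfile "$d/cacert.pem" \
        -in "$d/certrep.der" -out "$d/renv.recv.der" 2>/dev/null
    openssl smime -decrypt -inform DER -in "$d/renv.recv.der" \
        -recip "$d/routerself.pem" -inkey "$d/routerkey.pem" \
        -out "$d/certsonly.recv.der"
    openssl pkcs7 -inform DER -in "$d/certsonly.recv.der" -print_certs \
        | openssl x509 -noout -subject -nameopt RFC2253
}

# Whole round trip; prints the subject of the certificate the router got back.
scep_demo() {
    d=$(mktemp -d)
    openssl req -new -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test SCEP CA" -keyout "$d/cakey.pem" \
        -out "$d/cacert.pem" 2>/dev/null
    make_router_material "$d"
    build_pkcsreq "$d"
    unpack_pkcsreq "$d"
    # The recovered request is byte for byte what the router built, and the
    # self-signed cert carries the same public key as the request.
    cmp -s "$d/router.csr.der" "$d/csr.recv.der"
    openssl x509 -in "$d/signer.pem" -noout -pubkey > "$d/pub.cert"
    openssl req -in "$d/router.csr" -noout -pubkey > "$d/pub.csr"
    cmp -s "$d/pub.cert" "$d/pub.csr"
    issue_and_build_certrep "$d"
    unpack_certrep "$d"
    rm -rf "$d"
}

scep_demo
```

Running it prints the subject of the issued certificate, which the script has already checked against the CSR and the self-signed cert. The "-noverify" on the CA side is not a shortcut to be removed later: a PKCSReq is by design signed by a certificate nobody vouches for, so the signature only proves possession of the key in the request. What authorises the enrolment is the challengePassword attribute the SCEP draft puts in the PKCS#10 (or manual approval), and a CA that issues without checking one of those will sign any key that is presented to it.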



OpenSSL and SCEP

2000-03-06 Thread tormala

Has anyone done any SCEP work with OpenSSL? I need to receive a
PKCS#10 certificate request from a client and use SCEP to get a
certificate from a CA. I've got some of the work done, but I guess
there's no need to reinvent the wheel if there's open source stuff
available.

Fred Tormala