Dave wrote:
ertificate request as sent by a Cisco PIX firewall, but I have not
yet been able to generate the appropriate replies.
To unpack the request, take the "message" parameter that is sent in
the URL query string, BASE64-decode it, and pipe it to "openssl pkcs7
-inform der -print_certs". This will print out the certificate
request, which you can sign using the normal procedure.
As I said, I still haven't figured out how to generate the replies,
but I believe that you can BASE64-encode the resulting certificate
and type it in directly to a Cisco router (but alas, I don't think
this works with the PIX).
d.
Ok you got my curiosity up. We have Cisco, we've got openssl, so I tried it.
Got the CA certificate to the box. At least in IOS 12.07 it automatically
attaches pkiclient.exe to whatever you type as the URL.
Issued the crypto enroll command.
Got this back:
AACggDCCAVswggEFAiAyNDk0RUI5NUNGMjdFQ0YzMDFFNUFGQTVEMDA3
NzZENDANBgkqhkiG9w0BAQQFADApMScwJQYJKoZIhvcNAQkCFhgzODEwX0NFUlQu
c3ByaW50Y29ycC5jb20wHhcNOTMwMzAxMDExNzQxWhcNMDMwMjI3MDExNzQxWjAp
MScwJQYJKoZIhvcNAQkCFhgzODEwX0NFUlQuc3ByaW50Y29ycC5jb20wXDANBgkq
hkiG9w0BAQEFAANLADBIAkEA11jhZyQDKni4fIpc3z46f9gdeJnURLAag1bIEi1W
4/K7KXoKk9czoo2Y1F6P8aGboUQgF/XpnRkoITpcQ1hYsQIDAQABMA0GCSqGSIb3
DQEBBAUAA0EAhBFuqg/+ySwpxQCzgC5o9THs0V+M6rhUYOXOnvFTAVbpSob+E2kb
id0JpRDykzxa1AEt2Jd/SQA6e4uqB6nQ6QAAMYAwggFXAgEBME0wKTEnMCUGCSqG
SIb3DQEJAhYYMzgxMF9DRVJULnNwcmludGNvcnAuY29tAiAyNDk0RUI5NUNGMjdF
Q0YzMDFFNUFGQTVEMDA3NzZENDAMBggqhkiG9w0CBQUAoIGjMBIGCmCGSAGG+EUB
CQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0BCQQx
EgQQlbQf5EjbwN3CY1jVatn65DAgBgpghkgBhvhFAQkFMRIEEO+pYJIQHNQrcbjw
UaZ544UwMAYKYIZIAYb4RQEJBzEiEyAyNDk0RUI5NUNGMjdFQ0YzMDFFNUFGQTVE
MDA3NzZENDANBgkqhkiG9w0BAQEFAARAJcv799h7pDS1aHi+F2ypDdkrfHyYfRSb
QM7kEYgsVkwClKZRS24bB/2b7Ssg8F5haXMzWb0dyLZkRJHBLXNLHAAA
According to the SCEP spec, base64 decode with the CA key:
cake [2] % openssl base64 -in s.dat -d -kfile lib/private/cakey.pem -out e.dat
Got a DER file in which I can see some of the CA data.
Using the pkcs7 command, went looking for some certs. Found:
cake [5] % openssl pkcs7 -in e.dat -inform DER -print_certs -out c.dat
cake [6] % more c.dat
subject=/unstructuredName=3810_CERT.sprintcorp.com
issuer= /unstructuredName=3810_CERT.sprintcorp.com
-----BEGIN CERTIFICATE-----
MIIBWzCCAQUCIDI0OTRFQjk1Q0YyN0VDRjMwMUU1QUZBNUQwMDc3NkQ0MA0GCSqG
SIb3DQEBBAUAMCkxJzAlBgkqhkiG9w0BCQIWGDM4MTBfQ0VSVC5zcHJpbnRjb3Jw
LmNvbTAeFw05MzAzMDEwMTE3NDFaFw0wMzAyMjcwMTE3NDFaMCkxJzAlBgkqhkiG
9w0BCQIWGDM4MTBfQ0VSVC5zcHJpbnRjb3JwLmNvbTBcMA0GCSqGSIb3DQEBAQUA
A0sAMEgCQQDXWOFnJAMqeLh8ilzfPjp/2B14mdREsBqDVsgSLVbj8rspegqT1zOi
jZjUXo/xoZuhRCAX9emdGSghOlxDWFixAgMBAAEwDQYJKoZIhvcNAQEEBQADQQCE
EW6qD/7JLCnFALOALmj1MezRX4zquFRg5c6e8VMBVulKhv4TaRuJ3QmlEPKTPFrU
AS3Yl39JADp7i6oHqdDp
-----END CERTIFICATE-----
Found a valid cert but no request. What did you do differently to find the
request?
I included my test CA key
cake [7] % openssl x509 -in c.dat -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
32:34:39:34:45:42:39:35:43:46:32:37:45:43:46:33:30:31:45:35:41:46:41:35:44:30:30:37:37:36:44:34
Signature Algorithm: md5WithRSAEncryption
Issuer: unstructuredName=3810_CERT.sprintcorp.com
Validity
Not Before: Mar 1 01:17:41 1993 GMT
Not After : Feb 27 01:17:41 2003 GMT
Subject: unstructuredName=3810_CERT.sprintcorp.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:d7:58:e1:67:24:03:2a:78:b8:7c:8a:5c:df:3e:
3a:7f:d8:1d:78:99:d4:44:b0:1a:83:56:c8:12:2d:
56:e3:f2:bb:29:7a:0a:93:d7:33:a2:8d:98:d4:5e:
8f:f1:a1:9b:a1:44:20:17:f5:e9:9d:19:28:21:3a:
5c:43:58:58:b1
Exponent: 65537 (0x10001)
Signature Algorithm:
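The openssl steps Dave describes stop at the certificates field of the outer PKCS#7, which is consistent with the session above turning up a self-signed cert and no request: a SCEP PKCSReq is a PKCS#7 SignedData, signed with the client's self-signed certificate, whose signed content is a PKCS#7 EnvelopedData holding the PKCS#10 request encrypted to the CA's certificate. As an added example that is not code from this thread, the script below builds a message with that nesting from throwaway keys (the names fw.example.test and "Example SCEP CA" and all file names are my own choices; SCEP's authenticated attributes are left out, so it is the container layout rather than a byte-exact SCEP message), then shows what -print_certs reports and the verify-then-decrypt path that actually recovers the request.

```sh
#!/bin/sh
# Added example, not from the thread above: build a PKCSReq-shaped message
# with openssl and unpack it the way the CA side has to. Throwaway keys and
# made-up names (fw.example.test, "Example SCEP CA") are used throughout.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throwaway CA key pair. In SCEP the client encrypts its CSR to this cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example SCEP CA" -days 1 >/dev/null 2>&1

# 2. The client's key, the self-signed certificate it signs the PKCSReq with,
#    and the PKCS#10 request it actually wants the CA to sign.
openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out selfsigned.crt \
    -subj "/CN=fw.example.test" -days 1 >/dev/null 2>&1
openssl req -new -key client.key -out request.csr \
    -subj "/CN=fw.example.test" 2>/dev/null

# 3. Same nesting as a SCEP PKCSReq: EnvelopedData (CSR encrypted to the CA)
#    carried as the signed content of a SignedData made with the self-signed
#    cert. SCEP's authenticated attributes (transactionID, messageType, ...)
#    are left out, so this is the container layout, not a byte-exact message.
openssl cms -encrypt -binary -in request.csr -outform DER -out enveloped.der ca.crt
openssl cms -sign -binary -nodetach -in enveloped.der -signer selfsigned.crt \
    -inkey client.key -outform DER -out pkcsreq.der

# 4. Wire form: what a router would put in the "message" query parameter.
openssl base64 -A -in pkcsreq.der -out message.b64

# Decoding and running -print_certs only lists the certificates field of the
# outer SignedData, i.e. the client's self-signed certificate. The CSR is not
# there: it sits inside the encrypted content.
count_print_certs() {
    openssl base64 -d -A -in message.b64 |
        openssl pkcs7 -inform DER -print_certs -noout |
        grep -c '^subject='
}

# The CA path: check the outer signature (-noverify skips chain building for
# the self-signed signer), decrypt the inner EnvelopedData with the CA's
# private key, and only then is there a PKCS#10 request to look at.
unpack_request_subject() {
    openssl base64 -d -A -in message.b64 -out pkcsreq.bin
    openssl cms -verify -noverify -inform DER -in pkcsreq.bin -binary \
        -out enveloped.bin 2>/dev/null
    openssl cms -decrypt -inform DER -in enveloped.bin -recip ca.crt \
        -inkey ca.key -out request.bin
    openssl req -in request.bin -noout -subject
}

echo "certificates visible to -print_certs: $(count_print_certs)"
echo "request subject after verify+decrypt: $(unpack_request_subject)"
```

The first function returns 1 (only the self-signed signer cert is listed), and the second prints the subject of the decrypted request; the same two steps, verify the outer signature and then decrypt with the CA private key, are what a CA does with a real PKCSReq before it can look at the CSR.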