Hi All,

I have a setup where I have a root CA and a sub CA and the sub CA is set up
with a KRA and SCEP enabled.

I've fired up certmonger and added the SCEP CA.

When I attempt to request a certificate, the enrollment completes
successfully per the Dogtag side of the equation but the response from the
server cannot be decrypted by the client and I get the following error in
the certmonger debug log:

2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.

"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.

The following commands were used for server addition and certificate
registration.

getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem

getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password

Looking at the certmonger code, it looks like it is completely skipping all
of the case statements and simply dropping down to the 'goto:'
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889

I've tried recompiling certmonger with some debug statements but I haven't
managed to suss out what's going on. If someone could tell me how to print
the actual response from the server, it would be appreciated.

It certainly feels like the SCEP support has taken a back seat to the CMC
features but the CMC features just aren't ready to replace SCEP at this
time and, of course, can't support a lot of hardware requirements.

Any help is appreciated.

Thanks,

Trevor

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --