Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
> I've fired up certmonger and added the SCEP CA.
> When I attempt to request a certificate, the enrollment completes
> successfully per the Dogtag side of the equation but the response from
> the server cannot be decrypted by the client and I get the following
> error in the certmonger debug log:
> 2018-01-29 23:56:43  Child output:
> "Error: failed to verify signature on server
> 2018-01-29 23:56:43  Error: failed to verify signature on server
> The following commands were used for server addition and certificate
> getcert add-scep-ca -c Site_CA -u <https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe> -R
> getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
> Looking at the certmonger code, it looks like it is completely skipping
> all of the case statements and simply dropping down to the 'goto:'
> I've tried recompiling certmonger with some debug statements but I
> haven't managed to suss out what's going on. If someone could tell me
> how to print the actual response from the server, it would be appreciated.
> It certainly feels like the SCEP support has taken a back seat to the
> CMC features but the CMC features just aren't ready to replace SCEP at
> this time and, of course, can't support a lot of hardware requirements.
A couple of things to try:
- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with
  certmonger -d 9 -n 2>&1 | tee /path/to/some/log
  and then redo the request. Again, you may be able to get some data out of it.
I haven't tried SCEP with a subCA. It could be there is some
disagreement about who is actually signing the response.
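The "who is actually signing the response" question can be checked offline once the raw PKCS#7 data is in hand. The script below is an added example, not code from this thread, certmonger or Dogtag: it builds a throwaway root CA and sub CA with the openssl CLI (assumed to be 1.1.1 or 3.x, on PATH), signs a constructed payload as CMS/PKCS#7 SignedData the way a SCEP responder does, lists the certificates embedded in that response, and then verifies the same blob against the real root, against an unrelated CA the client might wrongly trust, and with chain checking switched off. All names, keys and the payload are constructed by the script; substitute the response captured from the Dogtag log for "$WORK/response.p7" to run the same checks against a real reply.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and verify a CMS/PKCS#7
# SignedData blob against different trust anchors. Everything here is
# constructed locally; only the openssl CLI is assumed to exist.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a DN plus a CA extension section.
write_cnf() {  # $1 = file, $2 = CN
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF
}

# Self-signed CA: $1 = basename, $2 = CN
make_root() {
  write_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -config "$WORK/$1.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 2 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Root CA -> sub CA pair, mirroring the poster's setup (constructed names).
make_chain() {
  make_root root "Constructed Root CA"
  write_cnf "$WORK/sub.cnf" "Constructed Sub CA"
  openssl req -new -config "$WORK/sub.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/sub.cnf" -extensions v3_ca \
    -out "$WORK/sub.pem" 2>/dev/null
}

# Sign a constructed payload with the sub CA key: DER-encoded SignedData with
# the content and the signer certificate embedded, as a SCEP reply carries them.
sign_response() {
  printf 'constructed SCEP response payload\n' > "$WORK/payload.bin"
  openssl cms -sign -binary -nodetach -signer "$WORK/sub.pem" -inkey "$WORK/sub.key" \
    -in "$WORK/payload.bin" -outform DER -out "$WORK/response.p7" 2>/dev/null
}

# Subject/issuer of every certificate carried inside the response: the
# quickest way to see which CA really produced the signature.
list_signers() {
  openssl pkcs7 -inform DER -in "$WORK/response.p7" -print_certs -noout 2>/dev/null
}

# Verify the response; echoes "ok" or "fail".
#   $1 = PEM trust anchor, or "" to check only the signature math (-noverify)
verify_with() {
  if [ -n "$1" ]; then
    openssl cms -verify -inform DER -in "$WORK/response.p7" -CAfile "$1" \
      -purpose any -out /dev/null >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl cms -verify -inform DER -in "$WORK/response.p7" -noverify \
      -out /dev/null >/dev/null 2>&1 && echo ok || echo fail
  fi
}

make_chain
make_root other "Constructed Unrelated CA"   # a CA the client might trust by mistake
sign_response
echo "--- certificates embedded in the response ---"
list_signers
echo "signature only, no chain check: $(verify_with '')"
echo "anchored on the real root CA:   $(verify_with "$WORK/root.pem")"
echo "anchored on an unrelated CA:    $(verify_with "$WORK/other.pem")"
```

A response whose signature passes with -noverify but fails against the anchor the client holds points at a trust-store mismatch (the client has a different CA certificate than the one that signed), whereas a failure even with -noverify means the blob itself is damaged or was altered in transit; the list_signers output tells you which of the two CAs actually signed.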
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org