Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
> I've fired up certmonger and added the SCEP CA.
> When I attempt to request a certificate, the enrollment completes
> successfully per the Dogtag side of the equation but the response from
> the server cannot be decrypted by the client and I get the following
> error in the certmonger debug log:
> 2018-01-29 23:56:43 [5396] Child output:
> "Error: failed to verify signature on server response.
> "
> 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
> The following commands were used for server addition and certificate
> registration.
> getcert add-scep-ca -c Site_CA -u <> -R /etc/pki/site-pki.pem
> getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/ -I Host_Cert -R -w -L password
> Looking at the certmonger code, it looks like it is completely skipping
> all of the case statements and simply dropping down to the 'goto:'
> <>
> I've tried recompiling certmonger with some debug statements but I
> haven't managed to suss out what's going on. If someone could tell me
> how to print the actual response from the server, it would be appreciated.
> It certainly feels like the SCEP support has taken a back seat to the
> CMC features but the CMC features just aren't ready to replace SCEP at
> this time and, of course, can't support a lot of hardware requirements.

A couple of things to try:

- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
  have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with
  certmonger -d 9 -n 2>&1 | tee /path/to/some/log
  and then redo the request. Again, you may be able to get some data out
  of it.

I haven't tried SCEP with a subCA. It could be there is some
disagreement about who is actually signing the response.
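An added example (not code from the thread, from certmonger or from Dogtag) that follows up the "who is actually signing the response" question with plain OpenSSL: it builds a root CA and a sub CA, has the sub CA sign a CMS/PKCS#7 blob standing in for the SCEP CertRep, lists the certificates embedded in the blob (the same check you would run on the raw PKCS#7 data pulled from the Dogtag debug log), and then verifies the blob once against the real root and once against an unrelated root that stands in for a wrong CA file handed to add-scep-ca -R. All subject names, file names and the payload are constructed for the example; nothing here is taken from the poster's deployment.

```shell
#!/bin/sh
# Added example: reproduce the "who signed the SCEP response?" check with OpenSSL.
# A root CA issues a sub CA; the sub CA signs a CMS/PKCS#7 message that stands in
# for the SCEP CertRep. Verification succeeds only when the trust anchor given to
# the verifier is the one the signer actually chains to. Everything here is
# constructed for the example (names, subjects, payload, temp paths).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {        # $1 = file prefix, $2 = subject CN; self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_sub_ca() {    # $1 = issuing CA prefix, $2 = sub CA prefix, $3 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    # Sub CA extensions: a CA that is also allowed to sign data (digitalSignature),
    # which is what signing a SCEP response needs.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign,digitalSignature' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" 2>/dev/null
}

sign_response() {  # $1 = signer prefix, $2 = output DER file (stand-in CertRep)
    printf 'constructed stand-in for SCEP CertRep content\n' > "$WORK/payload.txt"
    # -nodetach embeds the content; the signer certificate is included by default.
    openssl cms -sign -binary -nodetach -in "$WORK/payload.txt" \
        -signer "$WORK/$1.pem" -inkey "$WORK/$1.key" -outform DER -out "$2" 2>/dev/null
}

# Print subject/issuer of every certificate carried in a PKCS#7 blob: this is the
# quickest way to see which CA really signed a captured response.
list_signers() {   # $1 = DER PKCS#7 file
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# Verify the way a client would: exit 0 only if the signature is good AND the
# signer chains to the given trust anchor (the file a client was configured with).
verify_response() { # $1 = DER PKCS#7 file, $2 = trust anchor PEM
    openssl cms -verify -inform DER -in "$1" -CAfile "$2" -no-CApath \
        -purpose any -out /dev/null 2>/dev/null
}

demo() {
    make_ca root "Example Root CA"
    make_ca other "Unrelated Root CA"      # stands in for a wrong CA file
    make_sub_ca root sub "Example Sub CA"
    sign_response sub "$WORK/resp.p7"

    echo "== certificates embedded in the response =="
    list_signers "$WORK/resp.p7"

    if verify_response "$WORK/resp.p7" "$WORK/root.pem"; then
        echo "verify against Example Root CA: OK"
    fi
    if ! verify_response "$WORK/resp.p7" "$WORK/other.pem"; then
        echo "verify against Unrelated Root CA: signature verification FAILED (expected)"
    fi
}

demo
```

The second verification fails even though the signature itself is fine, which is exactly the symptom in the log above ("failed to verify signature on server response"): the client cannot distinguish a bad signature from a good signature made by a certificate it was not told to trust. Comparing the subject/issuer lines printed by list_signers with the certificate in the file passed to add-scep-ca -R tells you which of the two you are looking at.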

FreeIPA-users mailing list --