As an update, the sscep application set works properly with the sub-CA so
it's definitely an issue on the certmonger side of things.
sscep in AES mode throws an exception in Dogtag and, unfortunately, sscep
also doesn't support above SHA1.
That said, it's at least reasonable isolation of the issue at hand.
It looks like the sscep code may be able to be lifted directly into the
certmonger stack if the licenses are compatible without too much issue.
On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaug...@onyxpoint.com>
> Hi Rob,
> Thanks for getting back to me, I have no idea how I missed this message.
> I dug through the CA and KRA debug logs and don't see any PKCS7 output.
> I've been running certmonger in debug mode connected to the foreground and
> haven't really gotten anywhere there either.
> I did determine that the spot where things are failing is at
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
> haven't been able to figure out how to print what is being received from
> the server.
> Running the 'scep-submit' command by hand with -C works as expected (of
> course Dogtag doesn't respond with server capabilities so it downgrades
> itself into insanity but that doesn't seem to be the issue). I also
> checked to see that the certmonger configuration is correct in the
> ~/.config/certmonger space and the entire certificate chain appears to be
> present as expected.
> On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com>
>> Trevor Vaughan via FreeIPA-users wrote:
>> > Hi All,
>> > I have a setup where I have a root CA and a sub CA and the sub CA is set
>> > up with a KRA and SCEP enabled.
>> > I've fired up certmonger and added the SCEP CA.
>> > When I attempt to request a certificate, the enrollment completes
>> > successfully per the Dogtag side of the equation but the response from
>> > the server cannot be decrypted by the client and I get the following
>> > error in the certmonger debug log:
>> > 2018-01-29 23:56:43  Child output:
>> > "Error: failed to verify signature on server
>> > response.
>> > "
>> > 2018-01-29 23:56:43  Error: failed to verify signature on server
>> > response.
>> > The following commands were used for server addition and certificate
>> > registration.
>> > getcert add-scep-ca -c Site_CA -u
>> > https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe
>> > -R /etc/pki/site-pki.pem
>> > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f
>> > /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>> > Looking at the certmonger code, it looks like it is completely skipping
>> > all of the case statements and simply dropping down to the 'goto:'
>> > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>> > I've tried recompiling certmonger with some debug statements but I
>> > haven't managed to suss out what's going on. If someone could tell me
>> > how to print the actual response from the server, it would be
>> > It certainly feels like the SCEP support has taken a back seat to the
>> > CMC features but the CMC features just aren't ready to replace SCEP at
>> > this time and, of course, can't support a lot of hardware requirements.
>> A couple of things to try:
>> - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
>> have the raw PKCS#7 data to poke at
>> - stop the certmonger service and start it in a terminal with certmonger
>> -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request. Again,
>> you may be able to get some data out of it.
>> I haven't tried SCEP with a subCA. It could be there is some
>> disagreement about who is actually signing the response.
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
> -- This account not approved for unencrypted proprietary information --
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
FreeIPA-users mailing list -- firstname.lastname@example.org