Hi,
> > sscep dies in OpenSSL function PKCS7_encrypt() with a SIGSEGV
> > without sending a single byte to the SCEP server:
> >
> that's strange, what system are you using, which openssl version, maybe
> an api change? since i never had sscep dying while sending request,
> just when 'wrong' replies from openca came back...
OpenCA 0.9.2.1, OpenSSL 0.9.7c.
See bottom of this message for details on config and certificate used.
> usually i used sscep with the configfile and this worked fine so far
OK, haven't tried this yet.
> > Any help (tip, howto, faq, doc, experience) is appreciated.
> >
> i'll send some more stuff, when i'm home, for the moment
Sounds good.
> see posting: OpenCA-Users: 28.02.2004 04:02 from me
> this scep config usually worked for me with openca
>
> but u have to do some more things
> a) use the init-procedure at the ca for creating an ra-cert
> b) export this too
OK, I do NOT have an RA certificate, instead I am using a certificate
I created solely for the SCEP Interface. If I understand the code
correctly, it should not be necessary to use the RA certificate.
> c) save it as openssl - you can do this via the ra-interface
> save one file for the key and one for the cert, just like
> u would do an apache-ssl
Yes, I did this (for my SCEP server cert).
> d) put the files somewhere
> e) put the path including the filename into the scep-part of config.xml
> f) rerun ./configure_etc.sh and ./openca_rc restart
Yup, no problem with this.
> otherwise search for scep in the user ml - there are quite some postings
> to this topic, also from me
Yes, I searched the list but did not find anything that helps in
my case...
But I'll read through your posts again.
Thanks,
Martin
----------
Configuration:
...
    <!-- ===================== -->
    <!-- configuration of SCEP -->
    <!-- ===================== -->
    <option>
        <name>SCEP_RA_CERT</name>
        <value>/usr/local/openca-0.9.2/etc/scep/scep-cert.pem</value>
    </option>
    <option>
        <name>SCEP_RA_KEY</name>
        <value>/usr/local/openca-0.9.2/etc/scep/scep-key.pem</value>
    </option>
    <option>
        <name>SCEP_RA_PASSWD</name>
        <value>xxxx</value>
    </option>
...
openssl x509 -text -noout -in etc/scep/scep-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=xxxxxx, OU=xxxx, CN=xxxxxxx TLS CA 3
        Validity
            Not Before: Dec 21 15:32:40 2004 GMT
            Not After : Dec 30 00:00:00 2004 GMT
        Subject: DC=xxxx, DC=xxxx, O=xxxxxxx, CN=xxxxxxxx:SCEP3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:be:95:92:3a:6b:45:d4:5b:3f:c6:bd:c7:f5:51:
                    ......
                    0e:82:37:8e:a5:66:ac:0e:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                41:0D:9C:90:F3:91:48:DD:2B:6E:EF:C2:26:94:3E:C8:CD:B8:64:DC
            X509v3 Authority Key Identifier:
                keyid:D7:B5:62:36:57:2B:E2:A8:F3:15:CC:99:13:49:10:E4:64:F0:6B:FF
            X509v3 Subject Alternative Name:
                DNS:XXXXXXX
            X509v3 CRL Distribution Points:
                URI:ldap://xxxxxxxxxxxx
            X509v3 Certificate Policies:
                Policy: 1.3.6.xxxxx
                  User Notice:
                    Explicit Text: This certificate is for testing only - do not use in production!
    Signature Algorithm: sha1WithRSAEncryption
        8b:2a:56:2c:8b:80:f5:1a:85:0a:8f:bd:60:f5:a8:21:b2:2e:
        ...
        76:d6:e5:13
_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users