Michael Weith wrote:
> I have set up OpenCA for testing on suse9.0 as CA NODE LDAP RA PUB SCEP
> apache2 and mysql. openca-SNAP-20040205
>
> Test equipment for scep:
>         Cisco router 7206 and 1760 with IOS 12.3.5
>
> Cisco is requesting a certificate via scep with the following url, verified by ethereal:
>
> http://192.168.0.195/cgi-bin/scep/pkiclient.exe?operation=GetCACert&message=OpenCA HTTP/1.0
>
> The scep server does not know the following parameters:
>
>         pkiclient.exe   rename or copy scep to pkiclient.exe in the /cgi-bin/secp/ directory
>         operation       is like cmd, cannot be changed in the cisco router
>         GetCACert       is like scepGetCACert

The link includes some mistakes:

1. We don't have a file pkiclient.exe. You must use

http://192.168.0.195/cgi-bin/scep/scep

   pkiclient.exe is from Windows based systems. We used a Cisco VPN
   concentrator and there it is configurable.

2. It is not necessary to rename "operation" because we already do this.

3. GetCACert is supported as operation by OpenCA 0.9.2 snaps.

So the major mistake is your Cisco configuration. pkiclient.exe is wrong.

> When requesting from a browser the url:
> http://192.168.0.195/cgi-bin/scep/scep?cmd=scepGetCACert&message=OpenCA%20HTTP/1.0
> or
> http://192.168.0.195/cgi-bin/scep/pkiclient.exe?cmd=scepGetCACert&message=OpenCA%20HTTP/1.0
>
> I now get a certificate with the name scep.0 (pkiclient.0) in pkcs7 DER format.

pkiclient.exe should not work with OpenCA (unless you copied scep to pkiclient.exe).

> For further testing with cisco router the scep server must understand
> "operation" in the url.

The SCEP server understands operation. We map it to cmd.


Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
