Thanks Dalini for the detailed response. I have not succeeded yet in enrolling successfully via SCEP. I am beginning to wonder if it is because of a flaw in my setup process. I have a RA / CA combination running on the same machine. My basic building process is:

1)
./configure options
make
make install-online
make install-ca

2)
setting dataexchange to 6 (the node acts as RA and CA)
./configure_etc.sh
./openca_start

3)
Initialization:
 a) Initialize Database
 b) Generate new CA secret key
 c) Generate new CA certificate request
 d) Self signed CA certificate
 e) Rebuild CA Chain
 f) Export Configuration --> to floppy

Could someone clarify what the steps should be from here, to initialize a CA and an RA operator when both CA and RA are running on the same machine?

When I attempt to retrieve the CA certificate, I only get one. In most examples that I read in this list, there are two certificates that are delivered to the sscep client.

Thanks
NB

From: dalini <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] SSCEP segmentation fault upon enroll
Date: Sat, 28 Feb 2004 04:02:16 +0100

Nilgiris BlueMountain wrote:
I did a cvs update today and the segmentation fault persists. Here is how I invoked sscep:

./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u http://caserver/cgi-bin/scep/scep
./sscep: sending certificate request
./sscep: valid response from server
Segmentation fault


yeah, looks like u sent a wrong request - and sscep can't decode the
wrong answer... if u use the scep interface - this is usually like an
ra/ca case in scep language... since at least i use extra certificates
for the scep interface

so ur call above implies a direct connection to the ca - this isn't
the case with a common openca-scep installation

i also recommend using a conf file - like the example sscep.conf,
u just have to adapt it to match ur setup...

and then call like:
./sscep getca -f my.conf
./sscep enroll -f my.conf

this is much easier to handle and to reproduce ;o)
i have added an example configuration of mine

u should adapt the paths at least - everything else
should be fine... maybe the name of the files generated
by mkrequest ;o)

the -0 and -1 are correct - since sscep creates two ca-files
when it gets more than one... should just work like setup otherwise
you have to change the 0 and the 1...

i just tested this - not with the newest sscep client
but with actual cvs code - it just works fine

For sscep operations, my order of operation was:
1. getca
2. enroll

this looks fine ;o)

greetings
dalini




#
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs separated with one
# or more space characters:
#
# "Key" [spaces] "Value"
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
# "Key" [spaces] "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.
#

#
# Common options for all operations
#
# URL of the SCEP server.
URL             http://10.128.2.5/pki/ra-001/cgi-bin/scep/scep

# Use HTTP proxy server
#Proxy          localhost:8080

# This one is needed with all operations.
CACertFile      /usr/local/pki/tools/sscep/cacert.crt-1

# Possible values: yes or no.
Verbose         yes
Debug           yes


#
# Options for getca
#
# Some CAs require you to define this
#CAIdentifier   "CA Identifier"

# Display fingerprint algorithm (md5/sha1)
FingerPrint     md5


#
# Common options for enroll, getcert and getcrl
#
# Private key created with mkrequest
PrivateKeyFile  /usr/local/pki/tools/sscep/local.key

# Where to write successfully enrolled certificate
LocalCertFile   /usr/local/pki/tools/sscep/local.crt

# If your CA/RA uses different certificates for encryption
# and signing, define this
EncCertFile     /usr/local/pki/tools/sscep/cacert.crt-0

# PKCS#7 encryption/signing
# Note: this could be very misleading, current SCEP draft provides no
# mechanism to "negotiate" the algorithm - even if you send 3des, reply
# might be des.

# Encryption algorithm: des, 3des or blowfish. Default: des
#EncAlgorithm   3des
# Signature algorithm: md5 or sha1. Default: md5
#SigAlgorithm   sha1


#
# Options for enroll
#

# Certificate request file created with mkrequest
CertReqFile     /usr/local/pki/tools/sscep/local.csr

# Write optionally the selfsigned certificate in file
#SelfSignedFile ./selfsigned.crt

# Poll periodically for pending certificate (seconds)
PollInterval    5

# Maximum polling time
MaxPollTime     28800

# Maximum polling count
MaxPollCount    256



#
# Options for getcert
#
# Certificate serial number (decimal)
GetCertSerial   1

# Write certificate as
GetCertFile     /usr/local/pki/tools/sscep/cert.crt


#
# Options for getcrl
#
# Write CRL as
GetCrlFile      /usr/local/pki/tools/sscep/crl.crl
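The header of the attached sscep.conf describes a small key/value format, and the thread turns on two configuration points: each sscep operation needs certain keys, and an RA with its own encryption certificate needs EncCertFile pointed at the -0 file that getca writes. The following parser and sanity checker is an added example written for this thread; it is not sscep's code and not dalini's. The required-key table is an assumption drawn from the comments in the config, and the sample config, host and /tmp paths are constructed.

```python
"""Parse and sanity-check an sscep.conf file (example code, not part of sscep).

The format follows the header of the sscep.conf example: one "Key Value"
pair per line, optional double quotes around either token, \" for a quote
inside a quoted value, '#' lines and blank lines ignored.
"""
import re

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # "..." with \" escapes inside
_BARE = re.compile(r'\S+')                    # unquoted token: no whitespace

# Keys each operation needs before sscep can do anything useful. This table
# is an assumption based on the comments in the example config, not sscep's.
REQUIRED_KEYS = {
    "getca":   ("URL", "CACertFile"),
    "enroll":  ("URL", "CACertFile", "PrivateKeyFile", "LocalCertFile",
                "CertReqFile"),
    "getcert": ("URL", "CACertFile", "PrivateKeyFile", "LocalCertFile",
                "GetCertSerial", "GetCertFile"),
    "getcrl":  ("URL", "CACertFile", "PrivateKeyFile", "LocalCertFile",
                "GetCrlFile"),
}
_NUMERIC_KEYS = ("PollInterval", "MaxPollTime", "MaxPollCount", "GetCertSerial")


def _read_token(s, pos):
    """Return (token_value, end_pos) for the token starting at s[pos]."""
    if s[pos] == '"':
        m = _QUOTED.match(s, pos)
        if m is None:
            raise ValueError("unterminated quoted string")
        return m.group(1).replace('\\"', '"'), m.end()
    m = _BARE.match(s, pos)
    return m.group(0), m.end()


def parse_sscep_conf(text):
    """Parse sscep.conf text into a dict; a repeated key keeps the last value."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, pos = _read_token(line, 0)
        rest = line[pos:]
        if not rest[:1].isspace():
            raise ValueError(f"line {lineno}: key {key!r} has no value")
        rest = rest.lstrip()
        value, pos = _read_token(rest, 0)
        if rest[pos:].strip():
            raise ValueError(f"line {lineno}: a value containing spaces must be quoted")
        conf[key] = value
    return conf


def check_conf(conf, operation):
    """Return a list of problems for running `operation` with this config."""
    problems = []
    for key in REQUIRED_KEYS[operation]:
        if key not in conf:
            problems.append(f"{operation}: required key {key} is missing")
    for key in _NUMERIC_KEYS:
        if key in conf and not conf[key].isdigit():
            problems.append(f"{key} must be a decimal number, got {conf[key]!r}")
    url = conf.get("URL", "")
    if url and not url.startswith(("http://", "https://")):
        problems.append(f"URL {url!r} does not look like an HTTP(S) URL")
    if operation != "getca" and "EncCertFile" not in conf:
        # When getca writes both cacert.crt-0 and cacert.crt-1, the RA uses a
        # separate encryption certificate; enroll needs EncCertFile -> the -0 file.
        problems.append("EncCertFile is unset: needed when getca wrote a -0 "
                        "and a -1 certificate (RA with separate encryption cert)")
    return problems


# Constructed sample config modelled on the one posted above (fake host/paths).
SAMPLE_CONF = '''
# URL of the SCEP server (constructed host for this example)
URL             http://ra.example.test/pki/ra-001/cgi-bin/scep/scep
#Proxy          localhost:8080
CACertFile      /tmp/sscep/cacert.crt-1
Verbose         yes
Debug           yes
CAIdentifier    "OpenCA \\"test\\" RA"
FingerPrint     md5
PrivateKeyFile  /tmp/sscep/local.key
LocalCertFile   /tmp/sscep/local.crt
EncCertFile     /tmp/sscep/cacert.crt-0
CertReqFile     /tmp/sscep/local.csr
PollInterval    5
MaxPollTime     28800
MaxPollCount    256
GetCertSerial   1
GetCertFile     /tmp/sscep/cert.crt
GetCrlFile      /tmp/sscep/crl.crl
'''

if __name__ == "__main__":
    conf = parse_sscep_conf(SAMPLE_CONF)
    for op in REQUIRED_KEYS:
        print(op, check_conf(conf, op) or "ok")
    # A minimal "direct to the CA" config like the command line in the first post
    direct = parse_sscep_conf("URL http://caserver/cgi-bin/scep/scep\nCACertFile ca.crt\n")
    print("enroll (direct):", check_conf(direct, "enroll"))
```

Run against a config that names only URL and CACertFile, as the enroll command line at the top of the thread effectively does, the checker reports the missing enroll keys and the absent EncCertFile; the full sample passes for all four operations.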








_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
