Hi Paul,
Paul Charles wrote:
> When you mention a self-signed certificate, what should be the authority that signs the certificate?
The certificate itself; therefore it is called self-signed. If you use SCEP, then your client generates a self-signed cert to sign its PKCS#7 container, and the SCEP server uses this certificate to encrypt the answers.
> Currently, I have two different certificates on the NetScreen box:
> 1) the CA certificate
> 2) the SCEP certificate
This is correct.
> It seems that the certificate that is used to communicate with the SCEP interface is the CA certificate. Could that be the issue?
The certificate which is used with the SCEP interface must be the SCEP certificate (most installation instructions call this certificate the "RA certificate").
> Here is a more complete log message from the NetScreen:
>
> ## 23:39:33 : scep_rsp_cmd: p_scep_context = 66648e8
> ## 23:39:33 : scep_rsp_pkioperation: SCEP_SUCCESS
> ## 23:39:33 : scep_rsp_pkioperation_success: p_scep_context = 66648e8 <056e4540>
> ## 23:39:33 : scep_transaction_id: len = 4 72d7f2bc 56946530 e3aecc71 16e1c0dc
> ## 23:39:33 : X509_new <02082a18>.
> ## 23:39:33 : PKCS7: envoloped.
> ## 23:39:33 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c line=670
Cool, NetScreen uses OpenSSL :)
lib=33     --> ERR_LIB_PKCS7
func=109   --> PKCS7_F_PKCS7_SET_CONTENT
reason=111 --> PKCS7_R_UNSUPPORTED_CIPHER_TYPE
This means that the OpenSSL on the NetScreen box cannot decrypt the message because it does not know the cipher used. We use 3DES by default. Cisco's test equipment cannot handle strong ciphers by default. Perhaps NetScreen has the same problem (our test equipment had no such problems).
BTW, it is not a good idea to put a phone number into the CN of a request.
Michael
P.S. You can find pk7_doit.c in the OpenSSL source code (crypto/pkcs7/pk7_doit.c).
--
-------------------------------------------------------------------
Michael Bell Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre) Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin Email (private): [EMAIL PROTECTED]
Germany http://www.openca.org
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
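To make the failure in the thread concrete, here is an added example; it is not code from the thread, from NetScreen, from OpenCA or from OpenSSL. It builds the minimal PKCS#7 (RFC 2315) EnvelopedData that an SCEP server wraps its reply in, then walks the DER to read the contentEncryptionAlgorithm OID, which is the field a client's PKCS#7 decoder looks up before it can decrypt. A client whose decoder only knows single DES then rejects a 3DES envelope, the situation PKCS7_R_UNSUPPORTED_CIPHER_TYPE describes. The OIDs are the real ones; the recipient name, the RSA-wrapped key and the ciphertext are constructed placeholders, and check_client is a stand-in for the cipher lookup, not OpenSSL's code. On a captured reply, `openssl asn1parse -inform DER -in reply.p7` shows the same algorithm OID.

```python
"""Added example (not from the OpenCA thread, NetScreen or OpenSSL): build a
minimal PKCS#7 EnvelopedData and read back its content-encryption cipher.
Key material and ciphertext are constructed placeholders, not real crypto."""

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_DATA = "1.2.840.113549.1.7.1"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_COMMON_NAME = "2.5.4.3"
OID_DES_EDE3_CBC = "1.2.840.113549.3.7"  # 3DES, the OpenCA default
OID_DES_CBC = "1.3.14.3.2.7"             # single DES
CIPHER_NAMES = {OID_DES_EDE3_CBC: "des-ede3-cbc", OID_DES_CBC: "des-cbc"}

# ---- minimal DER encoder, enough for EnvelopedData ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last byte has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_enveloped_data(cipher_oid, iv, ciphertext, issuer_cn="Test SCEP RA",
                         serial=1, wrapped_key=b"\x00" * 128):
    """ContentInfo{envelopedData, [0] EnvelopedData} with one RSA recipient (placeholder name/key)."""
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, der_oid(OID_COMMON_NAME)
                                       + tlv(0x13, issuer_cn.encode()))))
    recipient = tlv(0x30, der_int(0)                                   # version
                    + tlv(0x30, issuer + der_int(serial))              # issuerAndSerialNumber
                    + tlv(0x30, der_oid(OID_RSA_ENCRYPTION) + b"\x05\x00")
                    + tlv(0x04, wrapped_key))                          # encryptedKey
    enc_content_info = tlv(0x30, der_oid(OID_DATA)
                           + tlv(0x30, der_oid(cipher_oid) + tlv(0x04, iv))  # AlgorithmIdentifier
                           + tlv(0x80, ciphertext))                    # [0] IMPLICIT encryptedContent
    enveloped = tlv(0x30, der_int(0) + tlv(0x31, recipient) + enc_content_info)
    return tlv(0x30, der_oid(OID_ENVELOPED_DATA) + tlv(0xA0, enveloped))

# ---- minimal DER reader ----
def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos; DER forbids indefinite length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def content_cipher_oid(der):
    """Walk ContentInfo -> EnvelopedData -> encryptedContentInfo -> contentEncryptionAlgorithm."""
    tag, content_info, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    (_, ctype), (expl_tag, expl) = der_children(content_info)
    if decode_oid(ctype) != OID_ENVELOPED_DATA or expl_tag != 0xA0:
        raise ValueError("not PKCS#7 envelopedData")
    (_, enveloped), = der_children(expl)
    _version, _recipients, (_, eci) = der_children(enveloped)[:3]
    _ctype, (_, alg_id) = der_children(eci)[:2]
    return decode_oid(der_children(alg_id)[0][1])

def check_client(der, supported_oids):
    """Stand-in for the decoder's cipher lookup: (cipher name, would this client accept it?)."""
    oid = content_cipher_oid(der)
    return CIPHER_NAMES.get(oid, oid), oid in supported_oids

if __name__ == "__main__":
    reply = build_enveloped_data(OID_DES_EDE3_CBC, b"\x01" * 8, b"\xaa" * 16)
    print("server used:", content_cipher_oid(reply))
    print("DES-only client:", check_client(reply, {OID_DES_CBC}))
    print("DES+3DES client:", check_client(reply, {OID_DES_CBC, OID_DES_EDE3_CBC}))
```

Run it and the DES-only client reports ("des-ede3-cbc", False) for a 3DES reply: the envelope is well-formed, the recipient is right, and decryption still cannot start because the cipher identifier is unknown to it. That is the check to make on the real NetScreen response before touching certificates: if the algorithm OID is 1.2.840.113549.3.7 and the device has no 3DES support in its PKCS#7 code, the SCEP server (not the RA/CA certificate setup) has to be configured for a cipher the client understands.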
