Michael Bell wrote:
>> When you mention a self signed certificate, what should be the authority
>> that signs the certificate ?
>
> The certificate itself, therefore it is called self-signed. If you use
> SCEP then your client generates a self-signed cert to sign its PKCS#7
> container and the SCEP server uses this certificate to encrypt the answers.
>

well, it uses the public key from the netscreen, sent in a self-signed cert - but i think this isn't our problem actually ;(

> The certificate which is used with the SCEP interface must be the SCEP
> certificate (most installation instructions call this certificate
> the "RA certificate").
>

right - i don't know if you may be able to set somewhere at netscreen something like: i'm talking to a ca or an ra (like cisco calls it, if you communicate directly with the ca or with an intermediary interface, the ra)

>> Here is a more complete log message from the netscreen:
>
> lib=33 --> ERR_LIB_PKCS7
> func=109 --> PKCS7_F_PKCS7_SET_CONTENT
> reason=111 --> PKCS7_R_UNSUPPORTED_CIPHER_TYPE
>
> This means that the OpenSSL on the netscreen box cannot decrypt the
> message because it does not know the used cipher. We use 3DES by
> default. Cisco's test equipment cannot handle strong ciphers by default.
> Perhaps NetScreen has the same problem (our test equipment had no such
> problems).
>

but the cipher is described in the standard, it should be supported, this is strange...

what key sizes are used? for the ca/ra keys? cisco can only work with up to 2048, maybe netscreen has a similar problem... but since it could send the request - i'm not sure about here...

> P.S. you can find pk7_doit.c in the OpenSSL source code
> (crypto/pkcs7/pk7_doit.c).

but it may be difficult to fix it on the netscreen - or? ;) if there would be a problem...

greetings
dalini
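
Added example, not part of the original mail or of OpenCA: one way to check the two things the thread asks about, the content-encryption cipher inside a PKCS#7 envelope and the recipient key size, with the openssl command line. The certificate, file names and the "supported" cipher list are constructed assumptions, not NetScreen or OpenCA values.

```shell
#!/bin/sh
# Added example: which content-encryption cipher does a PKCS#7 envelope use,
# and how large is the recipient key? All names and files are constructed.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Print the first symmetric cipher name found in a DER PKCS#7 envelope.
p7_cipher() {
    openssl asn1parse -inform DER -in "$1" |
        grep -oE '(des-ede3|des|rc2|aes-[0-9]+)-cbc' | head -n 1
}

# Print the public key size in bits of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the envelope's cipher is in the space-separated list $2.
device_accepts() {
    c=$(p7_cipher "$1")
    [ -n "$c" ] || return 1
    case " $2 " in *" $c "*) return 0 ;; *) return 1 ;; esac
}

# Constructed recipient: a throwaway self-signed cert, like the one a SCEP
# client sends so that the server can encrypt its answer to it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-client" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
echo "constructed reply" > "$work/msg.txt"

# The same reply enveloped twice: once with 3DES, once with AES-128.
openssl smime -encrypt -des3 -in "$work/msg.txt" -outform DER \
    -out "$work/des3.p7" "$work/cert.pem"
openssl smime -encrypt -aes128 -in "$work/msg.txt" -outform DER \
    -out "$work/aes.p7" "$work/cert.pem"

supported="des-cbc rc2-cbc"   # hypothetical cipher list of a restricted client
for f in des3 aes; do
    if device_accepts "$work/$f.p7" "$supported"; then v=accepted; else v=unsupported; fi
    echo "$f.p7: $(p7_cipher "$work/$f.p7"), key $(cert_bits "$work/cert.pem") bits -> $v"
done
```

Run against a captured reply instead of the constructed files, p7_cipher shows whether the envelope really carries 3DES, which is the cipher a client reporting PKCS7_R_UNSUPPORTED_CIPHER_TYPE would need to support.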
