=>On Sun, Mar 05, 2000 at 10:26:43PM -0800, I wrote:
 =>> [...]
 =>> I'm trying to use OpenSSL to create certificates for a Cisco PIX
 =>> firewall/vpn box.  I've been able to download my CA cert to the PIX,
 =>> and (thanks to Matt Burgoon!) I've extracted the PIX's certificate
 =>> request from the PKCS7 object it sends when you tell it to acquire a
 =>> cert.  However, the protocol for returning a certificate to the PIX
 =>> differs somewhat from the way a Cisco router works, so I don't believe

 =>Vadim Fedukovich <[EMAIL PROTECTED]> replied:
 =>...
 =>Can you please be more specific: PIX's protocol differs from what?
 =>There's a way defined in scep_wp.htm to get a cert back to PIX;
 =>do you believe it doesn't work?

Sorry for not being more specific.  I believe Matt had success by
signing the certificate request, encoding it as a BASE64 string, and
typing that into the router configuration.  (Cisco uses a text-format
configuration; I suppose he downloaded the config, edited it using a
normal editor, and uploaded it again.)  The PIX also has a readable
text configuration, but I don't have an example of what a
configuration containing a certificate looks like, so I can't edit it
to resemble a working one.  The Cisco document I referenced describes
a web-server-based certificate enrollment protocol: the PIX sends and
receives data over an HTTP connection.

It sends a "GetCACert" request to which I have successfully responded
with an "application/x-x509-ca-cert" body, and a "PKIOperation"
(Request Certificate) request, whose body I have been able to
decode and sign, but the response to that request is one of three
PKCS7 messages: "PENDING", "FAILURE", or "SUCCESS", which messages I
haven't been able to generate yet.  (The "SUCCESS" message contains
the signed certificate.)

So, I'd like to generate those PKCS7 messages (as specified in the
scep_wp.htm document).  I believe that if I can generate them
correctly, I'll be able to use OpenSSL to produce certificates that
play nicely with the Cisco.

regards,
d.
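The "SUCCESS" response described above carries the newly signed certificate inside a PKCS7 structure. The innermost layer of that structure is a degenerate "certs-only" SignedData (no signers, no digest algorithms, just a certificates field). The Python below is an added illustration, not code from this thread or from OpenSSL or Cisco: it hand-encodes that certs-only SignedData in DER and parses it back out, so the shape of the object is visible byte by byte. It does not build the outer enveloping and signing layers that the SCEP document requires around it, and `FAKE_CERT_DER` is a constructed stand-in blob, not a real X.509 certificate, since the wrapper never looks inside the certificate it carries.

```python
"""Build and read a degenerate (certs-only) PKCS#7 SignedData in DER.

This is the innermost structure of an SCEP "SUCCESS" certificate response.
The surrounding EnvelopedData/SignedData layers are NOT produced here.
Added example; hand-rolled DER rather than the openssl CLI so it runs stand-alone.
"""

# PKCS#7 (RFC 2315) content-type OIDs
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_integer(v: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def der_sequence(content: bytes) -> bytes:
    return der_tlv(0x30, content)


def der_set(content: bytes) -> bytes:
    return der_tlv(0x31, content)


def certs_only_pkcs7(cert_der: bytes) -> bytes:
    """ContentInfo { signedData, [0] SignedData { version 1, digestAlgorithms {},
    contentInfo { data }, certificates [0] { cert }, signerInfos {} } }."""
    signed_data = der_sequence(
        der_integer(1)                             # version
        + der_set(b"")                             # digestAlgorithms: empty SET
        + der_sequence(der_oid(OID_PKCS7_DATA))    # contentInfo: data, no content
        + der_tlv(0xA0, cert_der)                  # certificates [0] IMPLICIT
        + der_set(b"")                             # signerInfos: empty SET
    )
    return der_sequence(der_oid(OID_PKCS7_SIGNED_DATA) + der_tlv(0xA0, signed_data))


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; returns (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content: bytes):
    """Split a constructed value into its (tag, content) children."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def extract_certificates(p7: bytes) -> list:
    """Return the DER certificates carried in a signedData ContentInfo."""
    tag, content, _ = der_read(p7)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    (oid_tag, oid_body), (exp_tag, sd_tlv) = der_children(content)
    if der_tlv(oid_tag, oid_body) != der_oid(OID_PKCS7_SIGNED_DATA) or exp_tag != 0xA0:
        raise ValueError("not a signedData ContentInfo")
    _, sd_content, _ = der_read(sd_tlv)
    fields = der_children(sd_content)
    for tag, body in fields[3:]:            # after version, digestAlgorithms, contentInfo
        if tag == 0xA0:                      # certificates [0] IMPLICIT
            return [der_tlv(t, b) for t, b in der_children(body)]
    return []


# Constructed stand-in for a DER certificate (NOT a real X.509 object);
# long enough to exercise long-form length encoding.
FAKE_CERT_DER = der_sequence(der_tlv(0x04, b"constructed certificate stand-in " * 6))

if __name__ == "__main__":
    p7 = certs_only_pkcs7(FAKE_CERT_DER)
    print(len(p7), "bytes; round-trips:", extract_certificates(p7) == [FAKE_CERT_DER])
```

Because the structure is plain DER, the output of `certs_only_pkcs7` can be inspected with an ASN.1 dumper and compared against what a real CA returns; the same reader walks a certs-only PKCS7 regardless of who produced it.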
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]