I have a large set of sscep (version 20081211 and 20030417) clients running on OpenBSD 3.7/4.0. Clients generate local certs and enroll with a Microsoft CA + mscep add-on. Enrollment and obtaining the CRL using a Win2000 or Win2003 CA with the relevant mscep add-on works perfectly fine. However, a new standalone 2008 R2 CA setup with built-in mscep (NDES) successfully enrolls the clients but fails with Event ID 45 when the CRL is checked.
Is there something that I can tweak in sscep to fix this issue? OBSD sscep calls, configuration and local.crt/local.csr are attached. Thanks,

Error message <==========

MSCEP Event ID 45, NetworkDeviceEnrollmentService
The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request.

sscep enrollment <==========

./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: SCEP_OPERATION_GETCA
./sscep: requesting CA certificate
./sscep: server returned status code 200
./sscep: MIME header: application/x-x509-ca-ra-cert
./sscep: valid response from server
./sscep: found certificate with
  subject: /C=US/CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Digital Signature
  SHA1 fingerprint: E8:C9:5C:C5:CF:44:37:91:DA:52:AD:3B:E8:92:03:D6:8E:EE:23:85
./sscep: writing cert
./sscep: certificate written as ./ca.crt-0
./sscep: found certificate with
  subject: /C=US/CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Key Encipherment
  SHA1 fingerprint: 84:FC:93:08:83:0E:4B:35:07:AF:B8:34:5E:5A:6A:E5:AE:21:BC:C7
./sscep: writing cert
./sscep: certificate written as ./ca.crt-1
./sscep: found certificate with
  subject: /CN=SCEPCA
  issuer: /CN=SCEPCA
  usage: Digital Signature, Certificate Sign, CRL Sign
  SHA1 fingerprint: 18:27:7C:13:EE:8F:4A:D5:C6:C9:45:F2:31:0F:8F:B8:0F:8C:11:F0
./sscep: writing cert
./sscep: certificate written as ./ca.crt-2

./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: generating selfsigned certificate
./sscep: SCEP_OPERATION_ENROLL
./sscep: sending certificate request
./sscep: creating inner PKCS#7
./sscep: data payload size: 248 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 639 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 1881 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 1636 bytes
./sscep: PKCS#7 contains 1022 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 32 bytes for attribute
./sscep: reply transaction id: DAD6C1C6EB4612955FEC920B673C8B8D
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 4027FE45D2970C43AE4428FD48F1CE77
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 87638C2A48BAB67866B02C21CF1CD4CE
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: SUCCESS
./sscep: reading inner PKCS#7
./sscep: decrypting inner PKCS#7
./sscep: PKCS#7 payload size: 803 bytes
./sscep: found certificate with
  subject: /CN=172.16.37.5
  issuer: /CN=SCEPCA
./sscep: writing cert
./sscep: certificate written as ./local.crt

./sscep: starting sscep, version 20030417
./sscep: hostname: 172.16.37.2
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: SSCEP transactionId
./sscep: SCEP_OPERATION_GETCRL
./sscep: requesting crl
./sscep: data payload size: 33 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 419 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 2121 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 615 bytes
./sscep: PKCS#7 contains 1 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 19 bytes for attribute
./sscep: reply transaction id: SSCEP transactionId
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 5C25503DE15D97479A602AD6ACC5C809
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 07C908B0B8D06205AD04464D7B595EC0
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Transaction not permitted or supported
./sscep: illegal size of payload

sscep.conf <==========

# sscep.conf -- configuration file for SSCEP
#
URL             http://172.16.37.2/certsrv/mscep/mscep.dll
IPAddress       172.16.37.5
CACertFile      ./ca.crt
# CAIdentifier  "CA-CA"
Verbose         yes
Debug           no
FingerPrint     sha1
PrivateKeyFile  ./local.key
LocalCertFile   ./local.crt
EncCertFile     ./ca.crt-1
CertReqFile     ./local.csr
# GetCertSerial 1
GetCrlFile      ./crl.pem
PollInterval    6
MaxPollTime     28800
MaxPollCount    256

local.crt <==========

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:4f:c4:b1:00:00:00:00:00:0a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=SCEPCA
        Validity
            Not Before: Jun 26 16:57:42 2011 GMT
            Not After : Jun 26 17:07:42 2012 GMT
        Subject: CN=172.16.37.5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
                    b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
                    3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
                    c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
                    1b:42:34:76:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:172.16.37.5
            X509v3 Subject Key Identifier:
                71:7E:DE:A8:55:97:DF:F7:38:1D:85:1D:EA:4F:A5:3E:16:6E:DB:AB
            X509v3 Authority Key Identifier:
                keyid:AF:25:51:5F:43:9B:2F:8F:AD:8A:50:33:F4:25:A9:1F:AD:4E:88:92
            X509v3 CRL Distribution Points:
                URI:file://CA/CertEnroll/SCEPCA.crl
            Authority Information Access:
                CA Issuers - URI:file://CA/CertEnroll/CA_SCEPCA.crt
            1.3.6.1.4.1.311.20.2:
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
        a9:13:78:63:c2:7f:22:66:83:2d:19:a8:48:34:9c:6d:67:2f:
        b0:ea:67:6d:0e:d9:f4:28:35:75:59:7a:b6:8b:5c:ec:af:06:.............<snip>

local.csr <==========

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=172.16.37.5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c8:4c:24:4e:82:f7:68:96:cd:35:13:58:ab:60:
                    b3:21:99:cf:1c:3b:12:d8:fc:11:bf:c1:da:db:71:
                    3d:76:81:c3:57:76:fa:3f:17:3d:f0:71:7b:0c:b2:
                    c1:80:cc:82:20:00:6c:e9:98:24:37:ce:3c:0a:9f:
                    1b:42:34:76:3f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: critical
                IP Address:172.16.37.5
    Signature Algorithm: md5WithRSAEncryption
        58:82:5c:07:e8:ec:0a:35:9f:e7:64:9b:c4:77:e4:13:3c:48:
        90:d1:b2:d0:dd:e5:92:26:d9:83:76:32:67:dd:99:2d:e4:d0:
        58:d4:f0:7e:8d:c0:1c:74:f7:d9:eb:34:25:50:de:2f:0f:fc:
        17:c4:0b:bb:99:51:6f:8d:34:d3
-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGgAgEAMBYxFDASBgNVBAMTCzE3Mi4xNi4zNy41MFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBAMhMJE6C92iWzTUTWKtgsyGZzxw7Etj8Eb/B2ttxPXaBw1d2+j8X
PfBxewyywYDMgiAAbOmYJDfOPAqfG0I0dj8CAwEAAaAlMCMGCSqGSIb3DQEJDjEW
MBQwEgYDVR0RAQH/BAgwBocErBAlBTANBgkqhkiG9w0BAQQFAANBAFiCXAfo7Ao1
n+dkm8R35BM8SJDRstDd5ZIm2YN2MmfdmS3k0FjU8H6NwBx099nrNCVQ3i8P/BfE
C7uZUW+NNNM=
-----END CERTIFICATE REQUEST-----

--
View this message in context: http://old.nabble.com/sscep-crl-check-works-in-Win2000-2003-server-but-fails-in-2008-tp31940861p31940861.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
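An added example, not part of the post above and not sscep's or NDES's own code. The GetCRL step in the log reports a data payload of 33 bytes, and that is exactly the DER size of a PKCS#7 IssuerAndSerialNumber built from local.crt's issuer (/CN=SCEPCA) and its 10-byte serial number (12:4f:c4:b1:00:00:00:00:00:0a), which is consistent with the request carrying the device certificate's (issuer, serial) pair rather than a CA certificate's. The script below, standard library only, encodes that structure, decodes it back, and mimics the lookup Event ID 45 describes against the (issuer, serial) pairs one would read from the ca.crt-N files with `openssl x509 -noout -issuer -serial`. Assumptions: the CA serial number in CA_CERTS is constructed (the log shows only fingerprints for those certificates), name values are encoded as PrintableString, and the small OID-to-name table covers only the attribute types printed in the log.

```python
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
STRING_TAGS = {0x13, 0x0C, 0x16}  # PrintableString, UTF8String, IA5String

# From the page: local.crt has Issuer CN=SCEPCA and this 10-byte serial number.
LOCAL_ISSUER = [[("2.5.4.3", "SCEPCA")]]
LOCAL_SERIAL = int.from_bytes(bytes.fromhex("12 4f c4 b1 00 00 00 00 00 0a"), "big")
# Constructed: sscep printed only a fingerprint for ca.crt-2 (the self-signed
# /CN=SCEPCA certificate), so the CA serial number used here is invented.
CA_CERTS = [([[("2.5.4.3", "SCEPCA")]], 0x6A4B2C1D0000000000A1)]

def der_length(n):
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                           # base-128, continuation bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(rdns):
    # rdns: list of RDNs, each a list of (dotted OID, text); values as PrintableString
    sets = b""
    for rdn in rdns:
        atvs = b"".join(tlv(0x30, encode_oid(oid) + tlv(0x13, val.encode("ascii")))
                        for oid, val in rdn)
        sets += tlv(0x31, atvs)                    # RDN = SET OF AttributeTypeAndValue
    return tlv(0x30, sets)

def encode_issuer_and_serial(issuer_rdns, serial):
    """DER IssuerAndSerialNumber, the messageData sscep sends in a GetCRL request."""
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return tlv(0x30, encode_name(issuer_rdns) + serial_der)

def read_tlv(buf, pos=0):
    # returns (tag, body, position after the TLV); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(body):
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(rdn_body):
            _, atv, p = read_tlv(rdn_body, p)
            _, oid_body, q = read_tlv(atv)
            val_tag, val_body, _ = read_tlv(atv, q)
            text = val_body.decode("utf-8") if val_tag in STRING_TAGS else val_body.hex()
            rdn.append((decode_oid(oid_body), text))
        rdns.append(rdn)
    return rdns

def decode_issuer_and_serial(der):
    tag, body, _ = read_tlv(der)
    name_tag, name_body, pos = read_tlv(body)
    int_tag, int_body, _ = read_tlv(body, pos)
    if (tag, name_tag, int_tag) != (0x30, 0x30, 0x02):
        raise ValueError("not an IssuerAndSerialNumber")
    return decode_name(name_body), int.from_bytes(int_body, "big", signed=True)

def name_to_str(rdns):
    # OpenSSL one-line form, e.g. /C=US/CN=SCEPCA
    return "".join("/%s=%s" % (OID_NAMES.get(o, o), v) for rdn in rdns for o, v in rdn)

def find_matching_ca(request_der, ca_certs):
    """The lookup Event ID 45 describes: index of the CA cert whose (issuer, serial) equals the request's, else None."""
    issuer, serial = decode_issuer_and_serial(request_der)
    for i, (ca_issuer, ca_serial) in enumerate(ca_certs):
        if ca_issuer == issuer and ca_serial == serial:
            return i
    return None
```

Calling `encode_issuer_and_serial(LOCAL_ISSUER, LOCAL_SERIAL)` yields 33 bytes, the size the log reports for the GetCRL payload, and `find_matching_ca` returns None for it because no CA certificate carries the device certificate's serial; the same function returns an index when the request is built from a CA certificate's own (issuer, serial) pair. To check a real deployment, replace CA_CERTS with the issuer and serial of each ca.crt-N file.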