Hi
I am trying to set up a SCEP auto-enroll environment for our Cisco routers.
I did a basic setup of OpenXPKI and I am able to get the CA cert over
SCEP, but I can't get a cert.
In /var/openxpki/openxpki.log I get the error "cannot decrypt request":
----------------------------------------------------------
2015/07/09 23:43:26 openxpki.system.ERROR:15526 [OpenXPKI::Crypto::CLI
(437); scep-server-1()@7f9e] test show cmd: crl2pkcs7 -nocrl -outform
DER -out /var/tmp/openxpki15526UkPNsHrM -certfile
/var/tmp/openxpki15526gM6Qyd39 -certfile /var/tmp/openxpki155264JL3FgaB
-certfile /var/tmp/openxpki15526aqpi2m2k
2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI
(437); scep-server-1()@ade4] test show cmd: -print_msgtype -noout
-inform DER -in /var/tmp/openxpki15529VxIZliaO -out
/var/tmp/openxpki15529xGeYwph3
2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI
(437); scep-server-1()@ade4] test show cmd: -print_transid -noout
-inform DER -in /var/tmp/openxpki15529meJun913 -out
/var/tmp/openxpki155297Dj03OP6
2015/07/09 23:43:27 openxpki.application.INFO:15529
[OpenXPKI::Service::SCEP::Command::PKIOperation
(/usr/lib/perl5/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:274);
scep-server-1()@ade4] SCEP incoming request, id
1657BD9DB46D4883E090A74B17F61014
2015/07/09 23:43:27 openxpki.application.INFO:15529
[OpenXPKI::Service::SCEP::Command::PKIOperation (324);
scep-server-1()@ade4] SCEP try to start new workflow for
1657BD9DB46D4883E090A74B17F61014
2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI
(437); scep-server-1()@ade4] test show cmd: -print_req -noout -passin
env:pwd -keyfile /etc/openxpki/ssl/ca-one/ca-one-scep-1.pem -in
/var/tmp/openxpki15529by9Quqwf -out /var/tmp/openxpki15529dthmLl9T
2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI
(437); scep-server-1()@ade4] OpenSSL error (exit_status): scep.c:1183:
cannot decrypt request
2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Service::SCEP
(/usr/lib/perl5/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ade4]
Error executing SCEP command 'PKIOperation':
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
----------------------------------------------------------
My /etc/openxpki/config.d/realm/ca-one/scep/scep-server-1.yaml looks
like this:
----------------------------------------------------------
# By default, all scep endpoints will use the default token defined
# by the scep token group, if you pass a name here, it is considered
# a group name from the alias table
#token: ca-one-special-scep
# Earliest time to create a renewal request
renewal_period: 000014
replace_period: 05
revoke_on_replace:
    reason_code: keyCompromise
    invalidity_time: +000014
workflow_type: enrollment
# allow rsa keys with 1020 to 2048 bit
# the 1020 is necessary as some implementations can have
# leading 0 in the modulus which will reduce the bitcount
key_size:
    rsaEncryption: 200-4096
hash_type: sha1 sha256
authorized_signer_on_behalf:
    rule1:
        # Full DN
        subject: CN=.+:scepclient,.*
policy:
    allow_anon_enroll: 0
    allow_man_authen: 1
    allow_man_approv: 1
    max_active_certs: 1
    allow_expired_signer: 0
    auto_revoke_existing_certs: 1
    approval_points: 1
response:
    # The scep standard is a bit unclear if the root should be in the chain or not
    # We consider it a security risk (trust should be always set by hand) but
    # as most clients seem to expect it, we include the root by default
    # If you are sure your clients do not need the root, set this to 1
    getcacert_strip_root: 0
# Mapping of names to OpenXPKI profiles to be used with the
# Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
profile_map:
    pc-client: I18N_OPENXPKI_PROFILE_USER_AUTHENTICATION
subject_style: enroll
challenge:
    value: pass
eligible:
    initial:
        value: 1
    renewal:
        value: 1
----------------------------------------------------------
and the /etc/openxpki/scep/default.conf looks like this:
----------------------------------------------------------
[global]
log_config = /etc/openxpki/scep/log.conf
log_facility = client.scep
socket=/var/openxpki/openxpki.socket
realm=ca-one
iprange=0.0.0.0/0
profile=I18N_OPENXPKI_PROFILE_TLS_SERVER
servername=scep-server-1
encryption_algorithm=DES
hash_algorithm=SHA1
----------------------------------------------------------
On the cisco router, the trustpoint looks like this:
----------------------------------------------------------
crypto pki trustpoint CA_ONE
 enrollment retry count 5
 enrollment retry period 3
 enrollment mode ra
 enrollment url http://10.251.194.73:80/scep/scep
 serial-number none
 ip-address none
 subject-name cn=router1.test.local
 vrf mgmt
 revocation-check none
 source interface Loopback0
 rsakeypair CA-ONE-RSAKEYPAIR
 auto-enroll regenerate
----------------------------------------------------------
Since I am new to OpenXPKI and this SCEP auto-enroll thing, it is
probably a simple configuration problem.
Does anyone have some suggestions on how I can solve this?
Thanks in advance
Regards,
Lukas
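The log above shows OpenXPKI trying to open the PKCS#7 envelope with the SCEP token key (-keyfile ca-one-scep-1.pem) and OpenSSL's scep tool failing with "cannot decrypt request", which is what happens when the router encrypted to a certificate that does not belong to that key. The script below is an added diagnostic, not part of the post or of OpenXPKI: it checks that the key file and the SCEP certificate share a public key, and that this certificate is among those returned by GetCACert. The key and cert file names are placeholders (only the key path appears in the post); an encrypted key file gets its passphrase from the assumed SCEP_KEY_PASS variable, mirroring the "-passin env:pwd" seen in the log.

```shell
#!/bin/sh
# Added diagnostic for "cannot decrypt request" (not part of the post or OpenXPKI).
# Assumed: SCEP_KEY_PASS carries the key passphrase, empty for an unencrypted key.
SCEP_KEY_PASS="${SCEP_KEY_PASS:-}"; export SCEP_KEY_PASS

# SHA-256 of the DER SubjectPublicKeyInfo of a private key ("key") or a cert.
pubkey_fp() {
  { if [ "$2" = key ]; then
      openssl pkey -in "$1" -passin env:SCEP_KEY_PASS -pubout -outform DER
    else
      openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
    fi; } 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 1: succeeds when the private key and the certificate share a public key.
key_matches_cert() {
  k=$(pubkey_fp "$1" key); c=$(pubkey_fp "$2" cert)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: succeeds when cert $1 is inside the DER PKCS#7 GetCACert response
# saved in file $2, e.g. fetched with
#   curl -s 'http://10.251.194.73/scep/scep?operation=GetCACert&message=CA' -o ca.p7
cert_in_getcacert() {
  want=$(pubkey_fp "$1" cert); found=0; d=$(mktemp -d)
  # split the -print_certs output into one PEM file per certificate
  openssl pkcs7 -inform DER -in "$2" -print_certs 2>/dev/null \
    | awk -v d="$d" '/BEGIN CERT/{n++; f=d "/" n ".pem"; p=1} p{print > f} /END CERT/{p=0}'
  for f in "$d"/*.pem; do
    [ -f "$f" ] || continue
    [ "$(pubkey_fp "$f" cert)" = "$want" ] && found=1
  done
  rm -rf "$d"
  [ "$found" = 1 ]
}

# Usage: ./scep_check.sh <scep-key.pem> <scep-cert.pem> <getcacert.p7>
if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "key matches cert" || echo "KEY/CERT MISMATCH"
  cert_in_getcacert "$2" "$3" && echo "cert served by GetCACert" || echo "cert NOT served"
fi
```

If check 1 fails, the token key and the certificate OpenXPKI presents as the SCEP RA identity were not generated together; if check 2 fails, the router never received the RA certificate and encrypts to a different one from the chain.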
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users