Hi Lukas,

On 10.07.2015 at 00:20, Lukas Habegger wrote:
> I am trying to set up a SCEP auto-enroll environment for our Cisco routers. I did a basic setup of OpenXPKI and I am able to get the CA cert over SCEP, but I can't get a cert. In /var/openxpki/openxpki.log I get the error "cannot decrypt request":
>
> ----------------------------------------------------------
> 2015/07/09 23:43:26 openxpki.system.ERROR:15526 [OpenXPKI::Crypto::CLI (437); scep-server-1()@7f9e] test show cmd: crl2pkcs7 -nocrl -outform DER -out /var/tmp/openxpki15526UkPNsHrM -certfile /var/tmp/openxpki15526gM6Qyd39 -certfile /var/tmp/openxpki155264JL3FgaB -certfile /var/tmp/openxpki15526aqpi2m2k
> 2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI (437); scep-server-1()@ade4] test show cmd: -print_msgtype -noout -inform DER -in /var/tmp/openxpki15529VxIZliaO -out /var/tmp/openxpki15529xGeYwph3
> 2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI (437); scep-server-1()@ade4] test show cmd: -print_transid -noout -inform DER -in /var/tmp/openxpki15529meJun913 -out /var/tmp/openxpki155297Dj03OP6
> 2015/07/09 23:43:27 openxpki.application.INFO:15529 [OpenXPKI::Service::SCEP::Command::PKIOperation (/usr/lib/perl5/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:274); scep-server-1()@ade4] SCEP incoming request, id 1657BD9DB46D4883E090A74B17F61014
> 2015/07/09 23:43:27 openxpki.application.INFO:15529 [OpenXPKI::Service::SCEP::Command::PKIOperation (324); scep-server-1()@ade4] SCEP try to start new workflow for 1657BD9DB46D4883E090A74B17F61014
> 2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI (437); scep-server-1()@ade4] test show cmd: -print_req -noout -passin env:pwd -keyfile /etc/openxpki/ssl/ca-one/ca-one-scep-1.pem -in /var/tmp/openxpki15529by9Quqwf -out /var/tmp/openxpki15529dthmLl9T
> 2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Crypto::CLI (437); scep-server-1()@ade4] OpenSSL error (exit_status): scep.c:1183: cannot decrypt request
> 2015/07/09 23:43:27 openxpki.system.ERROR:15529 [OpenXPKI::Service::SCEP (/usr/lib/perl5/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ade4] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
This means that OpenXPKI is not able to unwrap the SCEP transport container. Check that the key file of the SCEP token is named properly, is readable and is unlocked (password set in the config or entered on the UI).

If this is OK, did you set up a "complex" CA/RA/SCEP chain or did you use the default settings provided? We had problems with Cisco routers when the CA cert and issuer are not under the same root. To test this, extract the PKCS#7 from the workflow and try to decrypt it using the CA signing key.
Oliver

--
Protect your environment - close windows and adopt a penguin!
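The two checks suggested in the reply, carried out by hand, as an added example that is not part of the thread and is not OpenXPKI's own tooling: plain openssl is used first to confirm that the SCEP token key file is present, readable and unlocks with its passphrase, then to unwrap a SCEP PKIOperation (SignedData around EnvelopedData around the PKCS#10) and decrypt the envelope with that key. The file names, the `SCEP_KEY_PASS` variable and the generated sample request are assumptions and constructed data for this example, not taken from the original message; on a real system the DER input is the PKCS#7 exported from the workflow and the key is the token key file named in the log.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenXPKI itself: the two checks
# from the reply, done by hand with plain openssl.
#   1. Is the SCEP token key file present, readable and unlockable?
#   2. Does that key open the pkcsPKIEnvelope inside a PKIOperation, i.e.
#      did the router encrypt its request for *this* certificate?
# Assumed (not from the original message): key and cert in PEM, the request
# in DER, and the key passphrase in the environment variable SCEP_KEY_PASS.
set -u

# Check 1: key file exists, this user can read it, and it unlocks.
scep_check_token_key() {
    key="$1"
    [ -f "$key" ] || { echo "key file $key does not exist" >&2; return 1; }
    [ -r "$key" ] || { echo "key file $key not readable by $(id -un)" >&2; return 1; }
    # 'pkey -noout' exits non-zero for a garbled PEM or a wrong passphrase.
    openssl pkey -in "$key" -passin env:SCEP_KEY_PASS -noout 2>/dev/null ||
        { echo "key file $key does not unlock with SCEP_KEY_PASS" >&2; return 1; }
}

# Check 2: a PKIOperation is SignedData (router's self-signed cert) around
# EnvelopedData (encrypted for the SCEP token cert) around the PKCS#10.
# -noverify skips validation of the router's signer chain; only the payload
# matters here.  When decryption fails, the RecipientInfo is dumped so its
# issuer/serial can be compared with the token certificate.
scep_decrypt_request() {
    req="$1" cert="$2" key="$3" out="$4"
    wrapped=$(mktemp) || return 1
    if ! openssl cms -verify -noverify -binary -inform DER -in "$req" -out "$wrapped" 2>/dev/null; then
        echo "$req is not a SignedData container (or is malformed)" >&2
        rm -f "$wrapped"; return 1
    fi
    if ! openssl cms -decrypt -inform DER -in "$wrapped" -recip "$cert" -inkey "$key" \
            -passin env:SCEP_KEY_PASS -out "$out" 2>/dev/null; then
        echo "cannot decrypt request with $cert / $key; it was encrypted for:" >&2
        openssl cms -cmsout -print -noout -inform DER -in "$wrapped" 2>/dev/null |
            sed -n '/recipientInfos/,/keyEncryptionAlgorithm/p' >&2
        echo "compare with: openssl x509 -in $cert -noout -issuer -serial" >&2
        rm -f "$wrapped"; return 1
    fi
    rm -f "$wrapped"
    openssl req -inform DER -in "$out" -noout 2>/dev/null ||
        { echo "decrypted payload is not a PKCS#10" >&2; return 1; }
}

# Constructed sample, not a router capture: a SCEP token (encrypted key) and
# a router that envelopes its PKCS#10 for the token cert and signs it with
# its own self-signed cert, the same layering as a real PKIOperation.
build_sample_request() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=ca-one-scep-1" \
        -keyout "$dir/scep-key.pem" -out "$dir/scep-cert.pem" -passout env:SCEP_KEY_PASS 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=router1" \
        -keyout "$dir/router-key.pem" -out "$dir/router-cert.pem" 2>/dev/null
    openssl req -new -key "$dir/router-key.pem" -subj "/CN=router1" \
        -outform DER -out "$dir/router.p10" 2>/dev/null
    openssl cms -encrypt -aes128 -binary -in "$dir/router.p10" \
        -outform DER -out "$dir/envelope.der" "$dir/scep-cert.pem"
    openssl cms -sign -binary -nodetach -in "$dir/envelope.der" -signer "$dir/router-cert.pem" \
        -inkey "$dir/router-key.pem" -outform DER -out "$dir/pkioperation.der"
}

# Stand-alone run: the right token decrypts the request; an unrelated token
# (the wrong-key / wrong-chain case from the reply) does not.
run_demo() {
    dir=$(mktemp -d)
    export SCEP_KEY_PASS=demo-passphrase
    build_sample_request "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ra" \
        -keyout "$dir/other-key.pem" -out "$dir/other-cert.pem" 2>/dev/null
    scep_check_token_key "$dir/scep-key.pem" && echo "token key OK"
    scep_decrypt_request "$dir/pkioperation.der" "$dir/scep-cert.pem" \
        "$dir/scep-key.pem" "$dir/out.p10" &&
        echo "decrypted: $(openssl req -inform DER -in "$dir/out.p10" -noout -subject)"
    scep_decrypt_request "$dir/pkioperation.der" "$dir/other-cert.pem" \
        "$dir/other-key.pem" "$dir/out2.p10" || echo "(expected failure with unrelated token)"
    rm -rf "$dir"
}
run_demo
```

If the key check passes but decryption fails, the dumped RecipientInfo normally shows why: the issuer and serial the router encrypted for belong to a different certificate than the one whose key the SCEP token holds, which is the mismatched CA/RA/SCEP chain situation described in the reply.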
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
