Hi all,

I am trying to set up OpenXPKI to manage certificates on a Cisco IPsec GW with 
IKEv2 (manual enrollment).

I'm facing the same error as Lukas Habegger in 2015: I succeed in getting the 
CA certificate on the Cisco box (crypto pki authenticate GEN-TRUST-PKI-MEA) but 
get a message "failed" when trying "crypto pki enroll GEN-TRUST-PKI-MEA".

The log on the OpenXPKI server shows:

2016/11/24 17:02:39 openxpki.application.INFO:16730 [OpenXPKI::Service::SCEP::Command::PKIOperation (415); scep-server-1()@9c5d] SCEP try to start new workflow for 180B055EB43D7C78552B91E010A25F8C
2016/11/24 17:02:39 openxpki.system.ERROR:16730 [OpenXPKI::Crypto::CLI (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Crypto/CLI.pm:435); scep-server-1()@9c5d] OpenSSL error: scep.c:1183: cannot decrypt request
2016/11/24 17:02:39 openxpki.system.ERROR:16730 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@9c5d] Error executing SCEP command 'PKIOperation': I18N_OPEN_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10

The Cisco box PKI configuration is:

crypto pki trustpoint GEN-TRUST-PKI-MEA
 enrollment mode ra
 enrollment url http://10.102.1.1:80/scep/scep
 usage ike
 serial-number none
 fqdn none
 ip-address none
 subject-name CN=asr1.mea.com
 revocation-check none
 rsakeypair PKI_MEA 2048
 storage nvram:

The OpenXPKI configuration uses the example scripts.

In 2015, the answer was:

"This means that OpenXPKI is not able to unwrap the SCEP transport
container - check if your key file of the scep token is named properly,
readable and is unlocked (password set in config or entered on the UI)."

Could you please tell me how I can do these checks?
I'm not able to see the scep alias in the UI. Could it be the source of my 
problem?
Any other hints that could be useful?

Thanks in advance,

By the way, you've done a great job with OpenXPKI ;-).

Régis
------------------------------------------------------------------------------
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
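
Added example, not part of the original message and not OpenXPKI code: one way to run the checks named in the quoted 2015 answer (key file readable, passphrase unlocks it) plus a key/certificate match, using only the openssl CLI. The function name and its three arguments (key path, certificate path, passphrase) are assumptions; pass the key path exactly as the realm's crypto configuration names it.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with OpenXPKI).
# Usage: check_scep_token /path/to/scep-key.pem /path/to/scep-cert.pem 'passphrase'
# Run it as the account the OpenXPKI daemon runs under, so that the
# readability test reflects what the server itself can see.
# Return codes: 0 ok, 1 unreadable key, 2 wrong passphrase, 3 key/cert mismatch.

check_scep_token() {
    key=$1
    cert=$2
    pass=$3

    # 1. The key file must exist under the configured name and be readable.
    if [ ! -r "$key" ]; then
        echo "FAIL: key file '$key' is missing or not readable"
        return 1
    fi

    # 2. The passphrase from the configuration must unlock the key.
    #    It is handed over via the environment, not the command line,
    #    so it does not show up in the process list.
    if ! SCEP_PASS="$pass" openssl pkey -in "$key" -passin env:SCEP_PASS \
            -noout 2>/dev/null; then
        echo "FAIL: passphrase does not unlock '$key'"
        return 2
    fi

    # 3. The private key must belong to the SCEP certificate: a client
    #    encrypts its request to the certificate's public key, so a key
    #    that does not match cannot decrypt it.
    key_pub=$(SCEP_PASS="$pass" openssl pkey -in "$key" \
                  -passin env:SCEP_PASS -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: '$key' does not match certificate '$cert'"
        return 3
    fi

    echo "OK: key is readable, unlocks, and matches the certificate"
    return 0
}
```

Any non-zero result is consistent with the "cannot decrypt request" line in the log above.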