Hi everyone,

I am currently trying to put together a test server running OpenXPKI in order 
to manage the certificates of the company. To give a little bit of insight, our 
corporate laptops are MacBooks, and we are managing them with a solution called 
JAMF that allows us to configure the use of a SCEP server for automatic 
enrollment. We would like to have automatic distribution of certificates to 
enable 802.1X with EAP-TLS on our network. The first step was to create a test 
instance of OpenXPKI and test the sscep server. Thanks to the help of the 
people on this mailing list, this worked fine and the SCEP server is working so 
I can get a certificate with the sscep client (shout-out to Martin for the 
solution). However, when the MacBook requests the certificate I get an error 500 
from the server and OpenXPKI throws this error in the logs:

2019/05/02 16:16:42 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
2019/05/02 16:16:42 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
2019/05/02 16:16:42 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]

The base64-encoded message that the MacBook is sending to the SCEP server is 
the following:


Both those commands can be used to decode it:

cat request.txt | perl -pe 'use MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' | openssl asn1parse -inform DER

cat request.txt | perl -pe 'use MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' | openssl pkcs7 -inform DER -print_certs -text

I do not know if anybody ever tried that, could not find much info online about 
it. So not really sure how to troubleshoot it.

Hope someone can help me with this. Thanks in advance to everyone :)

Best,

--
Nicolas Merle
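
Added example (not from the original post or from the OpenXPKI project): the same decoding steps as the Perl one-liner above, in Python, followed by a look at the outer PKCS#7 ContentInfo to report its content type and whether it uses definite or indefinite length encoding. The function names and the sample request are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote

# DER-encoded OID bodies of the PKCS#7 content types (RFC 2315)
PKCS7_TYPES = {
    bytes.fromhex("2a864886f70d010701"): "data",
    bytes.fromhex("2a864886f70d010702"): "signedData",
    bytes.fromhex("2a864886f70d010703"): "envelopedData",
}

def extract_message(body: str) -> bytes:
    """Return the raw bytes carried in the message= parameter."""
    for pair in body.strip().split("&"):
        name, _, value = pair.partition("=")
        if name == "message":
            # unquote(), not unquote_plus(): '+' is base64 data, not a space.
            b64 = "".join(unquote(value).split())  # also undoes line wrapping
            return base64.b64decode(b64, validate=True)
    raise ValueError("no message= parameter in request body")

def read_header(buf: bytes, pos: int):
    """Return (tag, length, content offset); length is None if indefinite."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        return tag, None, pos
    if first < 0x80:
        return tag, first, pos
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def describe(raw: bytes) -> dict:
    """Summarise the outer PKCS#7 ContentInfo of a decoded SCEP message."""
    tag, length, pos = read_header(raw, 0)
    if tag != 0x30:
        raise ValueError("outer element is not an ASN.1 SEQUENCE")
    oid_tag, oid_len, oid_pos = read_header(raw, pos)
    if oid_tag != 0x06 or oid_len is None:
        raise ValueError("ContentInfo does not start with an OID")
    oid = raw[oid_pos:oid_pos + oid_len]
    return {"content_type": PKCS7_TYPES.get(oid, oid.hex()),
            "length_form": "indefinite" if length is None else "definite",
            "size": len(raw)}

# Constructed sample, not the request from the post: an empty signedData
# ContentInfo using indefinite lengths, wrapped like a SCEP POST body.
SAMPLE_RAW = bytes.fromhex("3080" "06092a864886f70d010702" "a080" "0000" "0000")
SAMPLE_BODY = ("operation=PKIOperation&message="
               + quote(base64.b64encode(SAMPLE_RAW).decode(), safe=""))
```

Calling describe(extract_message(body)) on a captured request body shows which PKCS#7 type the client sent and how its outer length is encoded before the bytes are handed to openssl.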