Hi Nicolas, I did not decode the message but the most likely problem is that you used the wrong certificate to encrypt the PKCS7 container. OpenXPKI returns the SCEP RA Certificate which must be used as the first certificate on the "GetCA" call.
Do you have any chance to check if this is used correctly?
Oliver
On 02.05.19 at 16:02, Nicolas Merle wrote:
> Hi everyone,
>
> I am currently trying to put together a test server running OpenXPKI in
> order to manage the certificates of the company. To give a little bit of
> insight, our corporate laptops are macbooks, and we are managing them
> with a solution called JAMF that allows us to configure the use of a
> SCEP server for automatic enrollment. We would like to have automatic
> distribution of certificates to enable 802.1X with EAP-TLS on our
> network. The first step was to create a test instance of OpenXPKI and
> test the sscep server. Thanks to the help of the people on this mailing
> list, this worked fine and the SCEP server is working so I can get a
> certificate with the sscep client (shout-out to Martin for the
> solution). However when the macbook requests the certificate I get an
> error 500 from the server and OpenXPKI throws this error in the logs:
>
> 2019/05/02 16:16:42 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
> __EXIT_STATUS__ => 256
> [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
> 2019/05/02 16:16:42 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
> __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__
> => 256; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10
> [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
> 2019/05/02 16:16:42 ERROR Error executing SCEP command 'PKIOperation':
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ =>
> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
> [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
>
> The base64-encoded message that the macbook is sending to the SCEP
> server is the following:
>
> operation=PKIOperation&message=[URL-encoded base64 PKCS#7 payload removed]
>
>
> Both those commands can be used to decode it:
>
> cat request.txt | perl -pe 'use MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' | openssl asn1parse -inform DER
>
> cat request.txt | perl -pe 'use MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' | openssl pkcs7 -inform DER -print_certs -text
>
> I do not know if anybody ever tried that, could not find much info
> online about it. So not really sure how to troubleshoot it.
>
> Hope someone can help me with this. Thanks in advance to everyone :)
>
> Best,
>
> --
> Nicolas Merle
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
--
Protect your environment - close windows and adopt a penguin!
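
To check which certificate a client encrypted a request to, the recipient of the inner envelope can be read from the `message` parameter and compared with the RA certificate. This is an added example, not part of the original thread or OpenXPKI's code; the function names are made up here, and it assumes the usual SCEP layout (SignedData wrapping an EnvelopedData whose recipients are identified by issuer and serial number).

```python
import base64
from urllib.parse import unquote

def parse(buf, pos=0):
    """Parse one BER TLV (single-byte tags); return ((tag, value), next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = None                        # None means indefinite length (0x80)
    if first != 0x80:
        length = first
        if first & 0x80:                 # long form: next n bytes hold the length
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
    if not tag & 0x20:                   # primitive: value is the raw bytes
        return (tag, buf[pos:pos + length]), pos + length
    children, end = [], (None if length is None else pos + length)
    while (buf[pos:pos + 2] != b"\x00\x00") if end is None else (pos < end):
        child, pos = parse(buf, pos)
        children.append(child)
    return (tag, children), pos + (2 if end is None else 0)

def octets(node):
    """Flatten an OCTET STRING that BER encoders may split into chunks."""
    _, val = node
    return val if isinstance(val, bytes) else b"".join(octets(c) for c in val)

def strings(node):
    """Collect UTF8String/PrintableString/IA5String values below node."""
    tag, val = node
    if isinstance(val, list):
        return [s for c in val for s in strings(c)]
    return [val.decode("utf-8", "replace")] if tag in (0x0C, 0x13, 0x16) else []

def envelope_recipients(message):
    """Return [(issuer_strings, serial_hex)] for a URL-encoded SCEP message."""
    content_info, _ = parse(base64.b64decode(unquote(message)))
    signed_data = content_info[1][1][1][0]           # ContentInfo -> [0] -> SignedData
    encap = signed_data[1][2]                        # encapContentInfo
    enveloped, _ = parse(octets(encap[1][1][1][0]))  # eContent: the encrypted envelope
    env_data = enveloped[1][1][1][0]                 # ContentInfo -> [0] -> EnvelopedData
    recipient_set = next(c for c in env_data[1] if c[0] == 0x31)
    found = []
    for info in recipient_set[1]:
        rid = info[1][1]                             # follows the version INTEGER
        if rid[0] == 0x30:                           # issuerAndSerialNumber
            issuer, serial = rid[1]
            serial_hex = format(int.from_bytes(serial[1], "big"), "X")
            found.append((strings(issuer), serial_hex))
    return found
```

The returned issuer and serial can be compared with the output of `openssl x509 -noout -issuer -serial` run on the RA certificate; a mismatch means the request was encrypted to a different certificate.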
