Hi Oliver,
As I am not sure which certificate the SCEP client on the MacBook is choosing
to encrypt with, and the certificate is verified by means of a fingerprint, I
would like to make sure that GetCA only returns the SCEP RA certificate, so I
modified scep-server-1.yaml to get this:
getca:
  ra: endentity
  issuer: endentity
I rebooted the machine, but when I run the GetCA command, I still end up with 3
certificates.
Any idea how I can fix this?
Btw here are the configuration options I have on the MacBook side: [screenshot]
Thanks again for the help!
Best,
Nicolas Merle
ICS Security Consultant
Office: +31 (0) 20 833 4020
Mobile: +31 (0) 64 303 2384
Teleportboulevard 110
1043 EJ Amsterdam
http://www.applied-risk.com
Industrial Automation Security and Beyond
This e-mail and any attachments thereto may contain confidential information
and/or information protected by intellectual property rights for the exclusive
attention of the intended addressees named above. If you have received this
transmission in error, please immediately notify the sender by return e-mail
and delete this message and its attachments. Unauthorized use, copying or
further full or partial distribution of this e-mail or its contents is
prohibited.
On 5/2/19 6:31 PM, Oliver Welter wrote:
Hi Nicolas,
I did not decode the message but the most likely problem is that you
used the wrong certificate to encrypt the PKCS7 container. OpenXPKI
returns the SCEP RA Certificate, which must be used as the first certificate
on the "GetCA" call.
Do you have any chance to check if this is used correctly?
Oliver
On 02.05.19 at 16:02, Nicolas Merle wrote:
Hi everyone,
I am currently trying to put together a test server running OpenXPKI in
order to manage the certificates of the company. To give a little bit of
insight, our corporate laptops are MacBooks, and we are managing them
with a solution called JAMF that allows us to configure the use of a
SCEP server for automatic enrollment. We would like to have automatic
distribution of certificates to enable 802.1X with EAP-TLS on our
network. The first step was to create a test instance of OpenXPKI and
test the sscep server. Thanks to the help of the people on this mailing
list, this worked fine and the SCEP server is working, so I can get a
certificate with the sscep client (shout-out to Martin for the
solution). However, when the MacBook requests the certificate, I get an
error 500 from the server and OpenXPKI throws this error in the logs:
2019/05/02 16:16:42 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
__EXIT_STATUS__ => 256
[pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
2019/05/02 16:16:42 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__
=> 256; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10
[pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
2019/05/02 16:16:42 ERROR Error executing SCEP command 'PKIOperation':
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
[pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
The base64-encoded message that the MacBook is sending to the SCEP
server is the following:
Both of these commands can be used to decode it:

cat request.txt | perl -pe 'use MIME::Base64; s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig; $_=MIME::Base64::decode($_);' | openssl asn1parse -inform DER

cat request.txt | perl -pe 'use MIME::Base64; s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig; $_=MIME::Base64::decode($_);' | openssl pkcs7 -inform DER -print_certs -text
I do not know if anybody has ever tried that; I could not find much info
online about it, so I am not really sure how to troubleshoot it.
Hope someone can help me with this. Thanks in advance to everyone :)
Best,
--
Nicolas Merle
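Oliver's question is whether the MacBook really encrypts to the RA certificate. The script below is an added example, not part of this thread or of OpenXPKI: it rebuilds a PKIOperation POST body offline and then shows how an operator with the server-side keys can tell which of the GetCA certificates actually opens the envelope. All keys, certificates and the request body are constructed test material; the only assumption is an installed openssl (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenXPKI: rebuild a PKIOperation POST body
# offline and check which GetCA certificate the client encrypted the envelope to.
# Needs openssl (1.1.1 or 3.x); every key and certificate below is constructed test data.
set -e
work=$(mktemp -d)
cd "$work"
# Stand-ins for the two certificates GetCA can return (RA and issuer) and for the
# client's self-signed SCEP signer certificate.
for name in ra issuer client; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-$name" \
    -keyout "$name.key" -out "$name.crt" >/dev/null 2>&1
done
# A PKIOperation is SignedData whose content is EnvelopedData (pkcsPKIEnvelope).
# This client does the right thing and encrypts to the RA certificate.
printf 'constructed stand-in for the PKCS#10 request' > csr.bin
openssl cms -encrypt -aes128 -binary -in csr.bin -outform DER -out env.der ra.crt
openssl cms -sign -binary -nodetach -in env.der -signer client.crt -inkey client.key \
  -outform DER -out msg.der
# Form body as the device posts it: base64 with '+', '/' and '=' percent-encoded.
body="operation=PKIOperation&message=$(openssl base64 -A -in msg.der |
  sed 's,+,%2B,g; s,/,%2F,g; s,=,%3D,g')"

# decode_body BODY OUT: drop the form prefix, undo percent-encoding, base64-decode.
decode_body() {
  printf '%s' "$1" | sed 's/^.*message=//; s/%2B/+/g; s,%2F,/,g; s/%3D/=/g' |
    openssl base64 -d -A -out "$2"
}

# envelope_of MSG OUT: peel off the outer SignedData (the signer cert travels inside it,
# so no trust check here) and write the inner EnvelopedData.
envelope_of() {
  openssl cms -verify -noverify -binary -inform DER -in "$1" -out "$2" 2>/dev/null
}

# encrypted_to ENV NAME...: print the candidate whose key opens the envelope. This is the
# step OpenXPKI's get_pkcs10 performs with the RA key; a mismatch makes that step fail.
encrypted_to() {
  envf="$1"; shift
  for n in "$@"; do
    if openssl cms -decrypt -inform DER -in "$envf" -recip "$n.crt" -inkey "$n.key" \
         -out /dev/null 2>/dev/null; then
      echo "$n"; return 0
    fi
  done
  echo none
}

decode_body "$body" posted.der
envelope_of posted.der inner.der
echo "client encrypted to: $(encrypted_to inner.der ra issuer)"
```

On a real server the same three functions can be pointed at the posted body from the web server log and at the RA and issuer key pairs OpenXPKI holds; if only the issuer key opens the envelope, the client picked the wrong GetCA certificate.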
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users