Hi Nicolas,

the SCEP server is under rework and the docs miss some of the new features :(

The chain is cached in the database - have a look at the "datapool" table for items with namespace 'scep.cache.getca' and delete them.

Oliver

On 03.05.19 at 12:47, Nicolas Merle wrote:
> Hi Oliver,
>
> As I am not sure which certificate the SCEP client on the MacBook is
> choosing to encrypt with, and the certificate is verified thanks to a
> fingerprint, I would like to make sure that GetCA only returns the SCEP
> RA certificate, so I modified scep-server-1.yaml to get this:
>
>     getca:
>         ra: endentity
>         issuer: endentity
>
> I rebooted the machine, but when I run the GetCA command, I still end up
> with 3 certificates.
>
> Any idea how I can fix this?
>
> Btw, here are the configuration options I have on the MacBook side:
>
> Thanks again for the help!
>
> Best,
>
> Nicolas Merle
> ICS Security Consultant
> Office: +31 (0) 20 833 4020
> Mobile: +31 (0) 64 303 2384
> Teleportboulevard 110
> 1043 EJ Amsterdam
> http://www.applied-risk.com
> Industrial Automation Security and Beyond
>
> This e-mail and any attachments thereto may contain confidential
> information and/or information protected by intellectual property rights
> for the exclusive attention of the intended addressees named above. If
> you have received this transmission in error, please immediately notify
> the sender by return e-mail and delete this message and its attachments.
> Unauthorized use, copying or further full or partial distribution of
> this e-mail or its contents is prohibited.
>
> On 5/2/19 6:31 PM, Oliver Welter wrote:
>> Hi Nicolas,
>>
>> I did not decode the message but the most likely problem is that you
>> used the wrong certificate to encrypt the PKCS7 container. OpenXPKI
>> returns the SCEP RA certificate which must be used as the first
>> certificate on the "GetCA" call.
>>
>> Do you have any chance to check if this is used correctly?
>>
>> Oliver
>>
>> On 02.05.19 at 16:02, Nicolas Merle wrote:
>>> Hi everyone,
>>>
>>> I am currently trying to put together a test server running OpenXPKI in
>>> order to manage the certificates of the company. To give a little bit of
>>> insight, our corporate laptops are MacBooks, and we are managing them
>>> with a solution called JAMF that allows us to configure the use of a
>>> SCEP server for automatic enrollment. We would like to have automatic
>>> distribution of certificates to enable 802.1X with EAP-TLS on our
>>> network. The first step was to create a test instance of OpenXPKI and
>>> test the sscep server. Thanks to the help of the people on this mailing
>>> list, this worked fine and the SCEP server is working, so I can get a
>>> certificate with the sscep client (shout-out to Martin for the
>>> solution). However, when the MacBook requests the certificate I get an
>>> error 500 from the server and OpenXPKI throws this error in the logs:
>>>
>>> 2019/05/02 16:16:42 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
>>> 2019/05/02 16:16:42 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
>>> 2019/05/02 16:16:42 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_pkcs10; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=25158|sid=dEVG|sceptid=D54F4B0D438ACA46CC416CCAD7455738F418E3FC]
>>>
>>> The base64-encoded message that the MacBook is sending to the SCEP
>>> server is the following:
>>>
operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwGggCSABIIFOjCABgkqhkiG9w0BBwOggDCAAgEAMYICTTCCAkkCAQAwMTAkMSIwIAYDVQQDDBlPcGVuWFBLSSBDQS1PbmUgUm9vdCBDQSAxAgkAzRuwJn9GOjYwDQYJKoZIhvcNAQEBBQAEggIAI8Mu%2FxAIT4Twepuz5GL0A0Qr4JTWr5S%2BQ4RfgAGdUqPF1tsJshET1zY65F985UTuRI27RV2eV5z5nFkd7wbNrXwcLG3%2F20Wn%2BYCrF56u3CkL8FwxGdi8dKucwQfQLL4Kxzp95rdCiJ4d2z4qYqKRW6HN5uvB%2F7igNPWD17FA%2BT6iqy57VLAanyQnfgLatNeAHxXjJZA7EExe9eEZ4MikLKOdgWD0RDPqLEaquJRK%2BQ26uYBnkos81mvi3AbSibx3lECoeiN09QFLWTbHfflrHCfjSvDx9rrjQ2WMTWu6Mi%2F8FfRdIdzdFAFketDJ%2FgoPLzhOnmIQcmt2Dl73lJLgNtJnkz5psdhAMj8VuGk35Fy%2FhSYZBKMF1Dt8ld7Gt%2BrHooMhHcxdY3fn%2FjDJl7DU8BNMuAlSYwb4w6tvmZGeWy1z1XLiRG9wgbcBJVVxW3JUqt87rdP6XYoVsyTm6pxh7aUnet3WoOqGhJLO82xpbE1SnQMQIizB5IxnX6WqWTo4hbmoiJm8P%2Bny%2FVVseCi3f1P7xhC3D4lUcBKTrk%2FXqGPI8GdEBV8uVlFkfjAxOksynF6vEY1jXqlFCAWkCNZU0R7k2ejApEPYYcaw7xmhkI6kj%2BEBov%2B%2BcT1aApfZ99muX8JqSJNwcOvJmobbe27Wkf3muKXvjmclXjpH4wjxAHgwgAYJKoZIhvcNAQcBMBQGCCqGSIb3DQMHBAjkDlQnwAtiM6CABIICmFvt0s2onPQQmvVTh2I4w1r8Ntl5avtCwTx50yHhJpyyfEGPINfmFocBUqWR40ojipJA05PJV8sZPYEJlBPzY%2BGNRe2rTEDeYPEawyf0Raa2CkbRVku7i2nZRkJdsAR9ZzCwXYiwc0vKwk5XYOeR%2FlB%2BEWwHiGtOsgS3uOe2LDDYDu%2FXOlR3TeaFrCShl2Pg7kvHErbymNfaIq6UExdPZhiZl9ODJWO5ZONbAlLWrjur3Ycu0M847%2BoJfr72Rv%2FpdVAiF%2Bw5WhB8HnlS63wLE0PJhbZ9jx13k0ww9Aj0XmlA0Ixx0Gy7ChbhD8p9dsUfOwzp7H9ae%2BSHKzqfvtxiQQ39ExYfOTKol9xC50rgqzTRPi6SpLwrs4%2FyIQDl5kUMFg9vlgvowJfR%2BUEHInMbYezo8LSWDM2DRsjB312zz0Cflckfe7D12X5s3GgvEcfhoWGqebQTlv8oaZbUDUEjv28F%2BH6Dh%2BZevJNjTrVdR8dOyGBd2Ft4dxqCNWwE4m4SWF67qQiaIbXQenG136Zsxp6Yz70Zk6y323zDimFnc1ZFXSAqlVdX2Ru5RRYufwkEwr5nRr1%2BRtRAkXxD9j1CL5gLuSo0v%2BjDm5MTCdz7aLyeH6RUAMwTcK6%2BOFs94nBWNwLG9AGaf%2FkSLZV83zTxlbYJFMWTqJyPyN4ikCyqZ4Nu0EGngjCc1Anetp5r%2B3wH4pZEzdN832jQN%2FJoCWXzZoKku2a7uOJNw5YZdl8uNsijq1Yt7TENT4H9VjqOMDM0ZjERkhIoQrGGeDID2ycFcLjpJ8JivPEQIVfGL20nm5WIBQRVXSkA1pDL0KGQRtchd1c7RsoeSPDkiT2KAdgk5Jq5jFzRuULgpk%2BObPI8tFdvFime5U5dGyUECJytLBenLwaWAAAAAAAAAAAAAAAAAAAAAKCCA0EwggM9MIICJaADAgECAgE
BMA0GCSqGSIb3DQEBCwUAMEwxPTA7BgNVBAMMNE1ETSBTQ0VQIFNJR05FUiAyQkYwOTcyNC1FMjgzLTRCRTgtOERFNS0wMjA2NzE4QTQ4MTIxCzAJBgNVBAYTAk5MMB4XDTE5MDUwMjEzNTk1OVoXDTIwMDUwMTEzNTk1OVowTDE9MDsGA1UEAww0TURNIFNDRVAgU0lHTkVSIDJCRjA5NzI0LUUyODMtNEJFOC04REU1LTAyMDY3MThBNDgxMjELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQcQ1YpNJwie61YkYSwRXEeSza%2Fn5PRggV%2FhtaoSmrh03B1%2BkvDVyh6FxzhaVdA23ZhBUk5WtF2CrgHrOj0twZOkQteP31A885pY0%2FkLZTVKS6F%2BgiTP8beoTqGwJiELHd3RNyVJ%2BbU4Saxgwm%2FQ8U%2Fbsb792v0Gw406YR63B3wYDKhJBJkxctzJTXHkHQRhYHr%2FOIR59dIpFVJIlt2s7naHg5g5U38a%2BBI5FTvaolPBcjGHIxGbp1NyxfbupzCmqE4OATrG9YgZLEjWks9BdgTFfBEbbgP6hkP8ydRVooyC2aqBABiWaNdmknZQ5jik8r0pu8JXGF4ehJB1HPxsvVAgMBAAGjKjAoMA4GA1UdDwEB%2FwQEAwIFoDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAkHMKWupXRGiEOqvK55TZWgojhMe1ERuEzSrCWo5aeEUWEMH99G1wFg1ZVug%2FGMucP08og5tO2%2B1KOS8R1uKS5MCm%2BuPzlA2RBbZyfVeP%2FL0Ds2%2B7Os3CwszV6Iem2r25LvxkftKkI37H%2BWdv%2FQQYVI0tQYWK%2FPo%2BLtMKI7YyvWUE%2BN2%2BNXcfUgNk2sV4u80JOC05qk91PVGGmFidB8987px%2BsW3qM%2B9ceksmSD2D752t6pR0Fi42fH4I7AOhjnEHvfxANDZjvqAq0cZa4BgQTUXWrplDzM2V6SImv7%2BkrujzWtsvZ79TXmczuULSx6LZ9ncF5kMFd6twSg1jLdDCRDGCApEwggKNAgEBMFEwTDE9MDsGA1UEAww0TURNIFNDRVAgU0lHTkVSIDJCRjA5NzI0LUUyODMtNEJFOC04REU1LTAyMDY3MThBNDgxMjELMAkGA1UEBhMCTkwCAQEwDQYJYIZIAWUDBAIDBQCgggERMBIGCmCGSAGG%2BEUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAYBgpghkgBhvhFAQkFMQoECJ6XWkjcxLJIMBwGCSqGSIb3DQEJBTEPFw0xOTA1MDIxMzU5NTlaMB4GCSqGSIb3DQEJBzEREw9TZWNyZXRDaGFsbGVuZ2UwOAYKYIZIAYb4RQEJBzEqEyg5NDQ1MjRCRTNGNjQ2QTIwQzM5ODlGODU1QUEwNkM4NjdDOEJBMTUyME8GCSqGSIb3DQEJBDFCBEALOjR0s1FTbW5ru2xG%2BhRP6%2Bn0krtOyHWtkdvhLpTc%2FhebL1Y0jD7Ke%2FCqfeETf2FHV3gdY8KAfiiYa9vBjCbBMA0GCSqGSIb3DQEBAQUABIIBAFNOYk4ZKaHxV32q8uUboxQCxxhFtrmlwfQUMdGf%2Bp%2BQFGnGargqLI6F%2FlyTx72wKyxMomxx9Gaa4WaKIdC5nPNewrvz3MXYfPmS5nc%2F4ONBZhGQLaY3EhMSzX%2F9zKc5yz0yyNp8ggqx4%2B8cWCS4WdfO5U0xfVkHGX8NIRyyIXO1A7cLiuTDa77jSFNu9wdER6lw0IGlduH55L3nlcegH3%2FHedNqlX68VsZcADLUgiGvFaBQniXmPZdRlEC052dPaSQmZEvbrC8Mwza6os1pYorLPGWzgj4gitgzUj6I0
B64iLeIRxEKCDLC1x%2BKfO4LP6ye1a6EMsQyWvvwB8GpkVIAAAAAAAA%3D
>>>
>>> Both of these commands can be used to decode it:
>>>
>>> cat request.txt | perl -pe 'use MIME::Base64; s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig; $_=MIME::Base64::decode($_);' | openssl asn1parse -inform DER
>>>
>>> cat request.txt | perl -pe 'use MIME::Base64; s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig; $_=MIME::Base64::decode($_);' | openssl pkcs7 -inform DER -print_certs -text
>>>
>>> I do not know if anybody ever tried that; I could not find much info
>>> online about it, so I am not really sure how to troubleshoot it.
>>>
>>> Hope someone can help me with this. Thanks in advance to everyone :)
>>>
>>> Best,
>>>
>>> --
>>> Nicolas Merle
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
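The check Oliver asks for in the thread (which certificate did the MacBook encrypt the PKCS#7 envelope to?) can be answered directly from the request: the EnvelopedData inside the SignedData names its recipient by issuer DN and serial number. The following is an added example, not code from the thread or from OpenXPKI: a stdlib-only Python decoder that takes the `operation=PKIOperation&message=...` query string, walks the BER (including the indefinite-length `30 80 ... 00 00` encoding the quoted request uses and the constructed OCTET STRING that carries the inner envelope), and returns the recipient's issuer and serial. The sample request it builds is constructed here, with the hypothetical recipient `CN=Example SCEP RA` and serial `1F2E3D`; it is not Nicolas's message. To run it against the real request, pass the captured query string to `decode_scep_message` instead of `build_sample_request`.

```python
"""Decode a SCEP PKIOperation body and report which certificate the client encrypted
the pkcsPKIEnvelope to. Stdlib only; copes with BER indefinite lengths (30 80 .. 00 00)."""
import base64
from urllib.parse import parse_qs, quote

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def decode_scep_message(body):  # 'operation=PKIOperation&message=<url-encoded base64>' -> CMS bytes
    params = parse_qs(body, strict_parsing=True)
    if params.get("operation") != ["PKIOperation"]:
        raise ValueError("not a PKIOperation request")
    # parse_qs undoes %2B/%2F; a client that sends '+' unescaped arrives here as ' '
    return base64.b64decode(params["message"][0].replace(" ", "+"))

def ber_parse(buf, pos=0):  # one BER TLV at pos -> ((tag, bytes | children), next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80 and length != 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = None if length == 0x80 else pos + length  # None: indefinite, runs until 00 00
    if end is not None and end > len(buf):
        raise ValueError("truncated BER")
    if end is not None and not tag & 0x20:  # primitive: hand back the raw bytes
        return (tag, buf[pos:end]), end
    children = []
    while (buf[pos:pos + 2] != b"\x00\x00") if end is None else (pos < end):
        child, pos = ber_parse(buf, pos)
        children.append(child)
    return (tag, children), (pos + 2 if end is None else end)

def iter_nodes(node):
    """Depth-first walk, descending into OCTET STRINGs (SignedData nests the envelope there)."""
    tag, val = node
    yield node
    if tag == 0x24:  # constructed OCTET STRING: join the segments, then parse the payload
        yield from iter_nodes(ber_parse(b"".join(seg for _, seg in val))[0])
    elif isinstance(val, list):
        for child in val:
            yield from iter_nodes(child)
    elif tag == 0x04 and val[:1] == b"\x30":  # primitive eContent (definite-length encoders)
        try:
            yield from iter_nodes(ber_parse(val)[0])
        except (ValueError, IndexError):
            pass  # opaque octets that merely start with 0x30

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def name_to_str(name_node):  # X.501 Name -> 'CN=...,O=...'; values read as UTF-8
    parts = []
    for _, rdn in name_node[1]:  # SEQUENCE OF RDN; each RDN a SET of (type OID, value)
        for _, (typ, value) in rdn:
            o = decode_oid(typ[1])
            parts.append(f"{OID_NAMES.get(o, o)}={value[1].decode('utf-8', 'replace')}")
    return ",".join(parts)

def recipient_of(ber):
    """(issuer DN, serial hex) of the first RecipientInfo: the cert the client encrypted to."""
    for tag, val in iter_nodes(ber_parse(ber)[0]):
        if (tag == 0x30 and isinstance(val, list) and len(val) == 2 and val[0][0] == 0x06
                and decode_oid(val[0][1]) == OID_ENVELOPED_DATA):
            enveloped = val[1][1][0]      # ContentInfo.content [0] -> EnvelopedData
            ktri = enveloped[1][1][1][0]  # recipientInfos SET -> first KeyTransRecipientInfo
            ias = ktri[1][1]              # rid; SCEP requires IssuerAndSerialNumber here
            if ias[0] != 0x30:
                raise ValueError("recipient not identified by issuerAndSerialNumber")
            return name_to_str(ias[1][0]), ias[1][1][1].hex().upper()
    raise ValueError("no EnvelopedData in message")

def tlv(tag, body, indefinite=False):  # minimal encoder, only for the constructed sample
    if indefinite:  # BER indefinite-length form, as the request quoted in the thread uses
        return bytes([tag, 0x80]) + body + b"\x00\x00"
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + body

OIDS = {"data": "2A864886F70D010701", "signedData": "2A864886F70D010702",  # DER OID bodies
        "envelopedData": "2A864886F70D010703", "rsaEncryption": "2A864886F70D010101",
        "des-ede3-cbc": "2A864886F70D0307", "CN": "550403"}
def oid(name):
    return tlv(0x06, bytes.fromhex(OIDS[name]))

def build_sample_request():
    """Constructed PKIOperation body (not the thread's request), addressed to the hypothetical
    recipient 'CN=Example SCEP RA', serial 0x1F2E3D; key and ciphertext bytes are dummies."""
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("CN") + tlv(0x0C, b"Example SCEP RA"))))
    ktri = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, issuer + tlv(0x02, bytes.fromhex("1F2E3D")))
               + tlv(0x30, oid("rsaEncryption") + tlv(0x05, b"")) + tlv(0x04, b"\xAA" * 16))
    eci = tlv(0x30, oid("data") + tlv(0x30, oid("des-ede3-cbc") + tlv(0x04, b"\x00" * 8))
              + tlv(0x80, b"\xBB" * 8))  # EncryptedContentInfo with [0] IMPLICIT ciphertext
    envelope = tlv(0x30, oid("envelopedData") + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00")
                   + tlv(0x31, ktri) + eci, True), True), True)
    encap = tlv(0x30, oid("data") + tlv(0xA0, tlv(0x24, tlv(0x04, envelope), True), True), True)
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + encap, True)  # certs/signers omitted
    msg = tlv(0x30, oid("signedData") + tlv(0xA0, signed, True), True)
    return "operation=PKIOperation&message=" + quote(base64.b64encode(msg).decode(), safe="")
```

Compare the issuer and serial this prints with `openssl x509 -in <ra-cert> -noout -issuer -serial` for the RA certificate returned by GetCA. If they instead match the issuing or root CA certificate in the chain, the client picked the wrong entry from the GetCA response, which is the failure mode Oliver describes; the OpenXPKI side then cannot unwrap the envelope and the PKIOperation fails.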
