Thanks gents!
I'm finding some interesting things on different platforms.

Summary: macOS 11 reports a security error after it retrieves the SCEP and
CA certs. iOS 14 simply fails. iOS 15 is a little more descriptive: "The
Registration Authority’s response is invalid". macOS 12 fails with the
same error as macOS 11.

OpenXPKI SCEP log:
2021/06/18 10:51:04 DEB Config for service scep loaded [pid=30304]
2021/06/18 10:51:04 INF SCEP handler initialized [pid=30304]
2021/06/18 10:51:04 INF Incoming request from 10.15.1.153 with GetCACaps [pid=30304]
2021/06/18 10:51:04 DEB Response send [pid=30304]
2021/06/18 10:51:05 DEB Config for service scep loaded [pid=30306]
2021/06/18 10:51:05 INF SCEP handler initialized [pid=30306]
2021/06/18 10:51:05 INF Incoming request from 10.15.1.153 with GetCACert [pid=30306]
2021/06/18 10:51:05 DEB Response send [pid=30306]


macOS:
default 10:37:47.912045-0600 CertificateService [1366478549:Cert_PI:HTTPUtil:<0x66d303>] >>>>> Sending HTTP request (GET) [SCEP:GetCACert] >>>>>
default 10:37:48.661191-0600 CertificateService [1366478549:Cert_PI:HTTPUtil:<0x66d303>] <<<<< Received HTTP response (200) [SCEP:GetCACert] <<<<<
default 10:37:48.661886-0600 CertificateService ProcessGetCACertResponse: Content-Type: 'application/x-x509-ca-ra-cert'
default 10:37:48.661978-0600 CertificateService ProcessGetCACertResponse: application/x-x509-ca-ra-cert; err = errSecCertificateCannotOperate
default 10:37:48.662168-0600 CertificateService ProcessGetCACertResponse: CFArrayGetCount(returnedCerts) > 1
default 10:37:48.662254-0600 CertificateService SortAndSetCACertificates: (CFArrayGetCount(returnedCerts) = 3
default 10:37:48.662409-0600 CertificateService SortAndSetCACertificates: use heuristics to determine which is which, namely find the encryption and signature certificates
default 10:37:48.662482-0600 CertificateService SortAndSetCACertificates: certs[0]
default 10:37:48.666002-0600 CertificateService SortAndSetCACertificates: certs[1]
default 10:37:48.666450-0600 CertificateService SortAndSetCACertificates: certs[2]
error 10:37:48.666852-0600 CertificateService ProcessGetCACertResponse: session->caCert == NULL
error 10:37:48.667010-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll] Calling SCEPGetCACert.  CA Ident: CA One -->  <NSOSStatusErrorDomain:-67817>
error 10:37:48.820130-0600 com.apple.preferences.configurationprofiles.remoteservice [ERROR] Profile installation (scep test (andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2:361796F2-11EC-41D8-8F2C-E9648FE4EF1E)) ( <NSOSStatusErrorDomain:-67817>)
default 10:37:49.443017-0600 AssetCache Notification user info: {
    ProfileAction = Remove;
    ProfileTypes =     (
        "com.apple.security.scep"
    );
    ProfileUUID = "361796F2-11EC-41D8-8F2C-E9648FE4EF1E";
    ProfileUserUID = 1366478549;
    ProfileUsername = ndawson;
}
default 10:49:53.207134-0600 Finder Trying to issue sandbox extension for /Users/ndawson/Library/Mobile Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
default 10:49:53.207235-0600 Finder Successfully issued sandbox extension for /Users/ndawson/Library/Mobile Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig



iOS:

error 10:31:21.622518-0600 profiled Cannot retrieve SCEP identity: NSError:
Desc   : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code   : 22003
Type   : MCFatalError
error 10:31:21.622745-0600 profiled Installation of profile “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed with error: NSError:
Desc   : The profile “scep test” could not be installed.
Sugg   : The Registration Authority’s response is invalid.
US Desc: The profile “scep test” could not be installed.
US Sugg: The Registration Authority’s response is invalid.
Domain : MCProfileErrorDomain
Code   : 1009
Type   : MCFatalError
Params : (
    "scep test"
)
...Underlying error:
NSError:
Desc   : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code   : 22003
Type   : MCFatalError
Extra info:
{
    isPrimary = 1;
}
error 10:31:21.623296-0600 profiled Profile “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed to install with error: NSError:
Desc   : Profile Failed to Install
Sugg   : The Registration Authority’s response is invalid.
US Desc: Profile Failed to Install
US Sugg: The Registration Authority’s response is invalid.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
...Underlying error:
NSError:
Desc   : The profile “scep test” could not be installed.
Sugg   : The Registration Authority’s response is invalid.
US Desc: The profile “scep test” could not be installed.
US Sugg: The Registration Authority’s response is invalid.
Domain : MCProfileErrorDomain
Code   : 1009
Type   : MCFatalError
Params : (
    "scep test"
)
...Underlying error:
NSError:
Desc   : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code   : 22003
Type   : MCFatalError
Extra info:
{
    isPrimary = 1;
}
error 10:31:21.667570-0600 profiled Installation failed. Error: NSError:
Desc   : Profile Installation Failed
Sugg   : The Registration Authority’s response is invalid.
US Desc: Profile Installation Failed
US Sugg: The Registration Authority’s response is invalid.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
...Underlying error:
NSError:
Desc   : Profile Failed to Install
Sugg   : The Registration Authority’s response is invalid.
US Desc: Profile Failed to Install
US Sugg: The Registration Authority’s response is invalid.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
...Underlying error:
NSError:
Desc   : The profile “scep test” could not be installed.
Sugg   : The Registration Authority’s response is invalid.
US Desc: The profile “scep test” could not be installed.
US Sugg: The Registration Authority’s response is invalid.
Domain : MCProfileErrorDomain
Code   : 1009
Type   : MCFatalError
Params : (
    "scep test"
)
...Underlying error:
NSError:
Desc   : The Registration Authority’s response




On Fri, Jun 18, 2021 at 12:46 AM, Michal Moravec <
michal.mora...@logicworks.cz> wrote:

> Hey Nick,
>
> do you have this problem with iOS or macOS?
>
> I spent a lot of time this year trying to use SCEP directly between Apple
> systems and OpenXPKI.
>
> There are bugs in macOS 11 and earlier preventing this.
> Apple fixed all of the bugs I reported in macOS 12. I’ve tested with first
> beta and can confirm.
>
> I was unable to persuade iOS SCEP client to accept CA certificates from
> OpenXPKI.
> SCEP client bailed out before even trying to request the certificate.
> Apple also stated they fixed this problem but currently I don’t have an iOS
> device to run beta iOS so I can’t test.
>
> Michal Moravec
> Sent from my iPhone
>
> On 17. 6. 2021, at 23:50, Nick Dawson <nd+openx...@nickdawson.net> wrote:
>
> 
> hey OpenXPKI friends,
> I've been struggling with SCEP and could use some help. I have SCEP set up
> using the default config. When I use sscep I can get the capabilities and
> get the CA certs. sscep downloads 3 certs (the scep cert, the CA cert, and
> the root cert).  I have fullchain set in the config so that seems correct.
>
> On Apple devices, I'm attempting to install a profile. On OpenXPKI, the
> logs show the apple devices trying to get the CA. The server sends the
> certs. And then the apple devices fail.
>
> Specifically, apple devices return:  errSecCertificateCannotOperate
> (which is error: -67817).
>
> I've tried capturing the exact url queries from the webserver's access
> logs. When I paste them into a browser, it downloads a file called
> "untitled". When I examine untitled with OpenSSL, I can see that it is a
> pkcs7 bundle of the three certs.
>
> Could it be as simple as needing a better filename like untitled.p7? And,
> if so, where would I set that in OpenXPKI's config files? I didn't see
> anything in scep or enrollment files.
>
> Or, might this be a different issue? Does anyone have experience with
> Apple devices and OpenXPKI's SCEP implementation? Any tips or tricks?
>
> thanks!
>
>
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
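The original post above examines the GetCACert response with OpenSSL by hand, and the macOS log shows the client trying to pick the RA encryption and signature certificates out of the three-cert bundle by "heuristics" before giving up with caCert == NULL. The script below is an added example (not from this thread and not OpenXPKI's own code) that automates that inspection: it unpacks the degenerate PKCS#7 bundle that a SCEP GetCACert returns (Content-Type application/x-x509-ca-ra-cert, per RFC 8894) and labels each certificate from its basicConstraints and keyUsage, so you can see whether the bundle actually contains a non-CA cert with digitalSignature and one with keyEncipherment (or a single RA cert with both) for a client to find. The role labels are this script's own classification, not Apple's documented algorithm; the SCEP URL in the usage comment is a placeholder, and openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the thread or OpenXPKI): inspect a SCEP GetCACert
# response and classify the certificates it carries.
# Assumes: openssl in PATH; the input is the raw response body, DER PKCS#7
# (PEM also accepted); pki.example.net below is a placeholder host.

# scep_cacert_split FILE OUTDIR
#   Unpacks the certificates-only PKCS#7 into OUTDIR/cert-1.pem, cert-2.pem, ...
#   and prints how many certificates were found.
scep_cacert_split() {
    file="$1"; outdir="$2"
    mkdir -p "$outdir"
    # SCEP servers send DER; fall back to PEM for a hand-converted file.
    openssl pkcs7 -inform DER -in "$file" -print_certs -out "$outdir/all.pem" 2>/dev/null \
        || openssl pkcs7 -inform PEM -in "$file" -print_certs -out "$outdir/all.pem"
    # -print_certs writes subject=/issuer= lines plus PEM blocks; keep only the
    # PEM blocks, one file per certificate.
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$outdir/all.pem"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# scep_cert_role PEMFILE
#   Prints one of: ca | ra-signature | ra-encryption | ra-signature+encryption | unknown
#   "unknown" means the cert is not a CA and carries no usable keyUsage, so a
#   client that selects RA certs by key usage has nothing to go on.
scep_cert_role() {
    pem="$1"
    text=$(openssl x509 -in "$pem" -noout -text)
    case "$text" in *"CA:TRUE"*) echo ca; return;; esac
    # The usage names are printed on the line after the "X509v3 Key Usage" header.
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print }')
    sig=0; enc=0
    case "$ku" in *"Digital Signature"*) sig=1;; esac
    case "$ku" in *"Key Encipherment"*) enc=1;; esac
    if [ "$sig" = 1 ] && [ "$enc" = 1 ]; then echo ra-signature+encryption
    elif [ "$sig" = 1 ]; then echo ra-signature
    elif [ "$enc" = 1 ]; then echo ra-encryption
    else echo unknown
    fi
}

# scep_cacert_report FILE
#   One line per certificate: index, role, subject.
scep_cacert_report() {
    file="$1"
    tmp=$(mktemp -d)
    n=$(scep_cacert_split "$file" "$tmp")
    i=1
    while [ "$i" -le "$n" ]; do
        pem="$tmp/cert-$i.pem"
        printf '%s\t%s\t%s\n' "$i" "$(scep_cert_role "$pem")" \
            "$(openssl x509 -in "$pem" -noout -subject)"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Usage (placeholder URL; OpenXPKI's real path depends on your config):
#   curl -sS -o cacert.p7 'https://pki.example.net/scep/scep?operation=GetCACert'
#   sh this_script.sh cacert.p7
if [ "$#" -gt 0 ]; then
    scep_cacert_report "$1"
fi
```

Run it against the file the browser saved as "untitled" from the original post: a healthy bundle for a client that selects RA certificates by key usage shows one `ca` line per CA in the chain plus RA certificate(s) covering both `ra-signature` and `ra-encryption`; if every non-CA entry comes back `unknown`, the RA certificate is missing a keyUsage extension and that, rather than the filename, is the first thing to fix in the RA certificate profile.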
