Thanks, gents. I saw that commit and have been anxious to try to see if adding the keyUsage bits will help.
Well, now I've broken it further :) TL;DR: I cannot import the new SCEP cert and key into the datastore.

    2021/06/21 15:52:51 Initialization failed - message is ERROR Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Simple.pm line 310.

I started with checking the new stuff in git and adding the following to my openssl.cnf:

    [ v3_scep_reqexts ]
    subjectKeyIdentifier = hash

    [ v3_scep_extensions ]
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, keyEncipherment
    basicConstraints = CA:FALSE
    authorityKeyIdentifier = keyid,issuer

Then I removed the existing token:

    openxpkiadm alias --realm dzsec --remove --alias scep-1

I generated a new CSR for a new SCEP cert:

    openssl req -verbose -config "openssl.cnf" -reqexts v3_scep_reqexts -batch -newkey rsa:2048 -passout pass:<long complex pass> -keyout "scep2.pem" -subj "/DC=DZsec/DC=net/CN=scep2" -out "scep.csr"
    Using configuration from openssl.cnf
    Generating a RSA private key
    ...........................................+++++
    ..............................................................................................................................................................................+++++
    writing new private key to 'scep2.pem'
    -----

I verified it is using a new subject name, but I don't see the key usage flags reflected...
    openssl req -text -noout -verify -in ./scep.csr
    verify OK
    Certificate Request:
        Data:
            Version: 1 (0x0)
            Subject: DC = DZsec, DC = net, CN = scep2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
            Attributes:
            Requested Extensions:
                X509v3 Subject Key Identifier:

I signed the CSR and generated a new cert:

    openssl ca -in scep.csr -config openssl.cnf -extensions v3_scep_extensions -keyfile "$BASE/ca-root-1.pem" -cert "$BASE/ca-root-1.crt" -out "$BASE/ca-one-scep-2.crt" -batch -passin pass:<long complex pass> -outdir ./
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    domainComponent   :IA5STRING:'DZsec'
    domainComponent   :IA5STRING:'net'
    commonName        :ASN.1 12:'scep2'
    Certificate is to be certified until Jan  7 21:52:35 2023 GMT (565 days)
    Write out database with 1 new entries
    Data Base Updated

I tried to import into OpenXPKI but it fails. I've verified file ownerships and paths.

    openxpkiadm alias --realm dzsec --token scep --file /usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-2.crt --key /usr/local/etc/openxpki/ssl/dzsec/scep2.pem
    2021/06/21 15:52:51 Initialization failed - message is ERROR Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Simple.pm line 310.

On Sun, Jun 20, 2021 at 2:11 AM, Oliver Welter <m...@oliwel.de> wrote:

> Hi Nick,
>
> Michal created a ticket https://github.com/openxpki/openxpki-config/issues/14 saying that SCEP on Apple expects the proper keyUsage bits set, which we did not on older sample configs, so might this be the problem in your setup, too?
>
> Oliver
>
> On 18.06.21 at 18:54, Nick Dawson wrote:
>
> Thanks gents!
> I'm finding some interesting things on different platforms.
>
> Summary: MacOS 11 reports a security error after it retrieves the SCEP and CA certs. iOS 14 simply fails.
> iOS 15 is a little more descriptive: "The Registration Authority’s response is invalid", and MacOS 12 fails with the same error as MacOS 11.
>
> OpenXPKI SCEP log:
> 2021/06/18 10:51:04 DEB Config for service scep loaded [pid=30304]
> 2021/06/18 10:51:04 INF SCEP handler initialized [pid=30304]
> 2021/06/18 10:51:04 INF Incoming request from 10.15.1.153 with GetCACaps [pid=30304]
> 2021/06/18 10:51:04 DEB Response send [pid=30304]
> 2021/06/18 10:51:05 DEB Config for service scep loaded [pid=30306]
> 2021/06/18 10:51:05 INF SCEP handler initialized [pid=30306]
> 2021/06/18 10:51:05 INF Incoming request from 10.15.1.153 with GetCACert [pid=30306]
> 2021/06/18 10:51:05 DEB Response send [pid=30306]
>
> MacOS:
> default 10:37:47.912045-0600 CertificateService [1366478549:Cert_PI:HTTPUtil:<0x66d303>] >>>>> Sending HTTP request (GET) [SCEP:GetCACert] >>>>>
> default 10:37:48.661191-0600 CertificateService [1366478549:Cert_PI:HTTPUtil:<0x66d303>] <<<<< Received HTTP response (200) [SCEP:GetCACert] <<<<<
> default 10:37:48.661886-0600 CertificateService ProcessGetCACertResponse: Content-Type: 'application/x-x509-ca-ra-cert'
> default 10:37:48.661978-0600 CertificateService ProcessGetCACertResponse: application/x-x509-ca-ra-cert; err = errSecCertificateCannotOperate
> default 10:37:48.662168-0600 CertificateService ProcessGetCACertResponse: CFArrayGetCount(returnedCerts) > 1
> default 10:37:48.662254-0600 CertificateService SortAndSetCACertificates: (CFArrayGetCount(returnedCerts) = 3
> default 10:37:48.662409-0600 CertificateService SortAndSetCACertificates: use heuristics to determine which is which, namely find the encryption and signature certificates
> default 10:37:48.662482-0600 CertificateService SortAndSetCACertificates: certs[0]
> default 10:37:48.666002-0600 CertificateService SortAndSetCACertificates: certs[1]
> default 10:37:48.666450-0600 CertificateService SortAndSetCACertificates: certs[2]
> error 10:37:48.666852-0600 CertificateService ProcessGetCACertResponse: session->caCert == NULL
> error 10:37:48.667010-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll] Calling SCEPGetCACert. CA Ident: CA One --> <NSOSStatusErrorDomain:-67817>
> error 10:37:48.820130-0600 com.apple.preferences.configurationprofiles.remoteservice [ERROR] Profile installation (scep test (andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2:361796F2-11EC-41D8-8F2C-E9648FE4EF1E)) ( <NSOSStatusErrorDomain:-67817>)
> default 10:37:49.443017-0600 AssetCache Notification user info: {
>     ProfileAction = Remove;
>     ProfileTypes = (
>         "com.apple.security.scep"
>     );
>     ProfileUUID = "361796F2-11EC-41D8-8F2C-E9648FE4EF1E";
>     ProfileUserUID = 1366478549;
>     ProfileUsername = ndawson;
> }
> default 10:49:53.207134-0600 Finder Trying to issue sandbox extension for /Users/ndawson/Library/Mobile Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
> default 10:49:53.207235-0600 Finder Successfully issued sandbox extension for /Users/ndawson/Library/Mobile Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
>
> iOS:
>
> error 10:31:21.622518-0600 profiled Cannot retrieve SCEP identity: NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> error 10:31:21.622745-0600 profiled Installation of profile “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed with error: NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.623296-0600 profiled Profile “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed to install with error: NSError:
> Desc : Profile Failed to Install
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.667570-0600 profiled Installation failed. Error: NSError:
> Desc : Profile Installation Failed
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Installation Failed
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : Profile Failed to Install
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response
>
> On Fri, Jun 18, 2021 at 12:46 AM, Michal Moravec <michal.moravec@logicworks.cz> wrote:
>
> Hey Nick,
>
> do you have this problem with iOS or macOS?
>
> I spent a lot of time this year trying to use SCEP directly between Apple systems and OpenXPKI.
>
> There are bugs in macOS 11 and earlier preventing this. Apple fixed all of the bugs I reported in macOS 12. I’ve tested with the first beta and can confirm.
>
> I was unable to persuade the iOS SCEP client to accept CA certificates from OpenXPKI. The SCEP client bailed out before even trying to request the certificate. Apple also stated they fixed this problem, but currently I don’t have an iOS device to run beta iOS, so I can’t test.
>
> Michal Moravec
> Sent from my iPhone
>
> On 17. 6. 2021, at 23:50, Nick Dawson <nd+openx...@nickdawson.net> wrote:
>
> hey OpenXPKI friends,
> I've been struggling with SCEP and could use some help. I have SCEP set up using the default config. When I use sscep I can get the capabilities and get the CA certs. sscep downloads 3 certs (the scep cert, the CA cert, and the root cert). I have fullchain set in the config so that seems correct.
>
> On Apple devices, I'm attempting to install a profile. On OpenXPKI, the logs show the apple devices trying to get the CA. The server sends the certs. And then the apple devices fail.
>
> Specifically, apple devices return: errSecCertificateCannotOperate (which is error: -67817).
>
> I've tried capturing the exact url queries from the webserver's access logs. When I paste them into a browser, it downloads a file called "untitled". When I examine untitled with OpenSSL, I can see that it is a pkcs7 bundle of the three certs.
> Could it be as simple as needing a better filename like untitled.p7? And, if so, where would I set that in OpenXPKI's config files? I didn't see anything in scep or enrollment files.
>
> Or might this be a different issue? Does anyone have experience with Apple devices and OpenXPKI's SCEP implementation? Any tips or tricks?
>
> thanks!
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
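As an added example (not from the thread, and not OpenXPKI's or OpenSSL's code), a stdlib-only Python check of the point Oliver's message raises: it walks a DER X.509 Extensions SEQUENCE, names the keyUsage bits it finds, and reports whether the digitalSignature + keyEncipherment pair expected on the SCEP RA certificate is present. The DER blobs, the `deadbeef` key identifier and the function names are constructed for this demonstration; `SKI_ONLY` mirrors the CSR above, whose requested extensions carried only a subjectKeyIdentifier.

```python
# Added example (not from the thread or from OpenXPKI): stdlib-only DER walk
# over an X.509 Extensions SEQUENCE that reports the keyUsage bits and checks
# for the digitalSignature + keyEncipherment pair the thread says Apple's
# SCEP client expects on the RA certificate. All DER below is hand-constructed.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER content of OID 2.5.29.15 (id-ce-keyUsage)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
SCEP_RA_REQUIRED = {"digitalSignature", "keyEncipherment"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_usage_from_extensions(ext_der):
    """Set of keyUsage names found in a DER Extensions SEQUENCE; None if absent."""
    _, seq, _ = _tlv(ext_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)   # Extension { extnID, [critical], extnValue }
        _, oid, p = _tlv(ext, 0)
        if oid != KEY_USAGE_OID:
            continue
        tag, val, p = _tlv(ext, p)
        if tag == 0x01:                # optional critical BOOLEAN precedes extnValue
            _, val, p = _tlv(ext, p)
        _, bits, _ = _tlv(val, 0)      # extnValue OCTET STRING wraps a BIT STRING
        unused, body = bits[0], bits[1:]
        nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
        return {KEY_USAGE_BITS[i] for i in range(nbits)
                if body[i // 8] & (0x80 >> (i % 8))}
    return None

def scep_ra_usage_ok(ext_der):
    """True only when both RA bits are set; a cert with no keyUsage fails too."""
    usage = key_usage_from_extensions(ext_der)
    return usage is not None and SCEP_RA_REQUIRED <= usage

# Constructed: SKI, critical keyUsage(digitalSignature, keyEncipherment), basicConstraints CA:FALSE
WITH_KEY_USAGE = bytes.fromhex("302a300d0603551d0e04060404deadbeef"
                               "300e0603551d0f0101ff0404030205a0"
                               "30090603551d1304023000")
# Constructed: only a subjectKeyIdentifier, like the CSR's requested extensions in the thread
SKI_ONLY = bytes.fromhex("300f300d0603551d0e04060404deadbeef")
```

For the issued certificate itself, `openssl x509 -noout -ext keyUsage -in ca-one-scep-2.crt` (OpenSSL 1.1.1 or later) prints the same bits without any hand parsing.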