Happy to post my mobileconfig file (below). My environment is in production…. Guess it shows my naiveté (which I'm sure is obvious, although I'm learning quite a lot here lately!) , I know posting certs is, in theory, safe (with the keys being safely held). Is there any thing I should be careful to redact from the OpenXPKI files besides secrets?
Mobileconfig: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " http://www.apple.com/DTDs/PropertyList-1.0.dtd";> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadContent</key> <dict> <key>CAFingerprint</key> <data> REDACTED </data> <key>Challenge</key> <string>REDACTED</string> <key>Key Type</key> <string>RSA</string> <key>Key Usage</key> <integer>5</integer> <key>Keysize</key> <integer>2048</integer> <key>Name</key> <string>scep4</string> #my active SCEP cert name <key>Retries</key> <integer>3</integer> <key>RetryDelay</key> <integer>10</integer> <key>Subject</key> <array> <array> <array> #THIS AREA LOOKS PROBLEMATIC, ALSO TRIED /notation <string>CN</string> <string>MyDeviceName,DC</string> </array> </array> <array> <array> <string>DZSEC,DC</string> <string>NET</string> </array> </array> </array> <key>URL</key> <string>http://scep.dzsec.net/scep/</string> </dict> <key>PayloadDescription</key> <string>Configures SCEP settings</string> <key>PayloadDisplayName</key> <string>SCEP</string> <key>PayloadIdentifier</key> <string>com.apple.security.scep.1959D1B9-6DD9-4C56-9B5F-65ED4494853D <http://com.apple.security.scep.1959d1b9-6dd9-4c56-9b5f-65ed4494853d/> </string> <key>PayloadType</key> <string>com.apple.security.scep</string> <key>PayloadUUID</key> <string>1959D1B9-6DD9-4C56-9B5F-REDACTED</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string>this is a test of the DZsec SCEP deployment</string> <key>PayloadDisplayName</key> <string>scep test</string> <key>PayloadIdentifier</key> <string>MyHostName.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2</string> <key>PayloadOrganization</key> <string>DZsec</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>F1949DEA-FF3E-4EA2-8BFC-7D3EBAA31BB2</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> On Tue, Jun 22, 2021 at 2:50 PM, Michal Moravec < michal.mora...@logicworks.cz> wrote: > Could you post you mobileconfig file, All CA certificates currently in use > and you OpenXPKI configuration? > > MM > > > On 22. 6. 2021, at 22:37, Nick Dawson <nd+openx...@nickdawson.net> wrote: > > Thanks! That helped and I learned a lot about the datapool and keys. > > update: > Success with SSCEP. It worked. Apple devices now fail with an invalid CSR > error. > > sscep: > > Apple devices: > openxpki.log > > 2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation': > I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => > OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => > message_static_functions.c:238: Not valid CSR after decrpytion > LibSCEP.xs:1197: scep_unwrap failed > 34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid > object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254: > 34370961408:error:0D08303A:asn1 encoding > routines:asn1_template_noexp_d2i:nested asn1 > error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, > Type=X509_NAME_ENTRY > 34370961408:error:0D08303A:asn1 encoding > routines:asn1_template_noexp_d2i:nested asn1 > error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615: > 34370961408:error:0D08303A:asn1 encoding > routines:asn1_template_noexp_d2i:nested asn1 > error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615: > 34370961408:error:0D08303A:asn1 encoding > routines:asn1_template_noexp_d2i:nested asn1 > error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, > Type=X509_REQ_INFO > 34370961408:error:0D08303A:asn1 encoding > routines:asn1_template_noexp_d2i:nested asn1 > error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, > Type=X509_REQ > [pid=57435|sid=aCoa] > > I captured the CSR in scep.log and decoded it: > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 1 (0x1) > Signature Algorithm: sha256WithRSAEncryption > Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, > C=US > Validity > Not Before: Jun 22 20:18:47 2021 GMT > Not After : Jun 22 20:18:47 2022 GMT > Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, > C=US > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > Truncated > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Key Usage: critical > Digital Signature, Key Encipherment > X509v3 Extended Key Usage: critical > TLS Web Client Authentication > Signature Algorithm: sha256WithRSAEncryption > Truncated > -----BEGIN CERTIFICATE----- > Truncated > -----END CERTIFICATE----- > > My rules in generic.yaml > > workflow: > type: certificate_enroll > param: > # key: name in workflow context, value: parameter from scep wrapper > # server and interface are always set, the mapping below is > # the default set that is used when no map is given > transaction_id: transaction_id > signer_cert: signer_cert > pkcs10: pkcs10 > _url_params: url_params > #_pkcs7: pkcs7 > > authorized_signer: > rule1: > # Full DN > #subject: CN=.+:pkiclient,.* > subject: .*,CN=US > rule2: > # Full DN > subject: CN=my.scep.enroller.com > <http://cn=my.scep.enroller.com/>:generic,.* > rule3: > #Attempt match on Apple CSRs > subject: CN=MDM.+.* > policy: > > allow_man_authen: 1 > allow_anon_enroll: 0 > allow_man_approv: 1 > allow_eligibility_recheck: 0 > approval_points: 0 > max_active_certs: 1 > auto_revoke_existing_certs: 1 > allow_replace: 1 > > > On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <m...@oliwel.de> wrote: > > Hi Nick, > > Am 22.06.21 um 03:08 schrieb Nick Dawson: > > If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log > looks like it can interpret the request > > Openxpki.log: > > ERROR Error executing SCEP command 'PKIOperation': > I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => > OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => > 34370961408:error:0B080074:x509 certificate > routines:X509_check_private_key:key values > mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297: > 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does > not match > certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495: > message_static_functions.c:221: decryption failed > LibSCEP.xs:1197: scep_unwrap failed > > this sounds as you now finally broke your SCEP setup - if you really > ignored the SQL errors (and have created a new key) then your Cert and Key > does not match so you get a crypto error. All logs you have shown are far > away from an enrollment request where we have to work around the > "signer cert" problem. > > I suggest you just create a new token (key and cert) and import it again, > this should create a new SCEP Token alias with a new generation number. > Make sure your DataVault token ist operational before you try loading the > key! > > Oliver > > -- > Protect your environment - close windows and adopt a penguin! > > _______________________________________________ > OpenXPKI-users mailing list > OpenXPKI-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > > _______________________________________________ > OpenXPKI-users mailing list > OpenXPKI-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > > _______________________________________________ > OpenXPKI-users mailing list > OpenXPKI-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openxpki-users >
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
