Hi Oliver, I’ve tried the same enrollment process but this time I switched to « log_level = TRACE » in the configuration of OpenXPKI (scep/default.conf) so that I can collect more information.
FYI: router configuration:

crypto pki trustpoint TEST_PKI
 enrollment retry count 3
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://xxx.xxx.xxx.xxx:80/scep/scep
 serial-number
 fqdn test1.router.com
 password 7 03375E08140A356F46081509121C0C09
 fingerprint 99407E43407A531236DA622C514ABCDA
 subject-name CN=test1.router.com
 vrf Mgmt-intf
 revocation-check crl
 source interface GigabitEthernet0
 rsakeypair TEST_RSA_KEY
 auto-enroll 1 regenerate
 hash sha256

Then I successfully fetch the CA:

router1#crypto pki authenticate TEST_PKI
Trustpoint 'TEST_PKI' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
       Fingerprint MD5: 99407E43 407A5312 36DA622C 514ABCDA
      Fingerprint SHA1: 8CC5B9CE 21BD145B BDB5436C 5762BC99 D1672575
Trustpoint Fingerprint: 99407E43 407A5312 36DA622C 514ABCDA
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.

Then I tried to enroll the router with « crypto pki enroll TEST_PKI ». At that point I collected the logs from /var/log/openxpki/scep.log. I extracted from the logs the message I received just before the error message in the log file: "ERR Unable to find signer certificate in enveloped message [pid=70|ep=scep]". You will find this message just below in PEM format, followed by the format decoded by openssl. As far as I can tell it looks like a self-signed certificate from the router? Tell me if you have enough information to understand what goes wrong with this enrollment. Thanks in advance for your help.

BR,

Damien.
❯ cat scep-message.txt
-----BEGIN PKCS7-----
MIIKnQYJKoZIhvcNAQcCoIIKjjCCCooCAQExDzANBglghkgBZQMEAgEFADCCBWAG
CSqGSIb3DQEHAaCCBVEEggVNMIIFSQYJKoZIhvcNAQcDoIIFOjCCBTYCAQAxggIO
MIICCgIBADByMFoxCzAJBgNVBAYTAkRFMREwDwYDVQQKDAhPcGVuWFBLSTEMMAoG
A1UECwwDUEtJMSowKAYDVQQDDCFPcGVuWFBLSSBEZW1vIElzc3VpbmcgQ0EgMjAy
MzA1MTUCFHsbbWU7DrJBR6HM6msLps2Z50RzMA0GCSqGSIb3DQEBAQUABIIBgFTx
Rj2d8wOTXctCiMwXpzO999Smuvtz23jRA5hSzlJsxTbslHNkonSwL29G6USWd/dw
HtvAzO/pVH1dIA/JR3qzMe7UPlpo9QcXpOyu3cgnzLJRloAOP/YTbeRxxnCAyO55
pdFKWHxE06mqzih2PqkWEEAgyXyM/6bGR4N9/JEHR0f16d3FyOPjaXZH0epqTMvi
LdZscTSndxzOIWd5+6D4kLGdiDOO0gPmn6fKLpKdOcN7yMYdTx2yywbjh4B6t8Ww
6e5fK6Z2JK6OvBA9ReYqldmR3w9R57hVoRyrA7ymouYPUifk1zmo4V3F9lG884Hp
d0Y5b4xqerBF+zAjb8AW3Bv7szpmgKQ5EEfgmPMOa28ElJvNdYk8HeeBHK3+C86n
vljYoWIKgveOlxy6F94GtO0NKyphaZm5s2qJtQWBK453orkrrNeYUyRmiBbYj5b/
Hl1FLMdcXG8j1ol7W6Hz5J2qP6yUU4WeDjDzGW5xWmAQJMf191zaVBrtn1CJJDCC
Ax0GCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIzatJOdpYc16AggL4CPcXCqjfISqs
A1fZOnX7x7QrKVtCspflweXl0mr+ayUwcGy+Ql09lqtGSgxxa01w+cFElz56jtrX
2NyVv5noVex7FGiDLSMHStPmHFci7DPXEBBBNF26G9cwOeQnS1qyLJ4tqCx7jO5c
5pe9XCz4IpX7dvStyRgwMe1qV9KTYsYSgp1Oay50TPBBZmwpraYWA/tIs3Kwe8qg
OBQSEk3qF9IFPSweJaj48a1FLAIth4JIVx2vDAExbJVzWjTXBtwiQTmgbF3aFtj1
9sCDnSmAlt7n72BiH51ufKXUOOwkrkHowEnodkBVtu2CVkPQ9IoLINd0bZZaBd13
SChIjmK+8zxeUIyAxF7BclUVuappgGHquxgFk94xx+9oa9yADRCNnV9IVmbvupdn
gE+HQKB3FBkVCrMVHCUMaBCM2s7qFxWDmWQMyFcFHV+8TIEZDWb4K2pMuuapnml2
AHdCHhlfvS91m0gPKh1/sq4gdi9cpp2aHgNpfw3GEmcBsSHt0pCDi1sh06t/FAw3
hmdpM8FiouoPzwJWE1Wpwy2x5PLFcaQth8kM3JElcctQSd3UI/ogFhWhEQm3IgPN
wdKlFcR++1MRLDLAPwvtLr+4XUH6u3ZUjlXacrV5FWjAlfX+GGkiD65zVl26iBlW
Dj1NHMY5zMxzQF+OZqZCEUHNSTia/D5Kg/JVXKTL3ne/y6eRQc1/pgs6NUQjlWNP
X4acskQ6brSLYqEvN6bmEASjPhZK99ZfLa4wjDx1PE4S45NarwIfkQw+RNm1VFKz
3lwpN2YvINldSQa6g//bE1h5Z5UHv/rmC5/Dl2x7Rz1cc/9wCm8NL99ULqjb7qxO
7UABkctMW5MQqdeN9Idi7iV76aapHOC7BqIUQILt1TRigQATbDKl7WiIa/W6guvw
HSL6aN/kbIWHRMR5yyryMkvVgLCPWEbm1VXbgfK44+EDLzndB9xxzZbtktj1sTsD
mvOZpGMiiI7Loax4sa5LMubNgy0u1S+LrBNg/npMcaCCAuowggLmMIIBzgIDAPoe
MA0GCSqGSIb3DQEBCwUAMDgxNjA0BgkqhkiG9w0BCQIWJ3Rlc3QxLnJvdXRlci5j
b20gICAgICAgICAgICAgICAgICAgICAgIDAeFw0yMzA1MjMxMjQ3MzdaFw0zMzA1
MjIxMjQ3MzdaMDgxNjA0BgkqhkiG9w0BCQIWJ3Rlc3QxLnJvdXRlci5jb20gICAg
ICAgICAgICAgICAgICAgICAgIDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMf/5CcAcQIfRvOCz14+0oWw0/7M2QOOijq6+/ATAkW2zCvASdGr9dj/QP2m
0KEpuTvIP1kHmRb+tmiP7mJ9+sFNCCH3JMhh5UM4aauC9vlPJt2uVR7oO3LSPoSy
dq8dRlTApvfg7JlnXnRE9geYyYp/FautBWXH2NyjbQwK9BUZCq7rqCb5v7ccxQVE
8SMo6ZGoLG9sLKTUiOJnL7y6nzvzPU1dCrKS+XfgEXBjgPj59fDWBMimFSMgEDtR
u+s5yjyYZ0xiI1d6+l0p7dltM8eMEQBCZFg9iY5XHeLbiHWRWwJbDvArkKtkyF3W
JSnORZgJ8agQrZeBLTSY3H/5pL8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAwTfR
jMr0kIYOT9eZBOMHjxQ43Y5yLzYSqX5fwknjqTFaLuQfHIioN1kAjevM4Jj80TVu
ZtZfN/+4d0k8CZj63RBZ4mifTTUsVRYqUkGg0GDzREK5bnQEOv5hRcS0e/v0W4VX
lkWL7R6XYyZVYVW1X57lKgxSsC4pszhriBHJRsABNnWS2+ak/WjE7uGs34C8avsC
U6BebnbXDnVfELxYq9d6REHZe392euFbOI31ZkBkgz1juIeSaKaUwlE6KNaDizN6
fQvF59lSpv8E6pOBRCm4/PL8tzXy0/1mQWT/ndLvM1c29eEHzPbQyOlYtJhjUWFz
T83joqd7mzqw1SrTSDGCAiAwggIcAgEBMD8wODE2MDQGCSqGSIb3DQEJAhYndGVz
dDEucm91dGVyLmNvbSAgICAgICAgICAgICAgICAgICAgICAgAgMA+h4wDQYJYIZI
AWUDBAIBBQCggbMwEgYKYIZIAYb4RQEJAjEEEwIxOTAYBgkqhkiG9w0BCQMxCwYJ
KoZIhvcNAQcBMCAGCmCGSAGG+EUBCQUxEgQQ8qUHJnysOnR7o2pCwkMyKTAvBgkq
hkiG9w0BCQQxIgQguFl6xSMCfVy2mz4mjdL0Osd6tJ1cn76KOASTIt91HtMwMAYK
YIZIAYb4RQEJBzEiEyBDMjE1MkY4NUZFQzMyMkVFMkU5QjgzOTg1OEY4NTJCRTAN
BgkqhkiG9w0BAQEFAASCAQB35HC6b7I8woy6SxQCcvGlGtllturui/l2gdls9gjP
eDD9wGCzdjYSBQZDRIn3qeD9fYtqJ842uZ/mnn57lOm+FyLUmX9cN6gpXtq8LJ7d
sgR3wDFC1A2uns4UtsbrJC+Rn8AmIZ+an8vnhUdAzpuINI+SYG2i7wtFy6NtEgqg
vafBbVGqFY7GMrx4u6uIcMgA6ZZrg+xhtBxZxSVDurIeDVTTVUZ52udGgzYhWo29
MjfbVNhY/lNOgzY1hd9KQaDx50l6fYSelHhulRX2UV0ALU1KOjSaBP1LX56bsOK/
b7mzKkI6Q+UO9nAcTr3ine9sxqRyG/w6nd3RLTMgLEx4
-----END PKCS7-----

❯ openssl pkcs7 -in scep-message.txt -print_certs -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 64030 (0xfa1e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: unstructuredName=test1.router.com
        Validity
            Not Before: May 23 12:47:37 2023 GMT
            Not After : May 22 12:47:37 2033 GMT
        Subject: unstructuredName=test1.router.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:ff:e4:27:00:71:02:1f:46:f3:82:cf:5e:3e:
                    d2:85:b0:d3:fe:cc:d9:03:8e:8a:3a:ba:fb:f0:13:
                    02:45:b6:cc:2b:c0:49:d1:ab:f5:d8:ff:40:fd:a6:
                    d0:a1:29:b9:3b:c8:3f:59:07:99:16:fe:b6:68:8f:
                    ee:62:7d:fa:c1:4d:08:21:f7:24:c8:61:e5:43:38:
                    69:ab:82:f6:f9:4f:26:dd:ae:55:1e:e8:3b:72:d2:
                    3e:84:b2:76:af:1d:46:54:c0:a6:f7:e0:ec:99:67:
                    5e:74:44:f6:07:98:c9:8a:7f:15:ab:ad:05:65:c7:
                    d8:dc:a3:6d:0c:0a:f4:15:19:0a:ae:eb:a8:26:f9:
                    bf:b7:1c:c5:05:44:f1:23:28:e9:91:a8:2c:6f:6c:
                    2c:a4:d4:88:e2:67:2f:bc:ba:9f:3b:f3:3d:4d:5d:
                    0a:b2:92:f9:77:e0:11:70:63:80:f8:f9:f5:f0:d6:
                    04:c8:a6:15:23:20:10:3b:51:bb:eb:39:ca:3c:98:
                    67:4c:62:23:57:7a:fa:5d:29:ed:d9:6d:33:c7:8c:
                    11:00:42:64:58:3d:89:8e:57:1d:e2:db:88:75:91:
                    5b:02:5b:0e:f0:2b:90:ab:64:c8:5d:d6:25:29:ce:
                    45:98:09:f1:a8:10:ad:97:81:2d:34:98:dc:7f:f9:
                    a4:bf
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c1:37:d1:8c:ca:f4:90:86:0e:4f:d7:99:04:e3:07:8f:14:38:
         dd:8e:72:2f:36:12:a9:7e:5f:c2:49:e3:a9:31:5a:2e:e4:1f:
         1c:88:a8:37:59:00:8d:eb:cc:e0:98:fc:d1:35:6e:66:d6:5f:
         37:ff:b8:77:49:3c:09:98:fa:dd:10:59:e2:68:9f:4d:35:2c:
         55:16:2a:52:41:a0:d0:60:f3:44:42:b9:6e:74:04:3a:fe:61:
         45:c4:b4:7b:fb:f4:5b:85:57:96:45:8b:ed:1e:97:63:26:55:
         61:55:b5:5f:9e:e5:2a:0c:52:b0:2e:29:b3:38:6b:88:11:c9:
         46:c0:01:36:75:92:db:e6:a4:fd:68:c4:ee:e1:ac:df:80:bc:
         6a:fb:02:53:a0:5e:6e:76:d7:0e:75:5f:10:bc:58:ab:d7:7a:
         44:41:d9:7b:7f:76:7a:e1:5b:38:8d:f5:66:40:64:83:3d:63:
         b8:87:92:68:a6:94:c2:51:3a:28:d6:83:8b:33:7a:7d:0b:c5:
         e7:d9:52:a6:ff:04:ea:93:81:44:29:b8:fc:f2:fc:b7:35:f2:
         d3:fd:66:41:64:ff:9d:d2:ef:33:57:36:f5:e1:07:cc:f6:d0:
         c8:e9:58:b4:98:63:51:61:73:4f:cd:e3:a2:a7:7b:9b:3a:b0:
         d5:2a:d3:48
-----BEGIN CERTIFICATE-----
MIIC5jCCAc4CAwD6HjANBgkqhkiG9w0BAQsFADA4MTYwNAYJKoZIhvcNAQkCFid0
ZXN0MS5yb3V0ZXIuY29tICAgICAgICAgICAgICAgICAgICAgICAwHhcNMjMwNTIz
MTI0NzM3WhcNMzMwNTIyMTI0NzM3WjA4MTYwNAYJKoZIhvcNAQkCFid0ZXN0MS5y
b3V0ZXIuY29tICAgICAgICAgICAgICAgICAgICAgICAwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDH/+QnAHECH0bzgs9ePtKFsNP+zNkDjoo6uvvwEwJF
tswrwEnRq/XY/0D9ptChKbk7yD9ZB5kW/rZoj+5iffrBTQgh9yTIYeVDOGmrgvb5
TybdrlUe6Dty0j6EsnavHUZUwKb34OyZZ150RPYHmMmKfxWrrQVlx9jco20MCvQV
GQqu66gm+b+3HMUFRPEjKOmRqCxvbCyk1IjiZy+8up878z1NXQqykvl34BFwY4D4
+fXw1gTIphUjIBA7UbvrOco8mGdMYiNXevpdKe3ZbTPHjBEAQmRYPYmOVx3i24h1
kVsCWw7wK5CrZMhd1iUpzkWYCfGoEK2XgS00mNx/+aS/AgMBAAEwDQYJKoZIhvcN
AQELBQADggEBAME30YzK9JCGDk/XmQTjB48UON2Oci82Eql+X8JJ46kxWi7kHxyI
qDdZAI3rzOCY/NE1bmbWXzf/uHdJPAmY+t0QWeJon001LFUWKlJBoNBg80RCuW50
BDr+YUXEtHv79FuFV5ZFi+0el2MmVWFVtV+e5SoMUrAuKbM4a4gRyUbAATZ1ktvm
pP1oxO7hrN+AvGr7AlOgXm521w51XxC8WKvXekRB2Xt/dnrhWziN9WZAZIM9Y7iH
kmimlMJROijWg4szen0LxefZUqb/BOqTgUQpuPzy/Lc18tP9ZkFk/53S7zNXNvXh
B8z20MjpWLSYY1Fhc0/N46Kne5s6sNUq00g=
-----END CERTIFICATE-----

> On 17 May 2023 at 20:41, Oliver Welter <[email protected]> wrote:
>
> Hi Damien,
>
> I do not know this Cisco IOS version but from the error message it is clear
> that the router does either not attach the (self signed) signer certificate
> or we have some assumptions in our code that prevent OpenXPKI from detecting
> it properly. If you can provide the PKCS7 envelope I can have a look at this.
>
> Oliver
>
> On 16.05.23 17:42, M. Damien BILLON wrote:
>> Hi,
>>
>> I'm trying to set up a lab with a couple of Cisco routers getting their
>> certificates from OpenXPKI using SCEP.
>>
>> I installed OpenXPKI on an Ubuntu 22.04 server using Docker containers.
>>
>> I used the provided configuration script to set up the initial
>> configuration: "sampleconfig.sh".
>>
>> The router successfully gets the CA certificate (cn=OpenXPKI Demo Issuing CA
>> 20230515).
>>
>> But when it tries to fetch its own certificate I get the following error
>> message from the SCEP server (scep.log):
>> 2023/05/16 13:41:57 ERR Unable to find signer certificate in enveloped
>> message [pid=77|ep=scep]
>> 2023/05/16 13:41:57 ERR Unable to unwrap message (Error running command:
>> Unable to find signer certificate in enveloped message at
>> /usr/share/perl5/OpenXPKI/Client/Simple.pm line 465.
>> ) [pid=77|ep=scep]
>> 2023/05/16 13:41:57 INF Disconnect client [pid=77|ep=scep]
>>
>> I tried the same process using SSCEP (using the Quickstart Guide at
>> https://openxpki.readthedocs.io/en/latest/quickstart.html).
>> The request is accepted by OpenXPKI but it stays in a pending state (waiting
>> for a manual approval on the WebGUI).
>> I probably need to figure out what the conditions are to meet in the
>> workflow to fully approve a request (challenge password is OK but the signer
>> appears to be "Not trusted and Not authorized").
>>
>> Any idea why a request from a Cisco router would be refused by OpenXPKI?
>>
>> Release information from my configuration:
>> Cisco IOS-XE 17.06.05
>> OpenXPKI v3.24.1
>>
>> BR,
>>
>> Damien.
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> --
> Protect your environment - close windows and adopt a penguin!
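The check behind that error, shown here as an added example rather than OpenXPKI's, Cisco's or openssl's own code: a SCEP request is a PKCS#7 SignedData, and per RFC 5652 the server locates the signer by matching the SignerInfo's issuerAndSerialNumber against the certificates carried in the message's [0] certificate bag, which for a first enrollment must hold the router's self-signed certificate. The script below performs that byte-level match with the standard library only and exercises three constructed messages (self-signed certificate attached, certificate bag omitted, bag present but serial mismatched). ROUTER, the dummy keys and the DER builder are assumptions made for the demo and are not taken from the thread. To run it on the real envelope, paste the PEM block above into load_pem() and call signer_cert_status() on the result; `openssl cms -cmsout -print -inform PEM -in scep-message.txt` prints the same signerInfos and certificates fields for a manual comparison.

```python
"""Does a PKCS#7 SignedData carry the certificate its SignerInfo points at?

Added diagnostic example (not OpenXPKI, Cisco IOS or openssl code), standard
library only. Walks ContentInfo -> SignedData, collects the optional [0]
certificate bag and compares each SignerInfo's issuerAndSerialNumber with the
embedded certificates (RFC 5652 s.5.3). Sample messages are constructed test data.
"""
import base64

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def der_read(buf, pos=0):
    """Return (tag, value, end) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into (tag, inner, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, end = der_read(value, pos)
        out.append((tag, inner, value[pos:end]))
        pos = end
    return out

def cert_issuer_serial(cert_raw):
    """(issuer Name as raw DER, serial) of an X.509 certificate, v1 or v3."""
    fields = der_children(der_children(der_read(cert_raw)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:               # v3: [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return fields[2][2], serial            # serial, signature alg, issuer, ...

def load_pem(text):
    """Decode a PEM blob as printed by `openssl pkcs7`, ignoring the armor lines."""
    return base64.b64decode("".join(line for line in text.splitlines() if not line.startswith("-----")))

def signer_cert_status(pkcs7_der):
    """For each SignerInfo return (serial, True if its certificate is embedded)."""
    oid, explicit = der_children(der_read(pkcs7_der)[1])[:2]
    if oid[1] != OID_SIGNED_DATA:
        raise ValueError("outer ContentInfo is not SignedData")
    parts = der_children(der_children(explicit[1])[0][1])
    certs, signer_infos = [], b""
    for tag, val, _ in parts[3:]:          # after version, digestAlgorithms, encapContentInfo
        if tag == 0xA0:                    # [0] IMPLICIT CertificateSet
            certs = [raw for _, _, raw in der_children(val)]
        elif tag == 0x31:                  # SET OF SignerInfo
            signer_infos = val
    known = {cert_issuer_serial(c) for c in certs}
    status = []
    for _, si, _ in der_children(signer_infos):
        sid_tag, sid, _ = der_children(si)[1]   # fields: version, sid, digestAlgorithm, ...
        if sid_tag != 0x30:                # [0] subjectKeyIdentifier form carries no issuer/serial
            status.append((None, False))
            continue
        issuer_raw, serial_tlv = der_children(sid)[0][2], der_children(sid)[1][1]
        serial = int.from_bytes(serial_tlv, "big", signed=True)
        status.append((serial, (issuer_raw, serial) in known))
    return status

# --- constructed test data: a tiny DER encoder that builds a well-formed message ---
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def alg(oid_hex): return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))   # NULL params
def name(cn): return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn.encode()))))

def fake_cert(issuer, subject, serial):
    """X.509 v1 skeleton with a dummy key and signature (constructed test data)."""
    validity = tlv(0x30, tlv(0x17, b"230523124737Z") + tlv(0x17, b"330522124737Z"))
    spki = tlv(0x30, alg("2a864886f70d010101") + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0x30, der_int(serial) + alg("2a864886f70d01010b") + name(issuer) + validity + name(subject) + spki)
    return tlv(0x30, tbs + alg("2a864886f70d01010b") + tlv(0x03, b"\x00" * 9))

def fake_signed_data(certs, signer_issuer, signer_serial):
    """SignedData with an optional certificate bag and one SignerInfo (dummy signature)."""
    sha256, rsa = alg("608648016503040201"), alg("2a864886f70d010101")
    sid = tlv(0x30, name(signer_issuer) + der_int(signer_serial))
    signer_info = tlv(0x30, der_int(1) + sid + sha256 + rsa + tlv(0x04, b"\x00" * 8))
    body = der_int(1) + tlv(0x31, sha256) + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    body += (tlv(0xA0, b"".join(certs)) if certs else b"") + tlv(0x31, signer_info)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, body)))

ROUTER = "test1.router.com"                # hypothetical name, mirroring the thread's router
SELF_SIGNED = fake_cert(ROUTER, ROUTER, 0xFA1E)
MSG_OK = fake_signed_data([SELF_SIGNED], ROUTER, 0xFA1E)     # bag present and matching sid
MSG_NO_CERTS = fake_signed_data([], ROUTER, 0xFA1E)          # bag omitted: signer cert missing
MSG_WRONG_SID = fake_signed_data([SELF_SIGNED], ROUTER, 1)   # bag present but serial differs
MSG_OK_PEM = "-----BEGIN PKCS7-----\n" + base64.b64encode(MSG_OK).decode() + "\n-----END PKCS7-----\n"
```

signer_cert_status(MSG_OK) returns [(64030, True)], while MSG_NO_CERTS and MSG_WRONG_SID both come back with False: the first is the "no certificate attached" case Oliver names, the second the "attached but not detected" case. One caveat: the match here is a byte-for-byte comparison of the DER Name and serial. If it succeeds on a captured envelope, the bytes are consistent and any server side failure lies in how that server parses or compares the issuer Name and serial, which this script cannot tell you.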
