I ran the test from 23.2.2 and received the following error message on the ‘Get 
Certificate CA’ portion.  Based on the sscep documentation, ‘-i’ is supposed to 
be the CA identifier.  I am not sure what the CA identifier is supposed to be, 
but I tried the common name of the CA, the thumbprint, and tried using ‘MyPKI’. 
 Both returned the same error.  Any ideas?

Another potential issue, does my CA cert need any specific use options set?  I 
only have Server Authentication set on it in the extended usage.

user:~$ sscep getca -u http://10.10.10.22/scep/IP-Phone -c ./ca-prefix -i MyPKI -v -d
sscep: starting sscep, version 0.9.0
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: 10.10.10.22
sscep: directory: scep/IP-Phone
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
GET /scep/IP-Phone?operation=GetCACaps HTTP/1.1
Host: 10.10.10.22
Connection: close

sscep: server response status code: 200, MIME header: text/plain
sscep: scep caps bitmask: 0x04bb
sscep: SCEP_OPERATION_GETCA
sscep: scep request:
GET /scep/IP-Phone?operation=GetCACert&message=MyPKI HTTP/1.1
Host: 10.10.10.22
Connection: close

sscep: server response status code: 500, MIME header: text/plain
sscep: wrong (or missing) MIME content type
sscep: error while sending message
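
The URL form described in the thread (http://<ip of PF server>/scep/<template name>) and the two checks visible in the sscep log above (HTTP status, then MIME content type) can be reproduced without sscep. The following is an added diagnostic script, not code from the PacketFence project or from anyone in this thread; the server address, template name and CA identifier are placeholders copied from the log, and the content types it expects for GetCACaps and GetCACert are those defined in RFC 8894.

```python
"""Added example: probe a SCEP responder the way the sscep 'getca' log shows.

Builds the GetCACaps and GetCACert request URLs for a PacketFence-style SCEP
endpoint and validates the reply the way sscep's log shows it being checked:
first the HTTP status code, then the MIME content type.
"""

from urllib.parse import urlencode
from urllib.request import urlopen
from urllib.error import HTTPError, URLError

# Content types a SCEP responder returns for each operation (RFC 8894, section 4).
EXPECTED_CONTENT_TYPES = {
    "GetCACaps": {"text/plain"},
    "GetCACert": {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"},
}


def scep_url(base_url, operation, message=None):
    """Build http://<server>/scep/<template>?operation=...&message=...

    The message parameter carries the CA identifier (sscep's -i option) for
    GetCACert and is omitted for GetCACaps.
    """
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base_url.rstrip('/')}?{urlencode(params)}"


def check_response(operation, status, content_type):
    """Return (ok, reason) using the two checks visible in the sscep log."""
    if status != 200:
        return False, f"server returned HTTP {status} for {operation}"
    # Drop parameters such as '; charset=utf-8' before comparing the MIME type.
    mime = content_type.split(";")[0].strip().lower() if content_type else ""
    if mime not in EXPECTED_CONTENT_TYPES[operation]:
        return False, f"wrong (or missing) MIME content type: {mime!r}"
    return True, "ok"


def parse_ca_caps(body):
    """A GetCACaps body is one capability keyword per line (RFC 8894, 3.5.2)."""
    return sorted({line.strip() for line in body.splitlines() if line.strip()})


def probe(base_url, ca_ident, timeout=10):
    """Run GetCACaps then GetCACert against base_url; return {operation: (ok, reason)}."""
    results = {}
    for operation, message in (("GetCACaps", None), ("GetCACert", ca_ident)):
        url = scep_url(base_url, operation, message)
        try:
            with urlopen(url, timeout=timeout) as resp:
                status = resp.status
                ctype = resp.headers.get("Content-Type")
                body = resp.read()
        except HTTPError as err:
            # urllib raises on 4xx/5xx; keep the status and headers for the check.
            status, ctype, body = err.code, err.headers.get("Content-Type"), err.read()
        except URLError as err:
            results[operation] = (False, f"connection failed: {err.reason}")
            print(f"{operation}: {url} -> connection failed: {err.reason}")
            break
        ok, reason = check_response(operation, status, ctype)
        results[operation] = (ok, reason)
        print(f"{operation}: {url} -> {reason}")
        if ok and operation == "GetCACaps":
            caps = parse_ca_caps(body.decode("utf-8", errors="replace"))
            print("  advertised capabilities:", ", ".join(caps))
    return results


if __name__ == "__main__":
    # Placeholders taken from the thread: replace with your PacketFence address,
    # SCEP template name and CA identifier.
    probe("http://10.10.10.22/scep/IP-Phone", "MyPKI")
```

Read against the log above, the order of the checks matters: the GetCACert request was answered with HTTP 500 before any content-type comparison, so the "wrong (or missing) MIME content type" line is a consequence of that 500, and the status code (and the server-side log for that request) is the primary symptom to chase.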

From: JUSTIN BISHOP <justin_bis...@ycs.wednet.edu>
Sent: Tuesday, February 18, 2025 12:30 PM
To: Benn, Davis <db...@claremontsavings.bank>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [External] Re: [PacketFence-users] SCEP Template / URL and MSPKI Questions

Sorry, my operational knowledge is a bit limited.
That being said, getting an "operation not implemented" is a step in the right 
direction - that means that that URL is being "published" by the Packetfence 
server.  Likely meaning the SCEP url is valid.  "not implemented" seems to 
imply that webpage-based certificate enrollment is not enabled on that specific 
URL, which is expected when using SCEP.

You can try sending through the SCEP connection test commands to that URL now, 
which are in the installation guide, section  23.2.2. Template creation
At the bottom of the template creation, there are steps to get the CA cert and 
perform a request (looks like this:   sscep enroll -c ./ca-prefix -k 
./private.key -r ./MYCSR.csr -u http://ip_address/scep/template_name -S sha1 -l 
./cert.crt)

On Thu, Feb 13, 2025 at 9:27 AM Benn, Davis <db...@claremontsavings.bank> wrote:
After reboot of the server (for updates) it now displays a black screen with 
the text ‘operation not implemented’.  Prior to the reboot the page would not 
load.  Any ideas about this?  I can send screenshots of the configuration or 
logs if that helps.

Thanks.

From: Benn, Davis
Sent: Tuesday, February 4, 2025 12:48 PM
To: JUSTIN BISHOP <justin_bis...@ycs.wednet.edu>; packetfence-users@lists.sourceforge.net
Subject: RE: [External] Re: [PacketFence-users] SCEP Template / URL and MSPKI Questions

Thank you for the response.

I added the ‘radius’ listening daemon to the main interface and restarted the 
services you mentioned.  Then I went into the cert template and enabled the 
scep server ‘null’ and restarted the PKI service.  Then I tried the url again, 
but the page did not respond / refused to connect as per my browser.

‘haproxy-portal’ was enabled, but not running, so I started it.  I noticed 
quite a few services were the same (enabled, but not running), including ones 
that say they are required for the config.  Is that normal / expected?

Thanks again.

From: JUSTIN BISHOP <justin_bis...@ycs.wednet.edu>
Sent: Monday, February 3, 2025 12:44 PM
To: packetfence-users@lists.sourceforge.net
Cc: Benn, Davis <db...@claremontsavings.bank>
Subject: [External] Re: [PacketFence-users] SCEP Template / URL and MSPKI Questions

I can add some suggestions to step 3 you listed, as we have worked through the 
same issues.

Make sure that you add the "radius" listening daemon to your network interface 
on the PacketFence appliance.  This is done via Configuration > Network 
configuration > interfaces > select Eth0 (assuming this is your main NIC on the 
appliance) and select these under the "additional listening daemon(s)" 
dropdown.  This will require a restart of the following services:
  • haproxy-portal
  • httpd.portal
  • iptables

Your SCEP URL should be http://<ip of PF server>/scep/<template name> - looks 
like you have that right.

Make sure your SCEP server is enabled under Configuration > Integration (PKI) > 
SCEP servers
We use the "null" entry (127.0.0.1) and make sure the shared secret matches the 
secret entered into the SCEP template.

On Fri, Jan 31, 2025 at 6:44 PM Benn, Davis via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hello.

I have been tinkering around with PacketFence and have some questions relating 
to PKI and SCEP.  For information, PacketFence is on version 14.  It is not 
inline and it only has one network port configured at the moment.

1. As per the documentation (23.1), I have configured NDES to work with 
PacketFence.  It seems like this only works for wireless networks?  Is there a 
way to do anything else with this or the MSPKI integration in general?  If not, 
I think for me it makes more sense to just make PacketFence a subordinate CA of 
my Windows CA.

2. How does the SCEP proxy work mentioned in the documentation (right before 
the SCEP test section of 23.2.2)? Is it for configuring a SCEP server to proxy 
to PacketFence?  What standalone SCEP servers exist that could be used with 
this?

3. I signed a CSR from the PacketFence server using my Windows CA as per 
(23.2.1).  I was configuring a template named IP-Phone using this CA and tried 
following the documentation (23.2.2), but there were a bunch of options that 
did not match up such as requiring an email in the template. In the template I 
enabled SCEP and configured a challenge password, but I have no idea what the 
correct url should be.  I tried http://<ipaddress>/scep/IP-Phone and that did 
not work. Do I need to enable something, or configure some sort of responder on 
the packetfence network interface?  I only have it set to Management at the 
moment.

Thank you.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users