Hi Christina,

Thanks for getting back to me.

At the time, I thought this was a Dogtag issue but I have since discovered that it appears to be solely an issue on the Certmonger side and is being tracked at https://pagure.io/certmonger/issue/93.

Also, thanks for jumping in on the Dogtag AES patch, getting that in place will be great.

Trevor

On Wed, Feb 7, 2018 at 7:40 PM, Christina Fu <[email protected]> wrote:

> Hi Trevor,
>
> I'll need a bit of clarification and some info...
>
> On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
>
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set up
> and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate and
> I've been unable to figure out how to successfully debug the issue.
>
> So, the scep client has an issue receiving the scep response from the
> server? And you have determined that the response is indeed a signed
> certificate (like, not error response)?
>
> The error that is returned is "Error: failed to verify signature on server
> response." and is triggered from
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.
>
> Is your scep client trusting the subordinate ca's scep signing cert?
>
> I've tried dumping the p7 data but, from what I can tell, the response is
> empty in that block of code and I'm not quite sure where to go from there.
>
> Wait, so the received response is empty?
>
> If the scep response from the subCA is not empty, could you show the
> Base64 encoded response and maybe I can take a look?
>
> Also, if you could attach relevant portion of the sub-CA's debug log it
> might be helpful.
>
> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> Pki-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-devel

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
