Trevor Vaughan via FreeIPA-users wrote:
Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set up with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes successfully per the Dogtag side of the equation but the response from the server cannot be decrypted by the client and I get the following error in the certmonger debug log:
2018-01-29 23:56:43 [5396] Child output: "Error: failed to verify signature on server response. "
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
The following commands were used for server addition and certificate registration.
getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
Looking at the certmonger code, it looks like it is completely skipping all of the case statements and simply dropping down to the 'goto:' https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
I've tried recompiling certmonger with some debug statements but I haven't managed to suss out what's going on. If someone could tell me how to print the actual response from the server, it would be appreciated.
It certainly feels like the SCEP support has taken a back seat to the CMC features but the CMC features just aren't ready to replace SCEP at this time and, of course, can't support a lot of hardware requirements.
A couple of things to try:
- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request. Again, you may be able to get some data out of it.
I haven't tried SCEP with a subCA. It could be there is some disagreement about who is actually signing the response.
rob
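Added example, not code from the thread, from certmonger or from Dogtag: a stdlib-only DER walker that reads the issuerAndSerialNumber out of every SignerInfo in the SCEP PKCS#7 signedData response and compares it with the certificate certmonger was given via -R. It addresses both points above: seeing what the server actually returned, and Rob's suspicion that client and server disagree about who signed the response when a sub CA is involved (the sub CA signing with its own certificate names it by the root CA's name plus the sub CA's serial; a response signed by the root CA names a different serial). The CA names, the dummy certificates and the sample responses are constructed here; nothing is claimed about how certmonger's own pkcs7.c check is implemented, and this parser ignores keys and signatures, so it is a structural cross-check, not signature verification.

```python
# Added example (not from the thread, certmonger or Dogtag): stdlib-only DER walker
# that reports which certificate each SignerInfo of a SCEP PKCS#7 response names.
# All sample data at the bottom is constructed (hypothetical CA names, dummy keys).
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_to_str(name):
    """Render an X.501 Name (SEQUENCE of SET of AttributeTypeAndValue) as text."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def cert_id(cert_der):
    """(issuer, serial) of a DER certificate: how a SignerInfo would name it."""
    fields = children(children(read_tlv(cert_der, 0)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                        # optional [0] version
        fields = fields[1:]
    return name_to_str(fields[2][1]), int.from_bytes(fields[0][1], "big")

def scep_response_signers(der):
    """(issuer, serial) named by each SignerInfo of a signedData response."""
    (_, oid), (_, explicit) = children(read_tlv(der, 0)[1])
    if decode_oid(oid) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData")
    fields = children(children(explicit)[0][1])        # SignedData SEQUENCE
    signers = []
    for _, si in children(fields[-1][1]):              # signerInfos SET
        sid_tag, sid = children(si)[1]
        if sid_tag != 0x30:
            raise ValueError("sid is subjectKeyIdentifier; SCEP expects issuerAndSerialNumber")
        (_, issuer), (_, serial) = children(sid)
        signers.append((name_to_str(issuer), int.from_bytes(serial, "big")))
    return signers

def signed_with(der, ca_cert_der):
    """True when every signer names exactly the certificate given (the -R CA);
    False is the 'who is actually signing' disagreement discussed in the thread."""
    return all(sig == cert_id(ca_cert_der) for sig in scep_response_signers(der))

# --- constructed sample data: tiny DER encoder and hypothetical CA names ---
def tlv(tag, payload):
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = [(a & 0x7F) | 0x80] + chunk, a >> 7
        body += bytes(chunk)
    return tlv(0x06, body)

encode_int = lambda n: tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
encode_name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))

def fake_cert(issuer_cn, serial, subject_cn):
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))          # sha256WithRSA, dummy
    tbs = tlv(0x30, encode_int(serial) + alg + encode_name(issuer_cn) + tlv(0x30, b"") + encode_name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))             # empty BIT STRING as signature

def fake_response(signer_issuer_cn, signer_serial):
    sid = tlv(0x30, encode_name(signer_issuer_cn) + encode_int(signer_serial))
    si = tlv(0x30, encode_int(1) + sid + tlv(0x30, encode_oid("2.16.840.1.101.3.4.2.1"))
             + tlv(0x30, encode_oid("1.2.840.113549.1.1.1")) + tlv(0x04, b"\x00" * 128))   # dummy RSA signature
    sd = tlv(0x30, encode_int(1) + tlv(0x31, b"") + tlv(0x30, encode_oid("1.2.840.113549.1.7.1")) + tlv(0x31, si))
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, sd))

SUB_CA_CERT = fake_cert("Site Root CA", 7, "Site Sub CA")      # stands in for -R /etc/pki/site-pki.pem
RESPONSE_FROM_SUB_CA = fake_response("Site Root CA", 7)       # sub CA signed with its own certificate
RESPONSE_FROM_ROOT_CA = fake_response("Site Root CA", 1)      # root CA signed the response instead
```

Feed a real response (DER, as captured from the Dogtag debug log or the certmonger -d 9 run) to scep_response_signers and compare with cert_id of the DER form of the -R certificate; `openssl cms -inform DER -in response.der -cmsout -print` shows the same signerInfos fields if you want to cross-check by hand.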