[Pki-users] SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS

2024-04-11 Thread Project Administrator
Let's summarize:

1. update-crypto-policies --set DEFAULT:SHA1
then configure the SCEP security settings as described in 5.8.2 Configuring Security
Settings for SCEP:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#renewing-certificates

2. With latest-generation Cisco devices, SCEP enrolment works correctly
with Dogtag 11.8.4, optionally with:
- crypto pki trustpool import clean [terminal | url url]
- crypto pki trustpool import {terminal} {url url | ca-bundle} {vrf
vrf-name | source interface
interface-name}
- chain-validation stop
- password [stroke]
- hash sha256
- rsakeypair [key-label key-size encryption-key-size]
It does not work with eckeypair [label]: no CSR request is made, with error: not
found private key for eckeypair :(

3. Router(config)# crypto ca auth [trustpoint name]

4. Unmark UID: and PWD: in flatfile.txt, set UID:ip_addr_of_router and
PWD:[stroke], then, with debugging enabled:
  Crypto PKI Msg debugging is on
  Crypto PKI Trans debugging is on
  Crypto PKI Certificate Server debugging is on
  Crypto PKI SCEP Messages debugging is on

Router(config)# crypto pki enroll [trustpoint name]
 Insert serial number(yes/no)?
 Request certificate from CA(yes/no)?
All done.

5. Unfortunately, the old Cisco hardware with IOS >=12.X and SHA-1
cannot request certs, due to the Subj.

___
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-le...@lists.dogtagpki.org

[Pki-users] SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS

2024-04-08 Thread Project Administrator
Dear colleagues,

Dogtag version 11.8.4; a lot of old Cisco devices should be supported, and we
got this message on the pki-tomcat server when we tried to run:
(configure) crypto pki enroll PKI.LVM

2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for provider Mozilla-JSS]

Prerequisites: all parameters for SCEP security were enabled:

ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20

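Added example (not code from the thread or from Dogtag): a small triage script that reads the signatureAlgorithm OID out of a PKCS#10 request and applies the two gates the thread describes, the system crypto policy (SHA1 disabled under DEFAULT, enabled by DEFAULT:SHA1) and the CS.cfg ca.scep.allowedHashAlgorithms list. The DER walker, the stand-in CSR bytes and the error string it returns are constructed here to mirror the log line above; the CSR is minimal and not a real signed request.

```python
"""Triage a SCEP PKCSReq: which signature algorithm does the inner PKCS#10 use?"""

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

SIG_ALGS = {                                 # PKCS#1 signature algorithm OIDs
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}

def csr_signature_algorithm(csr_der):
    """CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }."""
    _, start, _ = _tlv(csr_der, 0)           # outer SEQUENCE
    _, _, end = _tlv(csr_der, start)         # skip certificationRequestInfo
    _, alg_start, _ = _tlv(csr_der, end)     # AlgorithmIdentifier SEQUENCE
    tag, s, e = _tlv(csr_der, alg_start)     # its first element is the OID
    assert tag == 0x06, "expected OID"
    return SIG_ALGS.get(_decode_oid(csr_der[s:e]), _decode_oid(csr_der[s:e]))

def scep_request_accepted(csr_der, allowed_hashes, sha1_in_policy):
    """Gate 1: JSS provider under the crypto policy. Gate 2: CS.cfg allow-list."""
    alg = csr_signature_algorithm(csr_der)
    hash_name = alg.split("with")[0]
    if hash_name == "SHA1" and not sha1_in_policy:
        return False, "no such algorithm: SHA1/RSA for provider Mozilla-JSS"
    if hash_name not in allowed_hashes:
        return False, f"{hash_name} not in ca.scep.allowedHashAlgorithms"
    return True, alg

def _der(tag, content):                      # tiny DER encoder for the sample
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

# Constructed stand-in CSR: only the fields the check needs (not a real request).
SHA1_CSR = _der(0x30, _der(0x30, _der(0x02, b"\x00"))
               + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
               + _der(0x03, b"\x00\xde\xad\xbe\xef"))
```

With the thread's CS.cfg list ["SHA1", "SHA256", "SHA512"] the SHA-1 request still fails until sha1_in_policy is true, which is what `update-crypto-policies --set DEFAULT:SHA1` changes.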