Trevor Vaughan via FreeIPA-users wrote:
> Hi All,
>
> I have a setup where I have a root CA and a sub CA and the sub CA is set
> up with a KRA and SCEP enabled.
>
> I've fired up certmonger and added the SCEP CA.
>
> When I attempt to request a certificate, the enrollment completes
> successfully per the Dogtag side of the equation but the response from
> the server cannot be decrypted by the client and I get the following
> error in the certmonger debug log:
>
> 2018-01-29 23:56:43 [5396] Child output: "Error: failed to verify signature on server response."
> 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
>
> The following commands were used for server addition and certificate
> registration.
>
> getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
>
> getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>
> Looking at the certmonger code, it looks like it is completely skipping
> all of the case statements and simply dropping down to the 'goto':
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>
> I've tried recompiling certmonger with some debug statements but I
> haven't managed to suss out what's going on. If someone could tell me
> how to print the actual response from the server, it would be appreciated.
>
> It certainly feels like the SCEP support has taken a back seat to the
> CMC features, but the CMC features just aren't ready to replace SCEP at
> this time and, of course, can't support a lot of hardware requirements.
A couple of things to try:

- look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may have the raw PKCS#7 data to poke at
- stop the certmonger service and start it in a terminal with

  certmonger -d 9 -n 2>&1 | tee /path/to/some/log

  and then redo the request. Again, you may be able to get some data out of it.

I haven't tried SCEP with a subCA. It could be there is some disagreement about who is actually signing the response.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
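Once the raw PKCS#7 response has been pulled out of the Dogtag or certmonger debug output, the two questions in the thread (who signed it, and does the configured CA certificate actually chain to that signer) can be answered with plain openssl. The script below is an added example for this reply, not code from the thread, from certmonger or from Dogtag: it builds a throwaway root CA and sub CA, signs a constructed payload with the sub CA key the way a SCEP CA signs its response, extracts the signer's subject, and shows that verification passes with the real root as trust anchor, fails with an unrelated CA (what a wrong `-R` file amounts to), and fails when the message omits the signer certificate unless the sub CA certificate is supplied out of band. All names, paths and the payload are invented for the demo; it assumes only a working `openssl` binary (1.1.x or 3.x) and a POSIX shell.

```shell
#!/bin/sh
# Added example: inspect and verify a PKCS#7/CMS SignedData response signed by a sub CA.
# Not from the thread, certmonger or Dogtag. Everything below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF

# Root CA, sub CA issued by the root, and an unrelated root that stands in for
# a wrong CA certificate handed to the client.
make_chain() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days 1 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" -subj "/CN=Example Site Sub CA" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/sub.pem" -days 1 2>/dev/null
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" -subj "/CN=Unrelated CA" -days 1 2>/dev/null
}

# Sign a constructed payload with the sub CA key, as a SCEP CA signs its CertRep.
# $1 = "embed" to carry the signer certificate in the message, "nocerts" to omit it.
sign_response() {
  printf 'constructed SCEP-style response body\n' > "$WORK/payload.bin"
  case "$1" in nocerts) extra="-nocerts" ;; *) extra="" ;; esac
  openssl cms -sign -binary -nodetach $extra -in "$WORK/payload.bin" \
    -signer "$WORK/sub.pem" -inkey "$WORK/sub.key" -outform DER -out "$WORK/resp.p7"
}

# Who signed it? -noverify checks the signature but skips chain validation, and
# -signer writes out whatever signer certificate the message itself carries.
signer_subject() {
  if openssl cms -verify -noverify -inform DER -in "$WORK/resp.p7" \
       -signer "$WORK/signer.pem" -out /dev/null 2>/dev/null; then
    openssl x509 -in "$WORK/signer.pem" -noout -subject | sed 's/^subject= *//'
  else
    echo "no signer certificate in message"
  fi
}

# Full verification against a trust anchor ($1). An optional $2 supplies
# certificates the message did not carry (e.g. the sub CA when only the root is trusted).
verify_with() {
  if openssl cms -verify -inform DER -in "$WORK/resp.p7" -CAfile "$1" \
       ${2:+-certfile "$2"} -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo FAIL
  fi
}

make_chain
sign_response embed
echo "signer: $(signer_subject)"
echo "trust root, signer cert embedded:        $(verify_with "$WORK/root.pem")"
echo "trust unrelated CA (wrong CA file):      $(verify_with "$WORK/other.pem")"
sign_response nocerts
echo "signer: $(signer_subject)"
echo "trust root, signer cert missing:         $(verify_with "$WORK/root.pem")"
echo "same, sub CA cert supplied out of band:  $(verify_with "$WORK/root.pem" "$WORK/sub.pem")"
```

To apply this to a real capture, replace `$WORK/resp.p7` with the DER blob recovered from the debug log and `$WORK/root.pem` with the file given to `getcert add-scep-ca -R`; if `signer_subject` names the sub CA while the trusted file holds only the root, the message must carry the sub CA certificate (or the client must be given it) for the chain to close.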