Nilgiris BlueMountain wrote:
> I did a cvs update today and the segmentation fault persists. Here is
> how I invoked sscep:
>
> ./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u http://caserver/cgi-bin/scep/scep
>
> ./sscep: sending certificate request
> ./sscep: valid response from server
> Segmentation fault

yeah, looks like you send a wrong request - and sscep can't decode the
wrong answer... if you use the scep interface - this is usually like an
ra/ca case in scep language... since at least I use extra certificates
for the scep interface
so your call above implies a direct connection to the ca - this isn't
the case with a common openca-scep installation
I also recommend to use a conf file - like the example sscep.conf
you just have to adapt to match your setup...
and then call like:
./sscep getca -f my.conf
./sscep enroll -f my.conf
this is much easier to handle and to reproduce ;o)
I have added an example configuration of mine
you should adapt the paths at least - everything else
should be fine... maybe the name of the files generated
by mkrequest ;o)
the -0 and -1 are correct - since sscep creates two ca-files
when it gets more than one... should just work like setup, otherwise
you have to change the 0 and the 1...
I just tested this - with not the newest sscep client
but actual cvs code - just works fine
> For sscep operations, my order of operation was:
> 1. getca
> 2. enroll
this looks fine ;o)
greetings
dalini

#
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs separated with one
# or more space characters:
#
# "Key" [spaces] "Value"
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
# "Key" [spaces] "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.
#
#
# Common options for all operations
#
# URL of the SCEP server.
URL http://10.128.2.5/pki/ra-001/cgi-bin/scep/scep
# Use HTTP proxy server
#Proxy localhost:8080
# This one is needed with all operations.
CACertFile /usr/local/pki/tools/sscep/cacert.crt-1
# Possible values: yes or no.
Verbose yes
Debug yes
#
# Options for getca
#
# Some CAs require you to define this
#CAIdentifier "CA Identifier"
# Display fingerprint algorithm (md5/sha1)
FingerPrint md5
#
# Common options for enroll, getcert and getcrl
#
# Private key created with mkrequest
PrivateKeyFile /usr/local/pki/tools/sscep/local.key
# Where to write successfully enrolled certificate
LocalCertFile /usr/local/pki/tools/sscep/local.crt
# If your CA/RA uses different certificates for encryption
# and signing, define this
EncCertFile /usr/local/pki/tools/sscep/cacert.crt-0
# PKCS#7 encryption/signing
# Note: this could be very misleading, current SCEP draft provides no
# mechanism to "negotiate" the algorithm - even if you send 3des, reply
# might be des.
# Encryption algorithm: des, 3des or blowfish. Default: des
#EncAlgorithm 3des
# Signature algorithm: md5 or sha1. Default: md5
#SigAlgorithm sha1
#
# Options for enroll
#
# Certificate request file created with mkrequest
CertReqFile /usr/local/pki/tools/sscep/local.csr
# Optionally write the self-signed certificate to this file
#SelfSignedFile ./selfsigned.crt
# Polling interval for a pending certificate (seconds)
PollInterval 5
# Maximum polling time
MaxPollTime 28800
# Maximum polling count
MaxPollCount 256
#
# Options for getcert
#
# Certificate serial number (decimal)
GetCertSerial 1
# Write certificate as
GetCertFile /usr/local/pki/tools/sscep/cert.crt
#
# Options for getcrl
#
# Write CRL as
GetCrlFile /usr/local/pki/tools/sscep/crl.crl
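Added example (not part of the thread or of sscep itself): a small parser for the sscep.conf syntax described in the file's header comments (key/value pairs, optional quoting, backslash-escaped quotes, comment and empty lines), plus a check that the keys an operation relies on are present. The per-operation key sets are an assumption taken from the section comments of the example file, not from sscep's source, and the sample configuration is constructed.

```python
import re

# Constructed sample in the sscep.conf syntax described in the attached file:
# comment and empty lines, unquoted values, and a quoted value with an
# escaped quotation mark inside it.
SAMPLE_CONF = r'''
# sample configuration (constructed for this example)
URL http://10.128.2.5/pki/ra-001/cgi-bin/scep/scep
CACertFile /usr/local/pki/tools/sscep/cacert.crt-1

"CAIdentifier" "Example \"RA\" Identifier"
Verbose yes
PrivateKeyFile /usr/local/pki/tools/sscep/local.key
'''

# Keys each operation relies on, assumed from the section comments of the
# example sscep.conf (CACertFile "is needed with all operations"); this is
# not taken from sscep's own source.
REQUIRED = {
    "getca": {"URL", "CACertFile"},
    "enroll": {"URL", "CACertFile", "PrivateKeyFile", "LocalCertFile",
               "CertReqFile"},
}

# A token is either a quoted string (backslash escapes the next character)
# or a run of non-space characters; a line is exactly key, spaces, value.
TOKEN = r'"((?:[^"\\]|\\.)*)"|(\S+)'
LINE_RE = re.compile(r'^(?:%s)\s+(?:%s)$' % (TOKEN, TOKEN))


def _unquote(quoted, plain):
    """Pick whichever alternative matched and undo the \\" escape."""
    if quoted is not None:
        return quoted.replace('\\"', '"')
    return plain


def parse_sscep_conf(text):
    """Parse sscep.conf text into a dict; a repeated key keeps the last value."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # comment lines and empty lines are discarded
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("line %d: expected 'Key Value', got %r" % (lineno, raw))
        key = _unquote(m.group(1), m.group(2))
        conf[key] = _unquote(m.group(3), m.group(4))
    return conf


def missing_for(conf, operation):
    """Return the keys the given operation needs that the config lacks."""
    return sorted(REQUIRED[operation] - set(conf))
```

Running `missing_for(parse_sscep_conf(SAMPLE_CONF), "enroll")` reports the enroll-only keys the constructed sample leaves out, which is the kind of gap that otherwise only shows up when sscep is already talking to the server.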