One of the things I would like to do with my OpenCA is automate certificate management on some of our unix (Linux/Solaris) servers.
The OpenCA installation (Mandriva 2006.0 using packages in the distribution) is working fine, and I have issued certs for VPN access etc using it.

openca-scep doesn't seem the best tool to use for this (it seems that a lot of scripting would be required).

I tried with autosscep (http://autosscep.spe.net/), which has apparently been tested with OpenCA in the past, and it seems (mostly) to succeed:

# autosscep autosscep.conf
autosscep: Reading config file
host: ra.telkomsa.net
port: 80
dir: /cgi-bin/openca/scep/scep
autosscep: cannot open local file: '/etc/ssl/cacert.pem'
autosscep: CA file missing, trying request reom server
autosscep: requesting CA certificate
autosscep: scep msg: GET /cgi-bin/openca/scep/scep?operation=GetCACert&message=CAIdentifier HTTP/1.0
Host: ra.telkomsa.net
autosscep: server returned status code 200
autosscep: MIME header: application/x-x509-ca-ra-cert
autosscep: valid response from server (reply: 3)
autosscep: n.0 -> found certificate with subject: /C=ZA/O=TelkomInternet/OU=Build Team/CN=TelkomInternet Root CA/[EMAIL PROTECTED]
autosscep: cannot open local file: '/etc/ssl/certs/jabber.pem'
Certificate Sign, CRL Signautosscep: Checking config file values
autosscep: Signature algorithm specified: sha1
autosscep: starting autoscep, version 0.9.28b 20 September 2004
autosscep: Checking certificate -- > jabber.pem
autosscep: Certificate jabber.pem is going to expire (or is missing)
autosscep: Looking for the CA data
autosscep: CA founded!!
autosscep: Starting certificate enrollment for -- > jabber.pem
autosscep: New request
autosscep: Creating request FROM CONFIG FILE DATA data for 'jabber.pem'
Certificate Request:
    Data:
        Version: 3 (0x3)
        Subject: C=ZA, ST=Gauteng, L=Centurion, O=Telkom Internet, OU=Build Team, CN=telkomsa.net/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d8:3b:34:00:9e:2b:9a:29:f9:b7:e5:a9:1b:57:
                    0e:3e:54:b4:bd:d4:8f:4a:0f:47:c0:13:a7:2f:2f:
                    b4:57:4a:73:0a:ce:ed:e0:be:23:d8:c6:24:e5:18:
                    4d:3b:bc:e8:09:da:a8:86:4f:52:e9:f1:5f:b6:7b:
                    11:49:97:c8:73:ca:34:ba:de:6b:83:ab:b1:24:36:
                    cd:2f:b2:53:c5:4a:e2:51:e4:5c:ca:40:f7:46:93:
                    37:5d:53:63:47:2d:0c:9e:78:b6:bd:b0:48:80:85:
                    64:33:80:f6:1f:3e:08:dd:c5:a2:bb:87:d6:e7:42:
                    d6:1c:b1:85:9a:c0:77:d9:c9
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            Netscape Comment:
                Web Server
    Signature Algorithm: sha1WithRSAEncryption
        7d:df:c9:b5:8f:82:48:aa:c2:d5:25:c8:6d:3d:c3:f5:e2:5f:
        44:1a:1b:f8:4c:fc:bf:ad:fa:10:3e:ef:1e:89:56:4c:e4:a3:
        fd:90:86:c8:c5:b9:38:60:b3:49:7a:8d:5c:97:1d:28:ae:a8:
        4d:b6:15:70:3d:a1:4c:9f:f1:57:04:54:3c:09:b3:3d:27:0e:
        60:0e:7a:cb:65:14:d9:6d:f6:4a:61:a7:79:25:c8:11:f3:e1:
        e7:78:4a:a3:b9:95:d0:f8:da:8b:67:0c:4d:f1:65:15:62:dc:
        00:92:e9:9f:f6:4f:f4:e1:13:92:20:8d:ec:29:5f:3c:72:a7:
        1f:42
autosscep: generating selfsigned certificate
autosscep: sending certificate request
autosscep: transaction_ID = 9ED1FF2A39914185BDCE81FC8AD0F232
autosscep: creating inner PKCS#7
autosscep: data payload size: 598 bytes
Segmentation fault (core dumped)

When I log into the CA interface, I don't see the request.

I have seen requests arrive in the CSR page, but in that case the requests don't seem to have any of the information (eg subjectDN) that is present in the .csr file on the client (generated by autosscep).

Has anyone got this setup working?

Current versions:

openca-common-0.9.2.2-2mdk
openca-doc-0.9.2.2-2mdk
openca-ocspd-1.0.3-3mdk
openca-scep-0.9.2-4mdk
openca-sv-0.9.94-6mdk
openca-web-interfaces-ca-0.9.2.2-2mdk
openca-web-interfaces-ldap-0.9.2.2-2mdk
openca-web-interfaces-node-0.9.2.2-2mdk
openca-web-interfaces-pub-0.9.2.2-2mdk
openca-web-interfaces-ra-0.9.2.2-2mdk
openca-web-interfaces-scep-0.9.2.2-2mdk
perl-OpenCA-AC-0.9.60.2.3-2mdk
perl-OpenCA-Configuration-1.5.3-4mdk
perl-OpenCA-CRL-0.9.24-2mdk
perl-OpenCA-Crypto-0.9.14-2mdk
perl-OpenCA-DB-2.0.5-5mdk
perl-OpenCA-DBI-0.9.115.2.5-2mdk
perl-OpenCA-LDAP-0.9.11-2mdk
perl-OpenCA-Log-0.9.14-2mdk
perl-OpenCA-OpenSSL-0.9.135.2.4-2mdk
perl-OpenCA-PKCS7-0.9.19-3mdk
perl-OpenCA-REQ-0.9.61-3mdk
perl-OpenCA-Session-0.9.7-2mdk
perl-OpenCA-StateMachine-0.9.6-5mdk
perl-OpenCA-Tools-0.4.3-5mdk
perl-OpenCA-TRIStateCGI-1.5.5-5mdk
perl-OpenCA-UI-HTML-0.9.23-2mdk
perl-OpenCA-X509-0.9.57-2mdk
perl-OpenCA-XML-Cache-0.9.14-2mdk

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
