John,

attached is my experience... and a first test script. I would love to
see some open source implementation of SCEP and am even willing to
provide some funds to get this done...

regards,
Janus Liebregts
SURFnet

John Douglass wrote:
> 
> Anyone have any experience using OpenSSL to do SCEP?
> (Simple Certificate Enrollment Protocol)
> 
> Primarily I'm trying to decode these SCEP messages
> from a Cisco Box so I can write the proper PERL
> scripts to respond.
> 
> Thanks,
>  - John Douglass
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]


Hi Massimiliano,

> I am interested in your work as I think it could be handy to add it to the Project
> (obviously if you intend to...).
I'm currently implementing SCEP using OpenCA/OpenSSL and some
self-written scripts, which I will post in the OpenCA project. I have
done some testing with a Cisco router and my scripts.
I did manage to get the CA's certificate into the router using these
scripts. Now I am trying to process the Cisco's certificate request; I
did manage to extract the PKCS#10 request from the signed and encrypted
blob. I have run into some ASN.1 (OpenSSL) parsing problems which I have
to investigate. After that I have to send back a signed status...

Attached is a sample of the script and its configuration file.
Don't look at the programming techniques; this is only a working
test script ;-)

To make a SCEP enroll request, this URL is used by the Cisco:

http://testca.surfnet.nl/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDjAMBggqhkiG9w0CBQUAMIAGCSqGSIb3DQEH

For SCEP see also:
http://www.ietf.org/internet-drafts/draft-nourse-scep-02.txt
and
http://www.cisco.com/warp/public/cc/cisco/mkt/security/tech/scep_wp.htm


> Keep in contact, best regards,
> 
>         Massimiliano Pala ([EMAIL PROTECTED])


regards,
janus
http://www.sec.nl/persons/janus

pkiclient.exe

## Configuration File for SCEP pkiclient Utility
## (c) 2000 by Janus Liebregts - All Rights Reserved

## LDAP Section:
## =============
##
## As this SCEP Manager needs to interact with an LDAP server,
## it is important (for administrative purposes) that you have
## privileged access to the directory.

## LDAP Server Name
ldapserver ldap.gigacorp.nl

## LDAP Port Number ( defaults to 389 )
ldapport 389

## LDAP Maximum number of records returned by a query
ldaplimit 100

## Now the LDAP default base dn
basedn "o=GigaCorp, c=nl"

## Let's define the privileged Account Allowed to Modify the LDAP entries
ldaproot "cn=root, o=GigaCorp, c=nl"
ldappwd  "digIDx509v3"

## Let's define some Directory Env
## the bin/ and sbin/ directories are expected to be found there
ldapbasedir "/usr/local/ldap"


## SSLeay Section
## ==============
ssleay "/usr/local/ssl/bin/openssl"
openssl "/usr/local/ssl/bin/openssl"
sslbasedir "/usr/local/ssl"

## General Section
## ===============
basedir "/usr/local/apache/htdocs/OpenCA/cgi-secure"
ServerDir "/usr/local/apache/htdocs/htdocs-secure"

pendingreqs "/usr/local/RAServer/reqs/pending/"
pendingbasesheet "sheets/pending_reqs.html"
ViewRequestSheet "sheets/view_req.html"
ApproveRequestSheet "sheets/app_req.html"

approvedreqs "/usr/local/RAServer/reqs/approved"
approvedbasesheet "sheets/approved_reqs.html"

archiviedreqs "/usr/local/RAServer/reqs/archivied"
archiviedbasesheet "sheets/archivied_reqs.html"
ViewarchiviedSheet "sheets/view_arc.html"

certsdir "/usr/local/RAServer/certs"
certsbasesheet "sheets/certslist.html"
viewcertsheet "sheets/viewcert.html"

tmpcertsdir "/tmp"

## Certificates and CRLs Section
## =============================

CACertificate "/usr/local/RAServer/cacert.pem"
CACertsDir "/usr/local/apache/htdocs/OpenCA/cgi-secure/"
CRLDir "/usr/local/apache/htdocs/OpenCA/htdocs-secure/crl"

## Mail Section
## ============
##
## The RA Manager program needs to send an e-mail to each user when his
## certificate has been successfully published. Because of this you
## have to configure the sendmail program to use the right server.
## Watch out for mail attacks. Secure yourself.

## Do you want to send mail when certificate is published ?
warnuser yes

## Now let's define the command line for the sendmail with right options
mailcommand             "/usr/lib/sendmail -n -t -di "
mailsendername          "Janus Liebregts"
mailsenderaddress       "[EMAIL PROTECTED]"
basemailfile            "certsMail.txt"

## Archiver Section
## =================
## The $dest and $orig will be replaced by the given values
## in the In/Out section and in the ExportDev/ImportDev keywords.
##
## For UnpackArchive the $orig is taken from the ImportDev
## and the $dest from the TmpCertsDir keyword.
##
## For CreateArchive the $dest is taken from the ExportDev
CreateArchive "/bin/tar cvfp $dest "
UnpackArchive "/bin/tar xvf $orig -C $dest"
TestArchive   "/bin/tar tvf $dest"

## In/Out Section
## ==============
##
## ExportDev and ImportDev are the files used to export and/or
## import archives of Certification Requests and Issued Certificates
## (a device such as /dev/fd0 on Linux can be used as well; on
## Solaris, if you want to avoid disabling the volume manager, use
## PreIOExec and PostIOExec with a sequence of volcheck/mount/etc...)
ImportDev "/tmp/openca-outca.tar"
ExportDev "/tmp/openca-inca.tar"
#ImportDev "/dev/floppy"
#ExportDev "/dev/floppy"

## Commands to be executed before and/or after the importing process
## or exporting process. You can omit these lines; if they are not
## present they will be ignored.
## You can use these keywords to simply run a 'volcheck -v' or
## 'eject floppy' on Sun to easily manage these operations. Please
## take note that you'll need to use a block device, such as
## /vol/dev/rdsk/...  *Currently not implemented*
## PreIOExec ""
## PostIOExec ""

## If you need a backup copy
ExportBackup "/usr/local/RAServer/Backup"


##
## Revocation Requests Section
## ---------------------------

## Revocation Requests Dir
RevReqDir "/usr/local/RAServer/crl/pending"

## revreq Section
AppRevSuccessPage "messages/apprevreq_success.html"
AppRevErrorPage "messages/apprevreq_error.html"
VerifyPath "/usr/local/ssl/bin/verify"

## viewCrl Section
## ImportCRLDev "/tmp/openca-crl.tar"
crlfile "/usr/local/RAServer/crl/cacrl.pem"
viewCrlPage "sheets/viewcrl.html"
RevReqDir "/usr/local/RAServer/crl/pending"
RevPendform "forms/revpend.form"

#Added by Janus Liebregts for SCEP pkiclient
CACert "/usr/local/RAServer/cacert.der"
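The attached configuration is handed to the test script as `key value` lines with `$dest` and `$orig` placeholders that end up in tar command lines. As an added example (not the poster's script, whose real parsing rules are not on the page), here is a reader for that format and a placeholder expander; the format rules it assumes are the ones visible in the file above (one key per line, values optionally double-quoted, `#` lines ignored, the `$dest`/`$orig` sources described in the Archiver comment), and the sample excerpt is constructed in that format. The expander returns an argv list rather than a shell string, so a value containing spaces or shell metacharacters stays one argument; `naive_shell_words` shows how many tokens a shell would see if the substituted string were passed to it instead.

```python
"""Read the pkiclient configuration format and expand the archive commands.

Assumed format (as in the attached file): one `key value` per line, values
optionally double-quoted, lines starting with `#` ignored, and `$dest`/`$orig`
placeholders in the CreateArchive/UnpackArchive/TestArchive values.
"""
import shlex

# Constructed excerpt in the format of the attached configuration file.
SAMPLE_CONFIG = """\
## Archiver Section
CreateArchive "/bin/tar cvfp $dest "
UnpackArchive "/bin/tar xvf $orig -C $dest"
TestArchive   "/bin/tar tvf $dest"

## In/Out Section
ImportDev "/tmp/openca-outca.tar"
ExportDev "/tmp/openca-inca.tar"
#ImportDev "/dev/floppy"
tmpcertsdir "/tmp"
ldapport 389
basedn "o=GigaCorp, c=nl"
"""

PLACEHOLDERS = ("dest", "orig")


def parse_config(text):
    """Return {key: value}; a repeated key keeps the last value."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value'")
        key, value = parts
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                raise ValueError(f"line {lineno}: unterminated quoted value")
            value = value[1:-1]           # keep inner spaces exactly as written
        conf[key] = value
    return conf


def expand_command(template, **values):
    """Split the template like a shell would, then substitute placeholders
    inside each word.  Substituted text is never re-split, so the result is
    safe to pass to subprocess.run(argv) without a shell."""
    argv = []
    for word in shlex.split(template):
        for name in PLACEHOLDERS:
            marker = "$" + name
            if marker in word:
                if name not in values:
                    raise KeyError(f"template needs {marker} but no value was given")
                word = word.replace(marker, values[name])
        argv.append(word)
    return argv


def naive_shell_words(template, **values):
    """What a shell would see if the placeholders were substituted into the
    string first and the whole string handed to it: the value gets re-split."""
    text = template
    for name, val in values.items():
        text = text.replace("$" + name, val)
    return shlex.split(text)


def archive_commands(conf):
    """Build the three tar invocations following the Archiver comment in the
    file: UnpackArchive takes $orig from ImportDev and $dest from tmpcertsdir;
    CreateArchive and TestArchive take $dest from ExportDev."""
    return {
        "create": expand_command(conf["CreateArchive"], dest=conf["ExportDev"]),
        "test": expand_command(conf["TestArchive"], dest=conf["ExportDev"]),
        "unpack": expand_command(conf["UnpackArchive"],
                                 orig=conf["ImportDev"], dest=conf["tmpcertsdir"]),
    }
```

With the constructed excerpt, `archive_commands(parse_config(SAMPLE_CONFIG))["unpack"]` is `['/bin/tar', 'xvf', '/tmp/openca-outca.tar', '-C', '/tmp']`, ready for `subprocess.run` with no shell involved. A destination such as `/tmp/out dir/x.tar; rm -rf /` stays a single argv element in `expand_command`, whereas `naive_shell_words` splits it into seven tokens, which is why the argv form is the one to use when these values come from a configuration file or a request.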

