Hello Ana,

> ~# sscep enroll -u http://$MYIP:8080/scep/scep -k tmp/scep-test.key -r tmp/scep-test.csr -c ca.crt-1 -l tmp/scep-test.crt -t 10 -n 1 -v
You must encrypt the request using the SCEP RA certificate - this should be ca.crt-0. Can you please check and rerun this command? If this does not succeed, check if the SCEP RA key is available by running "openxpkicli get_token_info --realm democa --arg alias=scep-1".

Oliver

On 27.08.20 at 14:37, Ana Peric wrote:
> Hi openxpki team,
>
> I hope someone could help me as at this point even google can't :).
> Having issues running sscep enroll with sscep version 0.7.1 (the latest)
> and openxpki 3.6.1.
>
> 1. sscep getca request works properly (gets ca.crt-1 and ca.crt-0).
>    ca.crt-1 is the signing CA for the democa realm.
> 2. sscep enroll does not and fails with: "SCEP Response was empty"
>    (response 500 from the server) and "ERROR LibSCEP.xs:339: Reading
>    private key failed"
> 3. Using web portal signing of certificates (TLS/sub-ca/ or any
>    profile) works without any issues; SCEP does not work.
>
> The same happens when we try to enroll using an already signed cert and
> key (enrolled using web) whose CN matches the rules inside the scep
> profile / authorized_signer section.
>
> ~# sscep enroll -u http://$MYIP:8080/scep/scep -k tmp/scep-test.key -r tmp/scep-test.csr -c ca.crt-1 -l tmp/scep-test.crt -t 10 -n 1 -v
>
> sscep: starting sscep, version 0.7.ipv6.1
> sscep: new transaction
> sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> sscep: hostname: $MYIP
> sscep: directory: scep/scep
> sscep: port: 8080
> sscep: Read request with transaction id: 444F1BA8C5262E5F5E8424AC850A388B
> sscep: generating selfsigned certificate
> sscep: SCEP_OPERATION_ENROLL
> sscep: sending certificate request
> sscep: creating inner PKCS#7
> sscep: inner PKCS#7 in mem BIO
> sscep: request data dump
> -----BEGIN CERTIFICATE REQUEST-----
> SNIP
> -----END CERTIFICATE REQUEST-----
> sscep: data payload size: 692 bytes
> sscep: successfully encrypted payload
> sscep: envelope size: 1082 bytes
> sscep: creating outer PKCS#7
> sscep: signature added successfully
> sscep: adding signed attributes
> sscep: adding string attribute transId
> sscep: adding string attribute messageType
> sscep: adding octet attribute senderNonce
> sscep: PKCS#7 data written successfully
> sscep: applying base64 encoding
> sscep: base64 encoded payload size: 3494 bytes
> sscep: server returned status code 500
> sscep: mime_err: HTTP/1.1 500 Internal Server Error
> Date: Thu, 27 Aug 2020 12:07:46 GMT
> Server: Apache/2.4.38 (Debian)
> Connection: close
> Content-Type: text/plain; charset=ISO-8859-1
>
> SCEP Response was empty
> sscep: wrong (or missing) MIME content type
> sscep: error while sending message
>
>
> ### /var/log/openxpki/openxpki.log
>
> At the same time openxpki.log shows:
>
> /var/log/openxpki# tail -f /var/log/openxpki/openxpki.log
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=23413|sid=O29r]
>
> 2020/08/27 12:22:21 ERROR LibSCEP.xs:339: Reading private key failed
>
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=23428|sid=BRLr]
> 2020/08/27 12:22:21 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => LibSCEP.xs:339: Reading private key failed
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=23428|sid=BRLr]
> 2020/08/27 12:22:21 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => LibSCEP.xs:339: Reading private key failed
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=23428|sid=BRLr]
>
>
> ## More detailed Setup description
>
> Running openxpki-docker (OpenXPKI Version: 3.6.1) and trying to make the
> following structure:
>
> The CA/Sub-CA structure is as follows:
>
> - Root CA
>   - realm democa: issuing CA 01
>   - realm: tenant02: issuing CA tenant02
>   - realm: in the future more realms will be created and issuing CAs created
>
> - The first realm / init I did using the sampleconfig.sh.
> - The second realm I did create some of the files manually, but the
>   signing CA is signed by the "Root CA".
>
> In essence the idea is that the root CA signs a signing CA for each realm;
> these represent subordinate CAs.
> Further on, based on the scep profile inside the scep request, one will
> choose a corresponding scep profile (realm/server-name and with that a
> certificate profile to use).
>
> Now this works properly so far:
>
> ### democa realm alias output
>
> ```
> ~# openxpkiadm alias --realm democa
> === functional token ===
> vault (datasafe):
> Alias     : vault-1
> Identifier: 4FB18exc8E2cFnZVKL19yb2UM6Y
> NotBefore : 2020-08-19 17:17:46
> NotAfter  : 2030-08-22 17:17:46
>
> ca-signer (certsign):
> Alias     : ca-signer-2
> Identifier: uMfcGV5v8pLJyqLkt5UscPQk1Gs
> NotBefore : 2020-08-20 13:27:56
> NotAfter  : 2025-07-25 13:27:56
>
> scep (scep):
> Alias     : scep-2
> Identifier: 6MhZl8OPyC2M6XL1LdHCGnyyhNw
> NotBefore : 2020-08-20 14:27:51
> NotAfter  : 2023-12-03 14:27:51
>
> === root ca ===
> current root ca:
> Alias     : root-1
> Identifier: 3JG0DNiOYkWu-wBY72-uLn5uWho
> NotBefore : 2020-08-19 17:17:44
> NotAfter  : 2030-08-22 17:17:44
>
> upcoming root ca:
> not set
> ```
>
> ### tenant02 realm alias output
>
> ```
> # openxpkiadm alias --realm tenant02
> === functional token ===
> ca-signer (certsign):
> Alias     : ca-signer-3
> Identifier: 4w7iVcx9Kc-dUXgM3wUg3o4mRks
> NotBefore : 2020-08-25 11:15:03
> NotAfter  : 2025-08-27 11:15:03
>
> scep (scep):
> Alias     : scep-1
> Identifier: sIL5JDpRRIIWYrm8kxNvlrkaB20
> NotBefore : 2020-08-25 11:15:04
> NotAfter  : 2021-08-25 11:15:04
>
> vault (datasafe):
> Alias     : vault-3
> Identifier: Erri6kfvzgy-T_aDp5RHMwZ_zCI
> NotBefore : 2020-08-25 11:15:03
> NotAfter  : 2030-08-28 11:15:03
>
> === root ca ===
> current root ca:
> Alias     : root-2
> Identifier: 3JG0DNiOYkWu-wBY72-uLn5uWho
> NotBefore : 2020-08-19 17:17:44
> NotAfter  : 2030-08-22 17:17:44
>
> upcoming root ca:
> not set
> ```
>
> ## SCEP implementation
>
> Each of the realms will have the scep profile inside /etc/openxpki/scep
> so we are able to choose the profile based on the SCEP URI
> (http://myserver:8080/scep/mystring), where mystring is the name of the
> config file inside /etc/openxpki/scep (mystring.conf, or default.conf if
> not provided / found).
>
> Based on the servername and realm parameters of the global SCEP
> profile, a corresponding yaml profile is then chosen from the
> /etc/openxpki/config.d/realm/$realmname/scep/ folder.
>
> This seems to work (choosing the profile part only), but enroll still
> fails miserably as stated above.
>
> Thank you & best regards,
> Ana
>
> --
> Ana Perić
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
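Oliver's second suggestion is to check whether the SCEP token's private key is available on the server, and the openxpki.log excerpt quoted in the thread points the same way once the OpenSSL error-queue noise is folded up. The script below is an added example written for this page; it is not part of the thread and not OpenXPKI code. It parses the log layout visible above (raw OpenSSL error-queue lines, then a `[pid=…|sid=…]` marker, then the timestamped OpenXPKI message the queue belongs to), using a constructed, trimmed copy of Ana's excerpt as input, collapses repeated entries and names the failure class. Reading `EVP_DecryptFinal_ex: bad decrypt` under `PEM_read_bio_PrivateKey` as "the server could not decrypt its own passphrase-protected key" is my interpretation of the OpenSSL call chain, not something the thread states.

```python
"""Collapse OpenSSL error-queue noise in openxpki.log into one record per failure.

Added example, not OpenXPKI code. Assumes the log layout seen in the thread:
OpenSSL error-queue lines, a "[pid=..|sid=..]" marker, then the timestamped
OpenXPKI message that the queue belongs to.
"""
import re
from collections import namedtuple

OPENSSL_RE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):$"
)
CONTEXT_RE = re.compile(r"^\[pid=(?P<pid>\d+)\|sid=(?P<sid>[^\]]+)\]$")
APP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<msg>.*)$"
)

# Constructed sample: a trimmed copy of the excerpt posted in the thread.
SAMPLE_LOG = """\
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23413|sid=O29r]
2020/08/27 12:22:21 ERROR LibSCEP.xs:339: Reading private key failed
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23428|sid=BRLr]
2020/08/27 12:22:21 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => LibSCEP.xs:339: Reading private key failed
"""

Failure = namedtuple("Failure", "pid sid ts level message chain")


def parse_log(text):
    """Attach to each OpenXPKI message the OpenSSL error chain printed before it."""
    failures, chain, pid, sid = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OPENSSL_RE.match(line)
        if m:
            chain.append((m["func"], m["reason"]))
            continue
        m = CONTEXT_RE.match(line)
        if m:
            pid, sid = m["pid"], m["sid"]
            continue
        m = APP_RE.match(line)
        if m:
            failures.append(Failure(pid, sid, m["ts"], m["level"], m["msg"], tuple(chain)))
            chain = []  # the queue has been consumed by this message
    return failures


def collapse(chain):
    """Fold consecutive identical entries: ('f', 'r') x7 -> 'f: r (x7)'."""
    folded = []
    for entry in chain:
        if folded and folded[-1][0] == entry:
            folded[-1][1] += 1
        else:
            folded.append([entry, 1])
    return [f"{func}: {reason}" + (f" (x{n})" if n > 1 else "")
            for (func, reason), n in folded]


def diagnose(failure):
    """Name the failure class from the chain (my reading of the OpenSSL call
    chain, not a statement taken from the thread)."""
    funcs = [f for f, _ in failure.chain]
    reasons = [r for _, r in failure.chain]
    if "PEM_read_bio_PrivateKey" in funcs and "bad decrypt" in reasons:
        return ("server-side: its own encrypted private key did not decrypt "
                "(wrong or missing key passphrase, or wrong key file); "
                "check the SCEP token with openxpkicli get_token_info")
    if "Reading private key failed" in failure.message:
        return "server-side: private key could not be loaded; inspect the chain"
    return "no key-load signature; read the chain"


def summarize(text):
    """One multi-line record per failure instead of dozens of raw queue lines."""
    records = []
    for f in parse_log(text):
        records.append(
            f"[pid={f.pid}|sid={f.sid}] {f.ts} {f.level} {f.message}\n"
            f"    openssl: {' -> '.join(collapse(f.chain))}\n"
            f"    verdict: {diagnose(f)}"
        )
    return records


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a real file with `summarize(open("/var/log/openxpki/openxpki.log").read())`; the point is that the verdict is the same for every PKIOperation in the excerpt, which is why the client-side sscep flags cannot fix it on their own and the server's token key needs checking first.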