update:
When I try and re-add the alias/token it tells me that it already exists.
I tried to add the keys and get an SQL error:
Error: Database error: execution of SQL query failed
details:
openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys --arg
key=scep-1 --arg encrypt=1 --filearg
value=/usr/local/etc/openxpki/ssl/dzsec/scep2.pem --authstack
DZsec_Operator --authuser dzsecop --authpass <very long complex pass>
--debug
Log4perl: Seems like no initialization happened. Forgot to call init()?
2021/06/21 16:13:49 [DEBUG] Socketfile: /var/openxpki/openxpki.socket
2021/06/21 16:13:50 [DEBUG] Session id: ru+w9N3S6xGF4iqMjmfNZQ==
2021/06/21 16:13:50 [DEBUG] $VAR1 = {
'PARAMS' => {
'AUTHENTICATION_STACKS' => {
'DZsec_CA' => {
'LABEL' => 'DZsec_CA',
'NAME' => 'DZsec_CA',
'DESCRIPTION' => undef
},
'DZsec_User' => {
'LABEL' => 'DZsec_User',
'NAME' => 'DZsec_User',
'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER'
},
'DZsec_RA' => {
'NAME' => 'DZsec_RA',
'DESCRIPTION' => undef,
'LABEL' => 'DZsec_RA'
},
'_System' => {
'DESCRIPTION' => undef,
'NAME' => '_System',
'LABEL' => '_System'
},
'DZsec_Operator' => {
'LABEL' => 'DZsec_Operator',
'DESCRIPTION' => undef,
'NAME' => 'DZsec_Operator'
}
}
},
'SERVICE_MSG' => 'GET_AUTHENTICATION_STACK'
};
2021/06/21 16:13:50 [DEBUG] $VAR1 = {
'SERVICE_MSG' => 'GET_PASSWD_LOGIN',
'PARAMS' => {
'DESCRIPTION' =>
'I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_PASSWORD',
'NAME' => 'Operator Password'
}
};
2021/06/21 16:13:50 [DEBUG] $VAR1 = {
'SERVICE_MSG' => 'SERVICE_READY'
};
Error: Database error: execution of SQL query failed
On Mon, Jun 21, 2021 at 3:59 PM, Nick Dawson <[email protected]> wrote:
> Thanks gents
> I saw that commit and have been anxious to try to see if adding the
> keyusage bits will help.
>
> Well, now I've broken it further :)
> TL;DR I cannot import the new SCEP cert and key into the datastore.
> 2021/06/21 15:52:51 Initialization failed - message is ERROR
> Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Simple.pm line 310.
>
>
> I started with checking the new stuff in git and adding the following to
> my openssl.cnf
> [ v3_scep_reqexts ]
> subjectKeyIdentifier = hash
> [ v3_scep_extensions ]
> subjectKeyIdentifier = hash
> keyUsage = digitalSignature, keyEncipherment
> basicConstraints = CA:FALSE
> authorityKeyIdentifier = keyid,issuer
>
> Then I removed the existing token
>
> openxpkiadm alias --realm dzsec --remove --alias scep-1
>
> I generated a new CSR for a new SCEP cert
>
> openssl req -verbose -config "openssl.cnf" -reqexts v3_scep_reqexts -batch
> -newkey rsa:2048 -passout pass:<long complex pass> -keyout "scep2.pem"
> -subj "/DC=DZsec/DC=net/CN=scep2" -out "scep.csr"
> Using configuration from openssl.cnf
> Generating a RSA private key
> ...........................................+++++
>
> ..............................................................................................................................................................................+++++
> writing new private key to 'scep2.pem'
> -----
>
> I verified it is using a new subject name, but I don't see the key usage
> flags reflected...
>
> openssl req -text -noout -verify -in ./scep.csr
>
> verify OK
> Certificate Request:
> Data:
> Version: 1 (0x0)
> Subject: DC = DZsec, DC = net, CN = scep2
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (2048 bit)
> Modulus:
>
> Attributes:
> Requested Extensions:
> X509v3 Subject Key Identifier:
>
> I signed the CSR and generated a new cert
>
> openssl ca -in scep.csr -config openssl.cnf -extensions
> v3_scep_extensions -keyfile "$BASE/ca-root-1.pem" -cert
> "$BASE/ca-root-1.crt" -out "$BASE/ca-one-scep-2.crt" -batch -passin
> pass:<long complex pass> -outdir ./
> Using configuration from openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> domainComponent :IA5STRING:'DZsec'
> domainComponent :IA5STRING:'net'
> commonName :ASN.1 12:'scep2'
> Certificate is to be certified until Jan 7 21:52:35 2023 GMT (565 days)
>
> Write out database with 1 new entries
> Data Base Updated
>
> I tried to import into OpenXPKI but it fails. I've verified file
> ownerships and paths.
>
> openxpkiadm alias --realm dzsec --token scep --file
> /usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-2.crt --key
> /usr/local/etc/openxpki/ssl/dzsec/scep2.pem
>
> 2021/06/21 15:52:51 Initialization failed - message is ERROR
> Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Simple.pm line 310.
>
>
>
>
> On Sun, Jun 20, 2021 at 2:11 AM, Oliver Welter <[email protected]> wrote:
>
> Hi Nick,
>
> Michal created a ticket https://github.com/openxpki/openxpki-config/issues/14
> saying that SCEP on Apple expects the proper keyUsage bits set
> which we did not on older sample configs, so might this be the problem in
> your setup, too?
>
> Oliver
>
> Am 18.06.21 um 18:54 schrieb Nick Dawson:
>
> Thanks gents!
> I'm finding some interesting things on different platforms.
>
> Summary: MacOS 11 reports a security error after it retrieves the SCEP and
> CA certs. iOS 14 simply fails. iOS 15 is a little more descriptive: "The
> Registration Authority’s response is invalid", and MacOS 12 fails with the
> same error as MacOS 11.
>
> OpenXPKI SCEP log:
> 2021/06/18 10:51:04 DEB Config for service scep loaded [pid=30304]
> 2021/06/18 10:51:04 INF SCEP handler initialized [pid=30304]
> 2021/06/18 10:51:04 INF Incoming request from 10.15.1.153 with GetCACaps
> [pid=30304]
> 2021/06/18 10:51:04 DEB Response send [pid=30304]
> 2021/06/18 10:51:05 DEB Config for service scep loaded [pid=30306]
> 2021/06/18 10:51:05 INF SCEP handler initialized [pid=30306]
> 2021/06/18 10:51:05 INF Incoming request from 10.15.1.153 with GetCACert
> [pid=30306]
> 2021/06/18 10:51:05 DEB Response send [pid=30306]
>
>
> MacOS:
> default 10:37:47.912045-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] >>>>> Sending HTTP request (GET)
> [SCEP:GetCACert] >>>>>
> default 10:37:48.661191-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] <<<<< Received HTTP response (200)
> [SCEP:GetCACert] <<<<<
> default 10:37:48.661886-0600 CertificateService ProcessGetCACertResponse:
> Content-Type: 'application/x-x509-ca-ra-cert'
> default 10:37:48.661978-0600 CertificateService ProcessGetCACertResponse:
> application/x-x509-ca-ra-cert; err = errSecCertificateCannotOperate
> default 10:37:48.662168-0600 CertificateService ProcessGetCACertResponse:
> CFArrayGetCount(returnedCerts) > 1
> default 10:37:48.662254-0600 CertificateService SortAndSetCACertificates:
> (CFArrayGetCount(returnedCerts) = 3
> default 10:37:48.662409-0600 CertificateService SortAndSetCACertificates:
> use heuristics to determine which is which, namely find the encryption and
> signature certificates
> default 10:37:48.662482-0600 CertificateService SortAndSetCACertificates:
> certs[0]
> default 10:37:48.666002-0600 CertificateService SortAndSetCACertificates:
> certs[1]
> default 10:37:48.666450-0600 CertificateService SortAndSetCACertificates:
> certs[2]
> error 10:37:48.666852-0600 CertificateService ProcessGetCACertResponse:
> session->caCert == NULL
> error 10:37:48.667010-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll]
> Calling SCEPGetCACert. CA Ident: CA One --> <NSOSStatusErrorDomain:-67817>
> error 10:37:48.820130-0600 com.apple.preferences.configurationprofiles.remoteservice [ERROR] Profile installation (scep test
> (andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2:361796F2-11EC-41D8-8F2C-E9648FE4EF1E))
> ( <NSOSStatusErrorDomain:-67817>)
> default 10:37:49.443017-0600 AssetCache Notification user info: {
> ProfileAction = Remove;
> ProfileTypes = (
> "com.apple.security.scep"
> );
> ProfileUUID = "361796F2-11EC-41D8-8F2C-E9648FE4EF1E";
> ProfileUserUID = 1366478549;
> ProfileUsername = ndawson;
> }
> default 10:49:53.207134-0600 Finder Trying to issue sandbox extension for
> /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
> default 10:49:53.207235-0600 Finder Successfully issued sandbox extension
> for /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
>
>
>
> iOS:
>
> error 10:31:21.622518-0600 profiled Cannot retrieve SCEP identity: NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> error 10:31:21.622745-0600 profiled Installation of profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed with error: NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
> "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> Extra info:
> {
> isPrimary = 1;
> }
> error 10:31:21.623296-0600 profiled Profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed to install with
> error: NSError:
> Desc : Profile Failed to Install
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
> "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code : 22003
> Type : MCFatalError
> Extra info:
> {
> isPrimary = 1;
> }
> error 10:31:21.667570-0600 profiled Installation failed. Error: NSError:
> Desc : Profile Installation Failed
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Installation Failed
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : Profile Failed to Install
> Sugg : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code : 4001
> Type : MCFatalError
> ...Underlying error:
> NSError:
> Desc : The profile “scep test” could not be installed.
> Sugg : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code : 1009
> Type : MCFatalError
> Params : (
> "scep test"
> )
> ...Underlying error:
> NSError:
> Desc : The Registration Authority’s response
>
>
>
>
> On Fri, Jun 18, 2021 at 12:46 AM, Michal Moravec <[email protected]> wrote:
>
> Hey Nick,
>
> do you have this problem with iOS or macOS?
>
> I spent a lot of time this year trying to use SCEP directly between Apple
> systems and OpenXPKI.
>
> There are bugs in macOS 11 and earlier preventing this.
> Apple fixed all of the bugs I reported in macOS 12. I’ve tested with the first
> beta and can confirm.
>
> I was unable to persuade the iOS SCEP client to accept CA certificates from
> OpenXPKI.
> The SCEP client bailed out before even trying to request the certificate.
> Apple also stated they fixed this problem but currently I don’t have an iOS
> device to run beta iOS so I can’t test.
>
> Michal Moravec
> Sent from my iPhone
>
> On 17. 6. 2021, at 23:50, Nick Dawson <[email protected]> wrote:
>
>
> hey OpenXPKI friends,
> I've been struggling with SCEP and could use some help. I have SCEP set up
> using the default config. When I use sscep I can get the capabilities and
> get the CA certs. sscep downloads 3 certs (the scep cert, the CA cert, and
> the root cert). I have fullchain set in the config so that seems correct.
>
> On Apple devices, I'm attempting to install a profile. On OpenXPKI, the
> logs show the Apple devices trying to get the CA. The server sends the
> certs. And then the Apple devices fail.
>
> Specifically, Apple devices return: errSecCertificateCannotOperate
> (which is error -67817).
>
> I've tried capturing the exact URL queries from the webserver's access
> logs. When I paste them into a browser, it downloads a file called
> "untitled". When I examine untitled with OpenSSL, I can see that it is a
> PKCS#7 bundle of the three certs.
>
> Could it be as simple as needing a better filename like untitled.p7? And,
> if so, where would I set that in OpenXPKI's config files? I didn't see
> anything in the scep or enrollment files.
>
> Or, might this be a different issue? Does anyone have experience with
> Apple devices and OpenXPKI's SCEP implementation? Any tips or tricks?
>
> thanks!
>
>
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
>
>
>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
>
>
>
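An added pre-flight check for the GetCACert bundle, written for this edit and not part of the thread or of OpenXPKI: it builds a constructed three-certificate bundle (RA cert, issuing CA, root) with and without the keyUsage bits that the v3_scep_extensions section in the thread adds, then applies the rule the macOS log describes (find the signature and encryption certificates) to show why an RA cert carrying only a subjectKeyIdentifier leaves the client with no usable certificate. It assumes the `cryptography` package; the names ca-root-1, ca-one and scep2 mirror the thread, but the keys and certificates are generated on the fly.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

SCEP_RA_KEY_USAGE = x509.KeyUsage(  # keyUsage = digitalSignature, keyEncipherment
    digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False,
    key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)

def _cert(cn, key, issuer_cn, issuer_key, extensions):
    """Sign a minimal cert; extensions go in non-critical, as in the thread's openssl.cnf."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=565)))
    for ext in extensions:
        b = b.add_extension(ext, critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_sample_bundle(ra_has_key_usage):
    """Constructed stand-in for the three-cert GetCACert bundle: RA cert, issuing CA, root."""
    root_key, ca_key, ra_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca_ext = [x509.BasicConstraints(ca=True, path_length=None)]
    root = _cert("ca-root-1", root_key, "ca-root-1", root_key, ca_ext)
    ca = _cert("ca-one", ca_key, "ca-root-1", root_key, ca_ext)
    ra_ext = [x509.SubjectKeyIdentifier.from_public_key(ra_key.public_key())]  # all the CSR carried
    if ra_has_key_usage:
        ra_ext += [SCEP_RA_KEY_USAGE, x509.BasicConstraints(ca=False, path_length=None)]
    return [_cert("scep2", ra_key, "ca-one", ca_key, ra_ext), ca, root]

def check_bundle(certs):
    """Approximate the client's sort: a CA cert plus a non-CA cert whose keyUsage covers both roles."""
    findings, roles = [], {"ca": False, "signer": False, "encrypter": False}
    for cert in certs:
        exts = {e.oid: e.value for e in cert.extensions}
        bc = exts.get(ExtensionOID.BASIC_CONSTRAINTS)
        ku = exts.get(ExtensionOID.KEY_USAGE)
        if bc is not None and bc.ca:
            roles["ca"] = True
        elif ku is None:
            findings.append(f"{cert.subject.rfc4514_string()}: no keyUsage, client cannot classify it")
        else:
            roles["signer"] |= ku.digital_signature
            roles["encrypter"] |= ku.key_encipherment
    findings += [f"no usable {r} certificate in bundle" for r, ok in roles.items() if not ok]
    return (not findings, findings)
```

To run it against a real response, split the PKCS#7 with `openssl pkcs7 -inform DER -print_certs -in untitled`, load each certificate with `x509.load_pem_x509_certificate`, and pass the list to `check_bundle`.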