Could you post your mobileconfig file, all CA certificates currently in use and your OpenXPKI configuration?
MM

On 22. 6. 2021, at 22:37, Nick Dawson <[email protected]> wrote:

Thanks! That helped and I learned a lot about the datapool and keys.

update: Success with SSCEP. It worked. Apple devices now fail with an invalid CSR error.

sscep:

Apple devices:

openxpki.log

2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:238: Not valid CSR after decrpytion
LibSCEP.xs:1197: scep_unwrap failed
34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ [pid=57435|sid=aCoa]

I captured the CSR in scep.log and decoded it:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
        Validity
            Not Before: Jun 22 20:18:47 2021 GMT
            Not After : Jun 22 20:18:47 2022 GMT
        Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: Truncated
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
        Truncated
-----BEGIN CERTIFICATE-----
Truncated
-----END CERTIFICATE-----

My rules in generic.yaml:

workflow:
    type: certificate_enroll
    param:
        # key: name in workflow context, value: parameter from scep wrapper
        # server and interface are always set, the mapping below is
        # the default set that is used when no map is given
        transaction_id: transaction_id
        signer_cert: signer_cert
        pkcs10: pkcs10
        _url_params: url_params
        #_pkcs7: pkcs7

authorized_signer:
    rule1:
        # Full DN
        #subject: CN=.+:pkiclient,.*
        subject: .*,CN=US
    rule2:
        # Full DN
        subject: CN=my.scep.enroller.com:generic,.*
    rule3:
        #Attempt match on Apple CSRs
        subject: CN=MDM.+.*

policy:
    allow_man_authen: 1
    allow_anon_enroll: 0
    allow_man_approv: 1
    allow_eligibility_recheck: 0
    approval_points: 0
    max_active_certs: 1
    auto_revoke_existing_certs: 1
    allow_replace: 1

On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:

Hi Nick,

On 22.06.21 at 03:08, Nick Dawson wrote:

If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log looks like it can interpret the request

Openxpki.log:

ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => 34370961408:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
message_static_functions.c:221: decryption failed
LibSCEP.xs:1197: scep_unwrap failed

This sounds as if you have now finally broken your SCEP setup - if you really ignored the SQL errors (and have created a new key), then your cert and key do not match, so you get a crypto error.

All logs you have shown are far away from an enrollment request where we have to work around the "signer cert" problem.

I suggest you just create a new token (key and cert) and import it again; this should create a new SCEP token alias with a new generation number. Make sure your DataVault token is operational before you try loading the key!

Oliver

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
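An added example (not code from the thread or from the OpenXPKI project) that models how the authorized_signer rules quoted above would be evaluated against the Apple signer DN from the decoded certificate, plus a helper that escapes the literal dots in the hostname rule. It assumes each subject pattern is applied as an anchored regex over the RFC 2253 subject string, which is a simplification of OpenXPKI's real matching; the two non-Apple DNs are constructed.

```python
import re

# Constructed copy of the three authorized_signer rules from the generic.yaml
# posted in the thread (pattern strings kept exactly as posted).
RULES = {
    "rule1": r".*,CN=US",
    "rule2": r"CN=my.scep.enroller.com:generic,.*",
    "rule3": r"CN=MDM.+.*",
}

# Signer DN taken from the decoded certificate in the thread, written in
# RFC 2253 form; the other two DNs are constructed for the demonstration.
APPLE_SIGNER = "CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF,C=US"
ENROLLER = "CN=my.scep.enroller.com:generic,O=Example"
LOOKALIKE = "CN=myXscepXenrollerXcom:generic,O=Example"


def matching_rules(subject_dn, rules=RULES):
    """Names of the rules whose subject regex matches the whole DN string.

    Assumption (a simplified model, not OpenXPKI's code): each pattern is
    applied as an anchored regex over the RFC 2253 subject of the signer cert.
    """
    return [name for name, pat in rules.items() if re.fullmatch(pat, subject_dn)]


def is_authorized(subject_dn, rules=RULES):
    """True when at least one rule accepts the signer subject."""
    return bool(matching_rules(subject_dn, rules))


def harden_rules(rules=RULES):
    """Escape literal dots in the patterns: a bare '.' matches any character,
    so 'my.scep.enroller.com' also accepts look-alike names. Dots carrying a
    quantifier ('.*', '.+', '.?') are intended wildcards and are left alone."""
    literal_dot = re.compile(r"(?<!\\)\.(?![*+?])")
    return {name: literal_dot.sub(lambda m: r"\.", pat) for name, pat in rules.items()}


if __name__ == "__main__":
    hardened = harden_rules()
    for dn in (APPLE_SIGNER, ENROLLER, LOOKALIKE):
        print(dn, "->", matching_rules(dn), "hardened:", matching_rules(dn, hardened))
```

As written, rule1 (`.*,CN=US`) can only match a DN that ends in `,CN=US`, so it never matches the Apple signer, whose DN ends in `,C=US`; it is rule3 that accepts it.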
