Workspace ONE problem? Check this out:

- https://github.com/openxpki/libscep/pull/5
- https://github.com/openssl/openssl/issues/14927

M

> On 23. 6. 2021, at 14:12, Claas Hilbrecht <[email protected]> wrote:
>
> Hi,
>
> I struggled with this a year ago. You need to change some settings in
> different files to make it work. If time permits I will try later today to
> collect everything I remember.
>
> BTW, if you try this with Workspace ONE it fails since 24.03.2021 because of
> a breaking change made by vmware. I am still trying to figure out what
> exactly has changed.
>
>> Could you post your mobileconfig file, all CA certificates currently in use
>> and your OpenXPKI configuration?
>>
>> MM
>>
>>
>> On 22. 6. 2021, at 22:37, Nick Dawson <[email protected]> wrote:
>>
>> Thanks! That helped and I learned a lot about the datapool and keys.
>>
>> update:
>> Success with SSCEP. It worked. Apple devices now fail with an invalid CSR
>> error.
>>
>> sscep:
>>
>> Apple devices:
>> openxpki.log
>>
>> 2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation':
>> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
>> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
>> message_static_functions.c:238: Not valid CSR after decrpytion
>> LibSCEP.xs:1197: scep_unwrap failed
>> 34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
>> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY
>> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO
>> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ
>> [pid=57435|sid=aCoa]
>>
>> I captured the CSR in scep.log and decoded it:
>>
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 1 (0x1)
>>         Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>>         Validity
>>             Not Before: Jun 22 20:18:47 2021 GMT
>>             Not After : Jun 22 20:18:47 2022 GMT
>>         Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>>                 Modulus:
>>                     Truncated
>>                 Exponent: 65537 (0x10001)
>>         X509v3 extensions:
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Key Encipherment
>>             X509v3 Extended Key Usage: critical
>>                 TLS Web Client Authentication
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Truncated
>> -----BEGIN CERTIFICATE-----
>> Truncated
>> -----END CERTIFICATE-----
>>
>> My rules in generic.yaml
>>
>> workflow:
>>     type: certificate_enroll
>>     param:
>>         # key: name in workflow context, value: parameter from scep wrapper
>>         # server and interface are always set, the mapping below is
>>         # the default set that is used when no map is given
>>         transaction_id: transaction_id
>>         signer_cert: signer_cert
>>         pkcs10: pkcs10
>>         _url_params: url_params
>>         #_pkcs7: pkcs7
>>
>> authorized_signer:
>>     rule1:
>>         # Full DN
>>         #subject: CN=.+:pkiclient,.*
>>         subject: .*,CN=US
>>     rule2:
>>         # Full DN
>>         subject: CN=my.scep.enroller.com:generic,.*
>>     rule3:
>>         #Attempt match on Apple CSRs
>>         subject: CN=MDM.+.*
>>
>> policy:
>>     allow_man_authen: 1
>>     allow_anon_enroll: 0
>>     allow_man_approv: 1
>>     allow_eligibility_recheck: 0
>>     approval_points: 0
>>     max_active_certs: 1
>>     auto_revoke_existing_certs: 1
>>     allow_replace: 1
>>
>>
>> On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:
>>
>> Hi Nick,
>>
>> On 22.06.21 at 03:08, Nick Dawson wrote:
>>
>> If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log looks
>> like it can interpret the request
>>
>> Openxpki.log:
>>
>> ERROR Error executing SCEP command 'PKIOperation':
>> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
>> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
>> 34370961408:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
>> 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
>> message_static_functions.c:221: decryption failed
>> LibSCEP.xs:1197: scep_unwrap failed
>>
>> This sounds as if you have now finally broken your SCEP setup - if you
>> really ignored the SQL errors (and have created a new key) then your cert
>> and key do not match, so you get a crypto error. All logs you have shown are
>> far away from an enrollment request where we have to work around the
>> "signer cert" problem.
>>
>> I suggest you just create a new token (key and cert) and import it again;
>> this should create a new SCEP Token alias with a new generation number. Make
>> sure your DataVault token is operational before you try loading the key!
>>
>> Oliver
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
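The OpenSSL errors in Nick's openxpki.log (c2i_ASN1_OBJECT "invalid object encoding", nested under Field=object of an X509_NAME_ENTRY inside Field=subject of the X509_REQ_INFO) say that the CSR's subject contains an attribute type whose OBJECT IDENTIFIER bytes OpenSSL refuses to decode. The Python below is an added example for this thread, not code from the thread, from OpenXPKI or from libscep: it walks a DER-encoded Name down to each AttributeTypeAndValue and applies the same three OID checks that OpenSSL's c2i_ASN1_OBJECT applies (empty content, continuation bit set on the last octet, a sub-identifier starting with a 0x80 padding octet). The sample Name bytes are constructed here; the thread does not include the actual CSR bytes, so the malformed variant (arc 3 of commonName padded with 0x80) is one illustration of what produces that error, not a statement about what the Apple MDM client sent.

```python
"""Validate every OBJECT IDENTIFIER inside a DER-encoded X.509 Name.

Added example (not OpenXPKI or libscep code).  OpenSSL's c2i_ASN1_OBJECT in
crypto/asn1/a_object.c reports "invalid object encoding" when an OID's content
is empty, when its last octet still has the continuation bit (0x80) set, or
when a sub-identifier begins with a 0x80 padding octet (non-minimal base-128).
decode_oid() applies the same three checks; check_name() walks
Name -> RelativeDistinguishedName (SET) -> AttributeTypeAndValue and reports
which attribute carries the bad OID.  All sample bytes below are constructed.
"""
from __future__ import annotations

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError(f"unsupported or truncated length at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError(f"content runs past end of buffer at offset {pos}")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OID content octets to dotted form with OpenSSL's strictness."""
    if not content:
        raise ValueError("invalid object encoding: empty OID")
    if content[-1] & 0x80:
        raise ValueError("invalid object encoding: last octet has continuation bit set")
    arcs: list[int] = []
    value, at_start = 0, True
    for octet in content:
        if at_start and octet == 0x80:
            raise ValueError("invalid object encoding: sub-identifier padded with 0x80")
        value = (value << 7) | (octet & 0x7F)
        at_start = not (octet & 0x80)
        if at_start:
            arcs.append(value)
            value = 0
    # The first two arcs share one sub-identifier (X.690 8.19.4).
    first = arcs[0]
    if first < 40:
        arcs[0:1] = [0, first]
    elif first < 80:
        arcs[0:1] = [1, first - 40]
    else:
        arcs[0:1] = [2, first - 80]
    return ".".join(str(a) for a in arcs)


def check_name(der: bytes) -> list[str]:
    """One entry per attribute: 'OK <dotted oid>' or 'BAD <reason>'."""
    tag, rdn_sequence, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    findings: list[str] = []
    pos = 0
    while pos < len(rdn_sequence):
        tag, rdn, pos = read_tlv(rdn_sequence, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        spos = 0
        while spos < len(rdn):
            tag, atv, spos = read_tlv(rdn, spos)
            if tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            tag, oid_content, _ = read_tlv(atv, 0)
            if tag != TAG_OID:
                findings.append(f"BAD attribute type tag 0x{tag:02x} is not OBJECT IDENTIFIER")
                continue
            try:
                findings.append("OK " + decode_oid(oid_content))
            except ValueError as exc:
                findings.append("BAD " + str(exc))
    return findings


# --- constructed sample data (not taken from the thread) ---------------------
def tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV; sufficient for the small samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def attribute(oid_content: bytes, value_tag: int, value: bytes) -> bytes:
    """SET { SEQUENCE { OID, value } }, i.e. one single-valued RDN."""
    return tlv(TAG_SET, tlv(TAG_SEQUENCE, tlv(TAG_OID, oid_content) + tlv(value_tag, value)))


CN_OID = bytes([0x55, 0x04, 0x03])               # 2.5.4.3 commonName, minimal encoding
C_OID = bytes([0x55, 0x04, 0x06])                # 2.5.4.6 countryName
PADDED_CN_OID = bytes([0x55, 0x04, 0x80, 0x03])  # same arcs, arc 3 padded with 0x80 (illegal)

GOOD_NAME = tlv(TAG_SEQUENCE, attribute(CN_OID, 0x0C, b"MDM SCEP SIGNER") + attribute(C_OID, 0x13, b"US"))
BAD_NAME = tlv(TAG_SEQUENCE, attribute(PADDED_CN_OID, 0x0C, b"MDM SCEP SIGNER") + attribute(C_OID, 0x13, b"US"))

if __name__ == "__main__":
    for label, name in (("well-formed", GOOD_NAME), ("padded OID", BAD_NAME)):
        print(label, check_name(name))
```

check_name() expects the DER bytes of the Name alone. To look at a real request, dump the captured CSR with `openssl asn1parse -inform DER -in csr.der`, which prints the TLV tree with byte offsets so the subject SEQUENCE can be located (and re-parsed with `-strparse <offset>`), or feed the whole CSR through read_tlv() to descend CertificationRequest -> CertificationRequestInfo -> subject. A rejected name that decodes fine here is then a sign that the problem lies elsewhere in the request, not in the subject OIDs.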
