I know I'm asking for a lot of help lately. My intention is to help write some docs and a blog post once I get this all sorted. I hope that's a good way to help :)
I'm going back to basics. Simple question this time: what's the best way to re-cert and re-key my SCEP? I've tried:

0. echo $BASE
   /usr/local/etc/openxpki/ssl/dzsec/   #All files owned by openxpki and relative to $BASE
1. creating a new CSR with the new key usage flags & a new key.pem
2. creating a new cert signed by my CA from the key and CSR
3. removing the old alias for scep-1
4. removing the old key from sys.crypto.keys
5. adding a new alias with:
   openxpkiadm alias --realm dzsec --token scep --file ca-one-scep-7.crt --key scep7.pem
6. adding a new datapool key with:
   openxpkicli set_data_pool_entry --arg namespace=scep.cache.getca --arg key="generic:scep-1:ca-signer-1" --arg value="" --arg force=1 --authstack DZsec_Operator --authuser <user> --authpass <randomlongpass>
7. openxpkicli set_data_pool_entry --arg namespace=scep.cache.getca --arg key="generic:scep-1:ca-signer-1" --arg value="" --arg force=1 --authstack DZsec_Operator --authuser <user> --authpass <randomlongpass>
8. openxpkiadm alias --realm dzsec
   === functional token ===
   scep (scep):
   Alias     : scep-1
   Identifier: A RANDOM ID
   NotBefore : 2021-06-28 02:47:16
   NotAfter  : 2023-01-14 02:47:16
9. service restart
10. system reboot

Wondering if I re-certed/re-keyed incorrectly.

Thanks Oliver and team!!!

-N

On Sun, Jun 27, 2021 at 1:55 AM, Oliver Welter <[email protected]> wrote:
> Hi Nick,
>
> a valid SCEP message has a PKCS10 formatted CSR that is wrapped in two PKCS7 containers, one encrypted with the certificate of the SCEP server and one signed by the client. Most MDMs allow to import a so called "on behalf" certificate/key for signing which can then be used on the RA to validate the origin of the request. We saw in several MDM projects that the MDM server just creates a certificate "on the fly" for this signature which looks like the cert you have posted below.
>
> > LibSCEP.xs:1197: scep_unwrap failed
>
> Does very likely mean that the SCEP server was not able to unwrap the encrypted container. OpenXPKI always sends the to-be-used RA certificate as first item in the GetCA response and most clients use this. We have also seen clients that take the "wrong" certificate from the list, usually the CA signer certificate. The best way to track this down is to capture the PKCS7 data sent and use "openssl asn1parse" to see what's in there. You can find the PKCS7 in the apache log file as the value of the "message" parameter in the query string or in the scep.log file of OpenXPKI with loglevel DEBUG.
>
> Oliver
>
> On 27.06.21 at 02:49, Nick Dawson wrote:
>
> The more I look at this log:
>
> LibSCEP.xs:1197: scep_unwrap failed
> 34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ
> [pid=54863|sid=rnuS]
>
> and compare it to the SCEP request:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
>         Validity
>             Not Before: Jun 27 00:40:50 2021 GMT
>             Not After : Jun 27 00:40:50 2022 GMT
>         Subject: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     REDACTED
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication
>
> the more I wonder:
>
> - is Apple not sending an X509 name and info segment? I see the subject name for the issuing CSR, but not the cert itself.
>
>
> On Sat, Jun 26, 2021 at 6:35 PM, Nick Dawson <[email protected]> wrote:
>
> Happy to post my mobileconfig file (below).
>
> My environment is in production…. Guess it shows my naiveté (which I'm sure is obvious, although I'm learning quite a lot here lately!), I know posting certs is, in theory, safe (with the keys being safely held). Is there anything I should be careful to redact from the OpenXPKI files besides secrets?
>
> Mobileconfig:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>   <key>PayloadContent</key>
>   <array>
>     <dict>
>       <key>PayloadContent</key>
>       <dict>
>         <key>CAFingerprint</key>
>         <data>
>         REDACTED
>         </data>
>         <key>Challenge</key>
>         <string>REDACTED</string>
>         <key>Key Type</key>
>         <string>RSA</string>
>         <key>Key Usage</key>
>         <integer>5</integer>
>         <key>Keysize</key>
>         <integer>2048</integer>
>         <key>Name</key>
>         <string>scep4</string>   #my active SCEP cert name
>         <key>Retries</key>
>         <integer>3</integer>
>         <key>RetryDelay</key>
>         <integer>10</integer>
>         <key>Subject</key>
>         <array>
>           <array>
>             <array>   #THIS AREA LOOKS PROBLEMATIC, ALSO TRIED /notation
>               <string>CN</string>
>               <string>MyDeviceName,DC</string>
>             </array>
>           </array>
>           <array>
>             <array>
>               <string>DZSEC,DC</string>
>               <string>NET</string>
>             </array>
>           </array>
>         </array>
>         <key>URL</key>
>         <string>http://scep.dzsec.net/scep/</string>
>       </dict>
>       <key>PayloadDescription</key>
>       <string>Configures SCEP settings</string>
>       <key>PayloadDisplayName</key>
>       <string>SCEP</string>
>       <key>PayloadIdentifier</key>
>       <string>com.apple.security.scep.1959D1B9-6DD9-4C56-9B5F-65ED4494853D</string>
>       <key>PayloadType</key>
>       <string>com.apple.security.scep</string>
>       <key>PayloadUUID</key>
>       <string>1959D1B9-6DD9-4C56-9B5F-REDACTED</string>
>       <key>PayloadVersion</key>
>       <integer>1</integer>
>     </dict>
>   </array>
>   <key>PayloadDescription</key>
>   <string>this is a test of the DZsec SCEP deployment</string>
>   <key>PayloadDisplayName</key>
>   <string>scep test</string>
>   <key>PayloadIdentifier</key>
>   <string>MyHostName.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2</string>
>   <key>PayloadOrganization</key>
>   <string>DZsec</string>
>   <key>PayloadRemovalDisallowed</key>
>   <false/>
>   <key>PayloadType</key>
>   <string>Configuration</string>
>   <key>PayloadUUID</key>
>   <string>F1949DEA-FF3E-4EA2-8BFC-7D3EBAA31BB2</string>
>   <key>PayloadVersion</key>
>   <integer>1</integer>
> </dict>
> </plist>
>
>
> On Tue, Jun 22, 2021 at 2:50 PM, Michal Moravec <michal.moravec@logicworks.cz> wrote:
>
> Could you post your mobileconfig file, all CA certificates currently in use and your OpenXPKI configuration?
>
> MM
>
>
> On 22. 6. 2021, at 22:37, Nick Dawson <[email protected]> wrote:
>
> Thanks! That helped and I learned a lot about the datapool and keys.
>
> update:
> Success with SSCEP. It worked. Apple devices now fail with an invalid CSR error.
>
> sscep:
>
> Apple devices:
> openxpki.log
>
> 2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:238: Not valid CSR after decrpytion
> LibSCEP.xs:1197: scep_unwrap failed
> 34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO
> 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ
> [pid=57435|sid=aCoa]
>
> I captured the CSR in scep.log and decoded it:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>         Validity
>             Not Before: Jun 22 20:18:47 2021 GMT
>             Not After : Jun 22 20:18:47 2022 GMT
>         Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     Truncated
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication
>     Signature Algorithm: sha256WithRSAEncryption
>         Truncated
> -----BEGIN CERTIFICATE-----
> Truncated
> -----END CERTIFICATE-----
>
> My rules in generic.yaml
>
> workflow:
>     type: certificate_enroll
>     param:
>         # key: name in workflow context, value: parameter from scep wrapper
>         # server and interface are always set, the mapping below is
>         # the default set that is used when no map is given
>         transaction_id: transaction_id
>         signer_cert: signer_cert
>         pkcs10: pkcs10
>         _url_params: url_params
>         #_pkcs7: pkcs7
>
> authorized_signer:
>     rule1:
>         # Full DN
>         #subject: CN=.+:pkiclient,.*
>         subject: .*,CN=US
>     rule2:
>         # Full DN
>         subject: CN=my.scep.enroller.com:generic,.*
>     rule3:
>         #Attempt match on Apple CSRs
>         subject: CN=MDM.+.*
> policy:
>
>     allow_man_authen: 1
>     allow_anon_enroll: 0
>     allow_man_approv: 1
>     allow_eligibility_recheck: 0
>     approval_points: 0
>     max_active_certs: 1
>     auto_revoke_existing_certs: 1
>     allow_replace: 1
>
>
> On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:
>
> Hi Nick,
>
> On 22.06.21 at 03:08, Nick Dawson wrote:
>
> If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log looks like it can interpret the request
>
> Openxpki.log:
>
> ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
> 34370961408:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
> 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
> message_static_functions.c:221: decryption failed
> LibSCEP.xs:1197: scep_unwrap failed
>
> this sounds as if you have now finally broken your SCEP setup - if you really ignored the SQL errors (and have created a new key) then your Cert and Key do not match so you get a crypto error. All logs you have shown are far away from an enrollment request where we have to work around the "signer cert" problem.
>
> I suggest you just create a new token (key and cert) and import it again, this should create a new SCEP Token alias with a new generation number. Make sure your DataVault token is operational before you try loading the key!
>
> Oliver
>
> --
> Protect your environment - close windows and adopt a penguin!
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
> --
> Protect your environment - close windows and adopt a penguin!
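Oliver's suggestion in the quoted thread is to pull the PKCS7 out of the "message" query parameter in the apache log and inspect it with "openssl asn1parse". The following is an added example, not code from the thread or from OpenXPKI: it extracts and decodes that parameter from a constructed Apache log line and checks that the outer ContentInfo is PKCS#7 signedData (OID 1.2.840.113549.1.7.2), the layer a PKIOperation must start with. The log-line format and the sample DER blob are constructed assumptions.

```python
"""Pull the SCEP PKIOperation PKCS#7 out of an Apache access-log line and
check its outer structure.  Assumes a GET-based PKIOperation whose body is
the 'message' query parameter and a log line in Apache's common format."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_pkcs7(log_line):
    """Return the raw DER PKCS#7 carried in the 'message' query parameter."""
    m = re.search(r'"GET (\S+) HTTP/', log_line)
    if not m:
        raise ValueError("no GET request in log line")
    qs = parse_qs(urlsplit(m.group(1)).query)     # also URL-decodes the value
    if qs.get("operation") != ["PKIOperation"] or "message" not in qs:
        raise ValueError("not a PKIOperation request")
    return base64.b64decode(qs["message"][0])

def content_type(der):
    """Return the contentType OID (raw bytes) of a PKCS#7 ContentInfo, or None.
    A SCEP PKIOperation message must be signedData at the outer layer."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:                        # ContentInfo ::= SEQUENCE { ... }
        return None
    oid_tag, oid, _ = read_tlv(body)
    return oid if oid_tag == 0x06 else None

# Constructed sample (not from the thread): a minimal signedData ContentInfo
# with empty content, base64'd and URL-encoded the way a SCEP client sends it.
SAMPLE_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_LOG = ('192.0.2.10 - - [22/Jun/2021:14:28:46 -0400] "GET /scep/?operation=PKIOperation&message='
              + quote(base64.b64encode(SAMPLE_DER).decode()) + ' HTTP/1.1" 200 512')

if __name__ == "__main__":
    der = extract_pkcs7(SAMPLE_LOG)
    ok = content_type(der) == SIGNED_DATA_OID
    print("outer layer is PKCS#7 signedData" if ok else "unexpected outer content type")
```

Writing the bytes returned by extract_pkcs7() to a file and running "openssl asn1parse -inform DER -i -in <file>" on it gives the full structure Oliver refers to, including which recipient certificate the enveloped inner layer was encrypted to.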
