"We're not in windows" :) :) :)

I'll be delighted to work on some usecases if I ever get this working :)
Thanks for the continued help!

I've updated everything to the latest versions of OpenXPKI and
dependencies.

I thought I'd found a breakthrough hint here:
https://support.apple.com/en-us/HT210176
So I made yet another new scep cert/key with the DNS names in the SAN
field. Still no luck.

I'm starting to think, unless anyone has demonstrated otherwise, that the
way apple handles SCEP is just not compatible.

One other curiosity:
Apple requires an SHA1 or MD5 fingerprint of the SCEP cert. Makes sense.
I've been using sscep getca to see what openxpki is sending and I have been
using the MD5 fingerprint from the SCEP cert from that output. Any reason
that would be an incorrect process? I've also used

openssl x509 -noout -fingerprint -inform pem -in $BASE/ca-one-scep-10.crt -md5

Here's the request, as decoded from the scep.log file (not sure how to
change the log level to debug):

cat request.txt | perl -pe 'use MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' | openssl pkcs7 -inform DER -print_certs -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MDM SCEP SIGNER 5F5F2473-A66C-441A-ACCA-1F1E3FDCEACE, C=US
        Validity
            Not Before: Jun 28 16:48:39 2021 GMT
            Not After : Jun 28 16:48:39 2022 GMT
        Subject: CN=MDM SCEP SIGNER 5F5F2473-A66C-441A-ACCA-1F1E3FDCEACE, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a4:55:34:04:af:d9:5e:17:f2:33:24:f8:cb:5d:
                    66:ab:c3:a3:99:89:3d:a8:88:a9:fb:13:54:3c:60:
                    c0:91:43:58:e2:92:95:a9:77:58:72:ab:6a:8c:ca:
       TRUNCATED
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         3a:23:b4:e8:cf:1f:67:73:b7:3c:b2:6b:63:6f:20:d4:6e:41:
         15:0e:e2:33:23:55:df:51:69:8b:1a:81:05:47:ac:74:fe:d8:
         21:8a:b6:dc:b2:40:ac:3e:8a:41:20:02:32:f7:cb:5d:78:eb:
         48:9a:02:5a:48:5f:c6:27:07:05:15:4e:96:1f:6e:a2:93:73:
   TRUNCATED
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMT0wOwYDVQQDDDRNRE0g
U0NFUCBTSUdORVIgNUY1RjI0NzMtQTY2Qy00NDFBLUFDQ0EtMUYxRTNGRENFQUNF
MQswCQYDVQQGEwJVUzAeFw0yMTA2MjgxNjQ4MzlaFw0yMjA2MjgxNjQ4MzlaMEwx
TRUNCATED
-----END CERTIFICATE-----

Here's some info on the cert encapsulated in that CSR. Apple is clearly
generating their own self-signed certs.

╰─± openssl asn1parse -in ./test.cer
    0:d=0  hl=4 l= 829 cons: SEQUENCE
    4:d=1  hl=4 l= 549 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=2 l=  76 cons: SEQUENCE
   33:d=3  hl=2 l=  61 cons: SET
   35:d=4  hl=2 l=  59 cons: SEQUENCE
   37:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   42:d=5  hl=2 l=  52 prim: UTF8STRING        :MDM SCEP SIGNER 5F5F2473-A66C-441A-ACCA-1F1E3FDCEACE
   96:d=3  hl=2 l=  11 cons: SET
   98:d=4  hl=2 l=   9 cons: SEQUENCE
  100:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  105:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  109:d=2  hl=2 l=  30 cons: SEQUENCE
  111:d=3  hl=2 l=  13 prim: UTCTIME           :210628164839Z
  126:d=3  hl=2 l=  13 prim: UTCTIME           :220628164839Z
  141:d=2  hl=2 l=  76 cons: SEQUENCE
  143:d=3  hl=2 l=  61 cons: SET
  145:d=4  hl=2 l=  59 cons: SEQUENCE
  147:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  152:d=5  hl=2 l=  52 prim: UTF8STRING        :MDM SCEP SIGNER 5F5F2473-A66C-441A-ACCA-1F1E3FDCEACE
  206:d=3  hl=2 l=  11 cons: SET
  208:d=4  hl=2 l=   9 cons: SEQUENCE
  210:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  215:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  219:d=2  hl=4 l= 290 cons: SEQUENCE
  223:d=3  hl=2 l=  13 cons: SEQUENCE
  225:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  236:d=4  hl=2 l=   0 prim: NULL
  238:d=3  hl=4 l= 271 prim: BIT STRING
  513:d=2  hl=2 l=  42 cons: cont [ 3 ]
  515:d=3  hl=2 l=  40 cons: SEQUENCE
  517:d=4  hl=2 l=  14 cons: SEQUENCE
  519:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  524:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  527:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
  533:d=4  hl=2 l=  22 cons: SEQUENCE
  535:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  540:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  543:d=5  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070302
  557:d=1  hl=2 l=  13 cons: SEQUENCE
  559:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  570:d=2  hl=2 l=   0 prim: NULL
  572:d=1  hl=4 l= 257 prim: BIT STRING

Here's the latest config profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>CAFingerprint</key>
        <data>orfN6hoFKeKL+QhW/Ho0Lw==</data>
        <key>Challenge</key>
        <string>longrandompassword</string>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Key Usage</key>
        <integer>5</integer>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Name</key>
        <string>scep10</string>
        <key>Retries</key>
        <integer>3</integer>
        <key>RetryDelay</key>
        <integer>10</integer>
        <key>Subject</key>
        <array>
          <array>
            <array>
              <string>DC</string>
              <string>net</string>
            </array>
          </array>
          <array>
            <array>
              <string>DC</string>
              <string>DZsec</string>
            </array>
          </array>
          <array>
            <array>
              <string>CN</string>
              <string>myhostname</string>
            </array>
          </array>
        </array>
        <key>SubjectAltName</key>
        <dict>
          <key>dNSName</key>
          <string>hostname.dzsec.net</string>
        </dict>
        <key>URL</key>
        <string>http://scep.dzsec.net/scep/</string>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures SCEP settings</string>
      <key>PayloadDisplayName</key>
      <string>SCEP</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.scep.1959D1B9-6DD9-4C56-9B5F-65ED4494853D</string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>1959D1B9-6DD9-4C56-9B5F-65ED4494853D</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>this is a test of the DZsec SCEP deployment</string>
  <key>PayloadDisplayName</key>
  <string>scep test</string>
  <key>PayloadIdentifier</key>
  <string>andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2</string>
  <key>PayloadOrganization</key>
  <string>DZsec</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>2244553C-70BC-461F-8770-FEC967089197</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>



On Sun, Jun 27, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:

> Hi Nick,
>
> Am 28.06.21 um 05:27 schrieb Nick Dawson:
>
> I know I'm asking for a lot of help lately. My intention is to help write
> some docs and a blog post once I get this all sorted. I hope that's a good
> way to help :)
>
> That would be highly appreciated - we can also add a "use case" section on
> our read the docs page if you want to contribute it there....
>
> I'm going back to basics
>
> Simple question this time: what's the best way to re-cert and re-key my
> SCEP?
>
> I've tried:
>
> 0. echo $BASE
> /usr/local/etc/openxpki/ssl/dzsec/
> #All files owned by openxpki and relative to $BASE
>
>    1. creating a new CSR with the new key usage flags & a new key.pem
>    2. creating a new cert signed by my CA from the key and CSR
>    3. removing the old alias for scep-1
>    4. removing the old key from sys.crypto.keys
>    5. adding a new alias with: openxpkiadm alias --realm dzsec --token
>    scep --file ca-one-scep-7.crt --key scep7.pem
>    6. adding a new datapool key with: openxpkicli set_data_pool_entry
>    --arg namespace=scep.cache.getca --arg key="generic:scep-1:ca-signer-1"
>    --arg value="" --arg force=1 --authstack DZsec_Operator --authuser <user>
>    --authpass <randomlongpass>
>    7. openxpkicli set_data_pool_entry --arg namespace=scep.cache.getca
>    --arg key="generic:scep-1:ca-signer-1" --arg value="" --arg force=1
>    --authstack DZsec_Operator --authuser <user> --authpass <randomlongpass>
>    8. openxpkiadm alias --realm dzsec
>
> Looks like this should work but you spend way too much ;)
>
> First - there is no need to remove the old alias and keys, if you run #5
> with the old alias still in place it will use the next free generation
> number, this also makes #6 and #7 obsolete as the new generation number
> will use a new key that is empty (side note, to remove an entry the
> delete_data_pool_item is the more suitable way, but the result is the
> same..). In case you did not remove the "System" stack from your setup you
> can also run those commands without any auth parameters.
>
> === functional token ===
> scep (scep):
>   Alias     : scep-1
>   Identifier: A RANDOM ID
>   NotBefore : 2021-06-28 02:47:16
>   NotAfter  : 2023-01-14 02:47:16
>
>
> 9. service restart
> 10. system reboot
>
> When you rollover to a new generation, a service restart is not required
> and OpenXPKI never requires a system reboot (we are not in Windows...)
>
> Oliver
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
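Added example, not code from this thread and not part of OpenXPKI: a small standard-library Python script that cross-checks the two things the message above is unsure about. It decodes the profile's `CAFingerprint` value back into the colon-hex form that `openssl x509 -fingerprint` prints (its 16-byte length identifies it as an MD5 fingerprint, so it can be compared directly against the `-md5` output of the command in the message), computes MD5 and SHA-1 fingerprints of a PEM certificate in plist `<data>` form, and decodes the KeyUsage and ExtendedKeyUsage hex dumps from the asn1parse listing to confirm that Apple's self-signed signer certificate carries digitalSignature + keyEncipherment (the same combination as Apple's `Key Usage` integer 5) and clientAuth. The hex dumps and the `CAFingerprint` value are copied from the message; `CONSTRUCTED_PEM` is a constructed placeholder, not a real certificate.

```python
# Added example (not from the thread, not OpenXPKI code): cross-check an Apple
# SCEP profile against the CA certificate and the device's signer certificate.
# Standard library only. Hex dumps below are copied from the asn1parse output
# in the message; CONSTRUCTED_PEM is a placeholder, not a real certificate.
import base64
import hashlib

PROFILE_CAFINGERPRINT = "orfN6hoFKeKL+QhW/Ho0Lw=="   # <key>CAFingerprint</key> value
SIGNER_KEY_USAGE_HEX = "030205A0"                   # KeyUsage OCTET STRING contents
SIGNER_EKU_HEX = "300A06082B06010505070302"         # ExtendedKeyUsage OCTET STRING contents
# Constructed placeholder: base64 of the bytes "abc", standing in for real DER.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# RFC 5280 KeyUsage bit names, bit 0 first (DER BIT STRING bits are MSB-first).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
# Apple's SCEP payload "Key Usage" integer: 1 = signing, 4 = encryption, 5 = both.
APPLE_KEY_USAGE = {"digitalSignature": 1, "keyEncipherment": 4}
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; a fingerprint is a hash over the DER bytes."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def colon_hex(digest: bytes) -> str:
    """Format a digest the way `openssl x509 -fingerprint` prints it."""
    return ":".join(f"{b:02X}" for b in digest)


def ca_fingerprints(der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints, as openssl prints them and as plist <data> base64."""
    out = {}
    for name in ("md5", "sha1"):
        digest = hashlib.new(name, der).digest()
        out[name] = {"openssl": colon_hex(digest), "plist": base64.b64encode(digest).decode()}
    return out


def decode_plist_fingerprint(b64: str) -> tuple:
    """Decode a CAFingerprint value; its length says which allowed hash it is."""
    raw = base64.b64decode(b64)
    return {16: "md5", 20: "sha1"}.get(len(raw), "unknown"), colon_hex(raw)


def decode_key_usage(hexdump: str) -> list:
    """Decode a KeyUsage value (DER BIT STRING, short-form length) into bit names."""
    raw = bytes.fromhex(hexdump)
    if raw[0] != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    length, unused = raw[1], raw[2]
    bits = raw[3:2 + length]              # content bytes after the unused-bits octet
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte >= len(bits) or (byte == len(bits) - 1 and bit >= 8 - unused):
            break                         # past the encoded bits / into the padding
        if bits[byte] & (0x80 >> bit):
            names.append(name)
    return names


def apple_key_usage(names: list) -> int:
    """Map X.509 KeyUsage names to the integer the Apple SCEP payload uses."""
    return sum(APPLE_KEY_USAGE.get(n, 0) for n in names)


def decode_oid(content: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER's content bytes."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(hexdump: str) -> list:
    """Decode an ExtendedKeyUsage value (SEQUENCE OF OID, short-form lengths)."""
    raw = bytes.fromhex(hexdump)
    if raw[0] != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    pos, end, purposes = 2, 2 + raw[1], []
    while pos < end:
        if raw[pos] != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        ln = raw[pos + 1]
        oid = decode_oid(raw[pos + 2:pos + 2 + ln])
        purposes.append(EKU_NAMES.get(oid, oid))
        pos += 2 + ln
    return purposes


if __name__ == "__main__":
    algo, fp = decode_plist_fingerprint(PROFILE_CAFINGERPRINT)
    print(f"profile CAFingerprint is {algo}: {fp}")
    print("compare with: openssl x509 -noout -fingerprint -md5 -inform pem -in $BASE/ca-one-scep-10.crt")
    ku = decode_key_usage(SIGNER_KEY_USAGE_HEX)
    print(f"signer KeyUsage {ku} -> Apple 'Key Usage' integer {apple_key_usage(ku)}")
    print("signer EKU:", decode_eku(SIGNER_EKU_HEX))
    print("placeholder cert MD5 for the plist:", ca_fingerprints(pem_to_der(CONSTRUCTED_PEM))["md5"]["plist"])
```

Of the two hashes Apple accepts for `CAFingerprint`, MD5 is the weaker; the value's decoded length (16 bytes MD5, 20 bytes SHA-1) is the quickest way to see which one a profile carries, and the colon-hex output must match the `openssl x509 -fingerprint` line byte for byte. The two DER decoders only handle short-form lengths (under 128 bytes), which is all a KeyUsage or ExtendedKeyUsage extension needs.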