Hi Michal,

I have tried with Big Sur (11.6) and iPadOS and iOS version 15.1 Public
Beta.

The profile looks like this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>AllowAllAppsAccess</key>
<true/>
<key>CAFingerprint</key>
<data>
/vc/hash=
</data>
<key>Challenge</key>
<string>abc123</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>C</string>
<string>DK</string>
</array>
</array>
<array>
<array>
<string>O</string>
<string>Arendtsen</string>
</array>
</array>
<array>
<array>
<string>CN</string>
<string>%HostName%</string>
</array>
</array>
<array>
<array>
<string>UID</string>
<string>%HostName%</string>
</array>
</array>
</array>
<key>URL</key>
<string>http://ca01.internal.arendtsen.dk/scep/devices</string>
</dict>
<key>PayloadDisplayName</key>
<string>Machine cert</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.4215BC32-F502-4A4A-9231-F840659210FF</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>CFFA083A-FB90-41E7-A77C-0A5DC5B7B457</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP device cert</string>
<key>PayloadIdentifier</key>
<string>dk.arendtsen.05B40876-7162-4AAC-B62A-783AC22E1514</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>ED433394-E66F-45E0-B325-6FA550FB4AFA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

With the response from the server I’d think you are right. It’s something
about the formatting somewhere.

/Martin
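
Added example, not part of the original message and not OpenXPKI or Apple code: the log quoted below fails on Field=object, Type=X509_NAME_ENTRY inside Field=subject, so this Python check lists the attribute types in a SCEP payload's Subject and marks each as a shortcut name, a dotted OID or neither. The shortcut set (C, L, ST, O, OU, CN) is taken from Apple's configuration profile reference and is an assumption here; the sample profile is constructed, and the output does not by itself establish the cause of the error.

```python
import plistlib
import re

# Shortcut names documented for the SCEP "Subject" key (assumption of this
# example); any other attribute type is expected to be a dotted OID.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"^[0-2](\.\d+)+$")

# Constructed sample: a trimmed Subject modelled on the profile above, plus
# one constructed entry using the dotted OID of the userId attribute type.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.security.scep</string>
<key>PayloadContent</key><dict>
<key>Subject</key><array>
<array><array><string>C</string><string>DK</string></array></array>
<array><array><string>CN</string><string>%HostName%</string></array></array>
<array><array><string>UID</string><string>%HostName%</string></array></array>
<array><array><string>0.9.2342.19200300.100.1.1</string><string>x</string></array></array>
</array>
</dict></dict></array>
</dict></plist>"""


def classify(attr_type):
    """Classify one Subject attribute type string."""
    if attr_type in SHORTCUTS:
        return "shortcut"
    if DOTTED_OID.match(attr_type):
        return "dotted-oid"
    return "unrecognised"


def subject_types(profile_bytes):
    """Return [(attribute type, value, class)] for each SCEP payload Subject."""
    profile = plistlib.loads(profile_bytes)
    rows = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        for rdn in payload.get("PayloadContent", {}).get("Subject", []):
            for attr_type, value in rdn:
                rows.append((attr_type, value, classify(attr_type)))
    return rows


if __name__ == "__main__":
    for attr_type, value, kind in subject_types(SAMPLE):
        print(f"{kind:12} {attr_type}={value}")
```

Entries reported as "unrecognised" are the ones to compare against the subject of the CSR the device actually sends.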


On 25 Oct 2021 at 11.24.03, Michal Moravec <[email protected]>
wrote:

> Hey,
>
> which Apple OS are you using in this test?
> Have you ever had a working configuration with any Apple SCEP client
> during your testing?
>
> My guess here is that your problem is not with the "trust" part of OpenXPKI
> configuration but rather with the content of the SCEP message client is
> sending to the server.
> Could you share your (redacted) .mobileconfig file?
>
> Michal Moravec
>
> On 24. 10. 2021, at 20:09, Martin Arendtsen <[email protected]>
> wrote:
>
> Hi
>
> I have been reading on the ML about this problem but I’m not able to fix
> it with the commit (
> https://github.com/openxpki/openxpki-config/commit/802162e6d4ae719c0728ddc392be7f76de1d7815
> )
>
> When trying to retrieve a certificate by SCEP I get this error.
>
> 2021/10/24 19:46:16 openxpki.system.ERROR message_static_functions.c:249:
> Not valid CSR after decrpytion
> LibSCEP.xs:1197: scep_unwrap failed
> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
> Type=X509_NAME_ENTRY
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
> Type=X509_REQ_INFO
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
> Type=X509_REQ
>  [pid=80956|sid=Sonc]
> 2021/10/24 19:46:16 openxpki.system.ERROR
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
> message_static_functions.c:249: Not valid CSR after decrpytion
> LibSCEP.xs:1197: scep_unwrap failed
> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
> Type=X509_NAME_ENTRY
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
> Type=X509_REQ_INFO
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
> Type=X509_REQ
>  [pid=80956|sid=Sonc]
> 2021/10/24 19:46:16 openxpki.system.ERROR Error executing SCEP command
> 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
> message_static_functions.c:249: Not valid CSR after decrpytion
> LibSCEP.xs:1197: scep_unwrap failed
> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
> Type=X509_NAME_ENTRY
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
> Type=X509_REQ_INFO
> 34374492160:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
> Type=X509_REQ
>  [pid=80956|sid=Sonc]
>
> I have added the fix as linked above but it still gives me that error.
> sscep works like a charm.
>
> So I need a hint to what I have missed - any ideas?
>
> Best regards
> Martin Arendtsen
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users