Hi Eddy,

the reason for this is just that this functionality is partially missing :( The SCEP code can handle the request but we never implemented the workflow in the backend to fetch the CRL. The main reason for this lacking functionality is that the GetCRL command via SCEP is marked as deprecated and we never saw a use case for this.

If you need it, you can implement the scep_getcrl workflow yourself and deploy this via the workflow engine.

Oli

On 01.12.23 12:08, Eddy BODIN via OpenXPKI-users wrote:

Hello,

For a few days, I've been trying to request the OpenXPKI CRL using the SCEP GetCrl with SSCEP operation but without success ☹.

I used:

  * OpenXPKI Community Edition v3.26.1
  * Sscep version: 0.10.0

1 –

First, I start with getca to retrieve the PKI chain: sscep getca -c pki.crt -u http://192.168.1.91:80/scep -v -d

The script returns:

  * pki.crt-0 : ra-scep certificate
  * pki.crt-1 : Issuing certificate
  * pki.crt-2 : Root certificate

2 –

Next, I tried to enroll my certificate: sscep enroll -u http://192.168.1.91:80/scep -v -d -c pki.crt-0 -k local.key -r local.csr -l local.crt

The script returns a signed certificate:

...

sscep: decrypting inner PKCS#7

sscep: PKCS#7 payload size: 2684 bytes

write_local_cert(): found 2 cert(s)

sscep: found certificate with

  subject: '/C=FR/OU=RnD/CN=20231123-1001'

  issuer: /C=DE/O=OpenXPKI/OU=PKI/CN=OpenXPKI Demo Issuing CA 20230814

request_subject: '/C=FR/OU=RnD/CN=20231123-1001'

Subject of the returned certificate: /C=FR/OU=RnD/CN=20231123-1001

Subject of the request: /C=FR/OU=RnD/CN=20231123-1001

CN's of request and certificate matched!

sscep: certificate written as local.crt

...

3 –

And I continued with getcrl: sscep getcrl -c pki.crt-0 -k local.key -l local.crt -w pki.crl -u http://192.168.1.91:80/scep -v -d

But the getcrl failed with the error:

...

sscep: server response status code: 500, MIME header: text/html

sscep: wrong (or missing) MIME content type

sscep: error while sending message

Maybe I forgot something? Can you help me, please?

Thanks.

Full SSCEP debug

sscep: starting sscep, version 0.10.0

sscep: new transaction

sscep: transaction id: SSCEP transactionId

sscep: hostname: 192.168.1.91

sscep: directory: scep

sscep: port: 80

sscep: SCEP_OPERATION_GETCAPS

sscep: scep request:

GET /scep?operation=GetCACaps HTTP/1.1

Host: 192.168.1.91

Connection: close

sscep: connecting to 192.168.1.91:80

sscep: server response status code: 200, MIME header: text/plain

Renewal

POSTPKIOperation

SHA-512

SHA-384

SHA-256

SHA-224

SHA-1

DES3

AES

sscep: scep caps bitmask: 0x03fb

sscep: requesting crl for serial number 300182766324721378942348060366172347826210546539 and issuer /CN=debian:scep-ra

sscep: SCEP_OPERATION_GETCRL

sscep: requesting crl

sscep: request data dump

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

sscep: data payload size: 51 bytes

sscep: hexdump request payload

303130193117301506035504030c0e64656269616e3a736365702d7261021434ffffff94ffffffa92912ffffff81ffffffb9ffffffe0114b722b1affffffe71e19ffffffd9ffffff8f236b

sscep: hexdump payload 51

sscep: successfully encrypted payload

sscep: envelope size: 666 bytes

sscep: printing PEM fomatted PKCS#7

-----BEGIN PKCS7-----

-----END PKCS7-----

sscep: creating outer PKCS#7

sscep: signature added successfully

sscep: adding signed attributes

sscep: adding string attribute transId

sscep: adding string attribute messageType

sscep: adding octet attribute senderNonce

sscep: PKCS#7 data written successfully

sscep: printing PEM fomatted PKCS#7

-----BEGIN PKCS7-----

-----END PKCS7-----

sscep: payload size: 2809 bytes

sscep: scep request:

POST /scep?operation=PKIOperation HTTP/1.1

Host: 192.168.1.91

Connection: close

Content-Length: 2809

sscep: connecting to 192.168.1.91:80

sscep: server response status code: 500, MIME header: text/html

sscep: wrong (or missing) MIME content type

sscep: error while sending message





_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!
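
For reading the GetCRL request in the debug log quoted above, here is an added example that is not part of the original messages and not sscep or OpenXPKI code. It assumes the `ffffff` runs in the "hexdump request payload" line are sign-extension artefacts of the dump printing, then decodes the DER issuer-and-serial structure by hand; the function names are hypothetical.

```python
# Added example: decode the GetCRL payload hexdump from the sscep debug log.
HEXDUMP = (  # copied from the "hexdump request payload" line of the quoted log
    "303130193117301506035504030c0e64656269616e3a736365702d7261"
    "021434ffffff94ffffffa92912ffffff81ffffffb9ffffffe0114b722b1a"
    "ffffffe71e19ffffffd9ffffff8f236b"
)
OID_NAMES = {"550403": "CN"}  # DER content bytes of OID 2.5.4.3 (commonName)


def undo_sign_extension(hexdump):
    """Assumption: 'ffffff' before a byte >= 0x80 is a printing artefact."""
    out, i = bytearray(), 0
    while i < len(hexdump):
        if hexdump.startswith("ffffff", i) and hexdump[i + 6:i + 7] in tuple("89abcdef"):
            i += 6
        out.append(int(hexdump[i:i + 2], 16))
        i += 2
    return bytes(out)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_issuer_and_serial(der):
    """Decode SEQUENCE { issuer Name, serialNumber INTEGER }."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    name_tag, name, pos = read_tlv(body, 0)
    int_tag, serial, pos = read_tlv(body, pos)
    if name_tag != 0x30 or int_tag != 0x02 or pos != len(body):
        raise ValueError("unexpected structure")
    issuer, p = [], 0
    while p < len(name):  # each RDN: SET { SEQUENCE { OID, value } }
        _, rdn, p = read_tlv(name, p)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, q = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, q)
        issuer.append((OID_NAMES.get(oid.hex(), oid.hex()), value.decode("utf-8")))
    return issuer, int.from_bytes(serial, "big")
```

The decoded issuer and serial can be compared with the `requesting crl for serial number ... and issuer ...` line in the same log, and the decoded length with the reported `data payload size`.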