Re: [openssl-users] Reg : SCEP using OPENSSL
If it fits your needs, you may want to look into using EST (RFC 7030) instead of SCEP. EST is the replacement for SCEP. The SCEP draft was never ratified. The libest open source project implements RFC 7030 and uses OpenSSL. It's available at https://github.com/cisco/libest.

On 03/17/2015 12:01 AM, Sindhu S. (sins) wrote:
> Hi all,
>
> I need guidance in understanding as to how SCEP server can be used integrated with OpenSSL. My understanding is that SCEP can be used to enroll devices then it communicates to Certificate Authority that generate certificates.
>
> Can someone point me in right direction?
>
> Basically I am trying to achieve following: Using SCEP to enroll devices then generate Certificates using CA.
>
> Any reference to opensource SCEP will be helpful… I’m also exploring few opensource SCEP implementation, like openscep, sscep, autosscep.. etc….
>
> Thanks,
> Sindhu

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Reg : SCEP using OPENSSL
Hi all,

I need guidance in understanding as to how SCEP server can be used integrated with OpenSSL. My understanding is that SCEP can be used to enroll devices then it communicates to Certificate Authority that generate certificates.

Can someone point me in right direction?

Basically I am trying to achieve following: Using SCEP to enroll devices then generate Certificates using CA.

Any reference to opensource SCEP will be helpful... I'm also exploring few opensource SCEP implementation, like openscep, sscep, autosscep.. etc

Thanks,
Sindhu
can openssl command line tool be used to create a SCEP cgi?
Hi there

We're looking at introducing Mobile Device Management into our organization and we have a home-built PKI based around openssl command line tools and a bunch of shell scripts. Works well, very bespoke - moving away from it would be a major drama (i.e. changing to a better PKI that had built-in support for SCEP is further down the track)

Anyway, it doesn't support SCEP and I am trying to see if I can implement it myself. I have got a scep client to create a PKCS#7 container submission, upload it to my stub SCEP CGI, and can get interesting details out via

  openssl asn1parse -in scep-request.pem
  openssl pkcs7 -in scep-request.pem -print_certs
  openssl smime -verify -in scep-request.pem -inform pem -CAfile CA-pubkey.pem -noverify

My reading of the SCEP RFC tells me that PKCS#7 file actually contains a PKCS#10 encrypted request, but how do I get that out, convert it back into a normal CSR for openssl ca to sign, then bundle it appropriately up for delivery back to the SCEP client?

Is that even possible with command line tools, or is this exclusively the realm of actual PKI products?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
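The layering asked about above can be walked with the command-line tools. The script below is an added example, not code from the thread or from any project mentioned in it: it builds a constructed request (a CSR enveloped to the CA certificate, then signed by a self-signed device certificate), unpacks it back to a PKCS#10, signs it, and wraps the result. All keys, subjects and file names are constructed, and "openssl x509 -req" stands in for the poster's "openssl ca" setup.

```shell
#!/bin/sh
# Added example. All keys, subjects and file names are constructed.
set -eu

# Stand-in for a client's upload: a PKCS#10 CSR, enveloped to the CA
# certificate, then signed with the device's self-signed certificate.
# (A real SCEP client also adds SCEP-specific signed attributes.)
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-device" \
        -keyout "$d/dev.key" -out "$d/dev.pem" 2>/dev/null
    openssl req -new -key "$d/dev.key" -subj "/CN=constructed-device" \
        -outform DER -out "$d/dev-csr.der"
    openssl smime -encrypt -binary -aes256 -in "$d/dev-csr.der" \
        -outform DER -out "$d/enveloped.der" "$d/ca.pem"
    openssl smime -sign -binary -nodetach -in "$d/enveloped.der" \
        -signer "$d/dev.pem" -inkey "$d/dev.key" \
        -outform DER -out "$d/scep-request.der"
}

unpack_request() {
    d=$1
    # Outer layer (signedData): check the signature and write out the signed
    # content. -noverify skips only the signer's chain check, because the
    # device certificate is self-signed at this point.
    openssl smime -verify -noverify -binary -inform DER \
        -in "$d/scep-request.der" -out "$d/inner.der" 2>/dev/null
    # Inner layer (envelopedData): decrypt with the CA/RA private key.
    openssl smime -decrypt -binary -inform DER -in "$d/inner.der" \
        -recip "$d/ca.pem" -inkey "$d/ca.key" -out "$d/req.der"
    # The plaintext is the DER PKCS#10. Check its self-signature, then
    # convert it to the PEM form the signing tools expect.
    openssl req -in "$d/req.der" -inform DER -verify -noout 2>&1 |
        grep -q "verify OK"
    openssl req -in "$d/req.der" -inform DER -out "$d/req.pem"
}

issue_and_wrap() {
    d=$1
    # "openssl x509 -req" stands in here for the site's "openssl ca" setup.
    openssl x509 -req -in "$d/req.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/issued.pem" 2>/dev/null
    # Certs-only ("degenerate") PKCS#7 that carries the new certificate.
    openssl crl2pkcs7 -nocrl -certfile "$d/issued.pem" \
        -outform DER -out "$d/certs-only.p7b"
    # Envelope it to the device, then sign with the CA key.
    openssl smime -encrypt -binary -aes256 -in "$d/certs-only.p7b" \
        -outform DER -out "$d/reply-env.der" "$d/dev.pem"
    openssl smime -sign -binary -nodetach -in "$d/reply-env.der" \
        -signer "$d/ca.pem" -inkey "$d/ca.key" \
        -outform DER -out "$d/reply.der"
}

issued_subject() {
    openssl x509 -in "$1/issued.pem" -noout -subject
}

work=$(mktemp -d)
make_fixture "$work"
unpack_request "$work"
issue_and_wrap "$work"
issued_subject "$work"
```

The openssl smime and cms commands have no option for adding the SCEP signed attributes (transactionID, messageType, pkiStatus, the nonces), so reply.der has the right nesting but is not a complete SCEP response; that last step needs the library API or a SCEP implementation.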
RE: application/x-x509-ca-ra-cert (SCEP Enrollment)
> From: owner-openssl-us...@openssl.org On Behalf Of Santhosh Kokala
> Sent: Wednesday, 20 February, 2013 19:33
>
> I get this error when I try to convert it to PEM format.
>
> [~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
> unable to load PKCS7 object
> 140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: PKCS7

See below.

> [~]$ openssl asn1parse -in ca_ra_cert.bin -inform der -strparse 0 -out test | less

-strparse 0 -out $file is silly, that just copies the (valid) file you already have. See below.

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: Wednesday, February 20, 2013 3:51 PM
>
> snip
>
> Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64).
>
> snip
>
> openssl pkcs7 -in $file -print_certs
> displays the three certs (each) in PEM, which you can cut apart with any reasonable editor. The two child certs may or may not be useful; the CA cert apparently won't.

Sorry I left it out, but you might have put 2 and 2 together; openssl pkcs7 like asn1parse needs -inform der if the file is DER, which yours is.

> Or less convenient you can use
> openssl asn1parse -in $file -inform der -strparse $offsetpercert -out $derfilepercert
> to get each cert in DER in a file, and then use
> openssl x509 -in $certder -inform der -out $certpem
> to convert each to PEM. With the same results.

For the three certs in your message the -strparse offsets would be 45 1523 2983 .
Re: application/x-x509-ca-ra-cert (SCEP Enrollment)
Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its website:

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

Matthew.

On Wed, Feb 20, 2013 at 07:54:00PM +, Santhosh Kokala wrote:
> Hi All,
>
> I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
>
> Santhosh
application/x-x509-ca-ra-cert (SCEP Enrollment)
Hi All,

I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?

Santhosh

Attachment: ca_ra_cert.bin
RE: application/x-x509-ca-ra-cert (SCEP Enrollment)
> From: owner-openssl-us...@openssl.org On Behalf Of Matthew Hall
> Sent: Wednesday, 20 February, 2013 15:05
>
> Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its website:
>
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64).

> Matthew.
>
> On Wed, Feb 20, 2013 at 07:54:00PM +, Santhosh Kokala wrote:
> > Hi All,
> >
> > I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
> >
> > Santhosh

And to answer the question, it's a trivial PKCS#7, sometimes used to carry only (desired) certs and/or CRLs, and usually indicated by extension .p7b or .p7c.

But it's not a chain; it's *two* end-entity certs, for different RSA keys, one for (particular?) signing and one for (particular?) encryption; then one CA (root) cert whose *name* matches the issuer of the children but SKI (and actual key) doesn't match child AKI, and thus is not the correct CA cert for these children.

  openssl pkcs7 -in $file -print_certs

displays the three certs (each) in PEM, which you can cut apart with any reasonable editor. The two child certs may or may not be useful; the CA cert apparently won't.

Or less convenient you can use

  openssl asn1parse -in $file -inform der -strparse $offsetpercert -out $derfilepercert

to get each cert in DER in a file, and then use

  openssl x509 -in $certder -inform der -out $certpem

to convert each to PEM. With the same results.
Re: application/x-x509-ca-ra-cert (SCEP Enrollment)
On Wed, Feb 20, 2013 at 06:51:12PM -0500, Dave Thompson wrote:
> Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64).

Yeah, that works also. But the output is harder to read than that of dumpasn1.

Matthew.
RE: application/x-x509-ca-ra-cert (SCEP Enrollment)
I get this error when I try to convert it to PEM format.

[~]$ openssl pkcs7 -in ca_ra_cert.bin -print_certs
unable to load PKCS7 object
140065214732104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: PKCS7

[~]$ openssl asn1parse -in ca_ra_cert.bin -inform der -strparse 0 -out test | less
0:d=0 hl=4 l=3936 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT:pkcs7-signedData
15:d=1 hl=4 l=3921 cons: cont [ 0 ]
19:d=2 hl=4 l=3917 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 0 cons: SET
28:d=3 hl=2 l= 11 cons: SEQUENCE
30:d=4 hl=2 l= 9 prim: OBJECT:pkcs7-data
41:d=3 hl=4 l=3893 cons: cont [ 0 ]
45:d=4 hl=4 l=1474 cons: SEQUENCE
49:d=5 hl=4 l=1194 cons: SEQUENCE
53:d=6 hl=2 l= 3 cons: cont [ 0 ]
55:d=7 hl=2 l= 1 prim: INTEGER :02
58:d=6 hl=2 l= 10 prim: INTEGER :610962F6002A
70:d=6 hl=2 l= 13 cons: SEQUENCE
72:d=7 hl=2 l= 9 prim: OBJECT:sha1WithRSAEncryption
83:d=7 hl=2 l= 0 prim: NULL
85:d=6 hl=2 l= 79 cons: SEQUENCE
87:d=7 hl=2 l= 21 cons: SET
89:d=8 hl=2 l= 19 cons: SEQUENCE
91:d=9 hl=2 l= 10 prim: OBJECT:domainComponent
103:d=9 hl=2 l= 5 prim: IA5STRING :local
110:d=7 hl=2 l= 23 cons: SET
112:d=8 hl=2 l= 21 cons: SEQUENCE
114:d=9 hl=2 l= 10 prim: OBJECT:domainComponent
126:d=9 hl=2 l= 7 prim: IA5STRING :southey
135:d=7 hl=2 l= 29 cons: SET
137:d=8 hl=2 l= 27 cons: SEQUENCE
139:d=9 hl=2 l= 3 prim: OBJECT:commonName
144:d=9 hl=2 l= 20 prim: PRINTABLESTRING :southey-DBN-DC-01-CA
166:d=6 hl=2 l= 30 cons: SEQUENCE
168:d=7 hl=2 l= 13 prim: UTCTIME :130103123245Z
183:d=7 hl=2 l= 13 prim: UTCTIME :150103123245Z
198:d=6 hl=3 l= 163 cons: SEQUENCE
201:d=7 hl=2 l= 11 cons: SET
203:d=8 hl=2 l= 9 cons: SEQUENCE
205:d=9 hl=2 l= 3 prim: OBJECT:countryName
210:d=9 hl=2 l= 2 prim: PRINTABLESTRING :ZA
214:d=7 hl=2 l= 21 cons: SET
216:d=8 hl=2 l= 19 cons: SEQUENCE
218:d=9 hl=2 l= 3 prim: OBJECT:stateOrProvinceName
223:d=9 hl=2 l= 12 prim: PRINTABLESTRING :KwazuluNatal
237:d=7 hl=2 l= 15 cons: SET
239:d=8 hl=2 l= 13 cons: SEQUENCE
241:d=9 hl=2 l= 3 prim: OBJECT:localityName
246:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Durban
254:d=7 hl=2 l= 25 cons: SET
256:d=8 hl=2 l= 23 cons: SEQUENCE
258:d=9 hl=2 l= 3 prim: OBJECT:organizationName
263:d=9 hl=2 l= 16 prim: PRINTABLESTRING :Southey Holdings
281:d=7 hl=2 l= 11 cons: SET
283:d=8 hl=2 l= 9 cons: SEQUENCE
285:d=9 hl=2 l= 3 prim: OBJECT:organizationalUnitName
290:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
294:d=7 hl=2 l= 27 cons: SET
296:d=8 hl=2 l= 25 cons: SEQUENCE
298:d=9 hl=2 l= 3 prim: OBJECT:commonName
303:d=9 hl=2 l= 18 prim: PRINTABLESTRING :DBN-DC-01-MSCEP-RA
323:d=7 hl=2 l= 39 cons: SET
325:d=8 hl=2 l= 37 cons: SEQUENCE

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, February 20, 2013 3:51 PM
To: openssl-users@openssl.org
Subject: RE: application/x-x509-ca-ra-cert (SCEP Enrollment)

> From: owner-openssl-us...@openssl.org On Behalf Of Matthew Hall
> Sent: Wednesday, 20 February, 2013 15:05
>
> Use the dumpasn1 utility on it, it's in almost every Linux distro, or from its website:
>
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

Or openssl asn1parse, likely available to anyone asking here even on non-Linux; with -inform der if applicable which it is here (easily determinable with any kind of octal or hex dump or a good guess for anything that doesn't look like base64).

> Matthew.
>
> On Wed, Feb 20, 2013 at 07:54:00PM +, Santhosh Kokala wrote:
> > Hi All,
> >
> > I am unable to identify the certificate format that I received during SCEP enrollment. I am attaching a copy of the cert chain that I received. Can someone please let me know how to convert the above attached certificate to PEM format?
> >
> > Santhosh

And to answer the question, it's a trivial PKCS#7, sometimes used to carry only (desired) certs and/or CRLs, and usually indicated by extension .p7b or .p7c.

But it's not a chain; it's *two* end-entity certs, for different RSA keys, one for (particular?) signing and one for (particular?) encryption; then one CA (root) cert whose *name* matches the issuer of the children but SKI (and actual key) doesn't match child AKI, and thus is not the correct CA cert for these children.

  openssl pkcs7 -in $file -print_certs

displays the three certs (each) in PEM, which you can cut apart with any reasonable editor. The two child certs may or may not be useful; the CA cert apparently won't.

Or less convenient you can use
free SCEP implementation
Hello everyone,

thanks to OpenSSL, I was able to hack up something that looks like an implementation of the simple certificate enrollment protocol SCEP. If you are interested in helping to debug the beast, please have a look at http://openscep.othello.ch. So far, I've been able to compile it on Linux and Solaris. Any feedback welcome.

With kind regards

Andreas Mueller

Dr. Andreas Mueller
Beratung und Entwicklung
Bubental 53, CH - 8852 Altendorf
[EMAIL PROTECTED]
Voice: +41 55 462 1483
Fax/Data: +41 55 462 1485
SCEP Server??
Hi all,

I am trying to implement the SCEP client protocol. I would like to test it against a known server. Can anyone help me where I can find a server with which I can test my client implementation.

Any directions and help is very much appreciated...

Regards
Suram
SCEP?
Anyone have any experience using OpenSSL to do SCEP? (Simple Certificate Enrollment Protocol)

Primarily I'm trying to decode these SCEP messages from a Cisco Box so I can write the proper PERL scripts to respond.

Thanks,
- John Douglass
Re: SCEP?
John,

attached is my experience... and a first test-script.

I would love to see some open source implementation of SCEP and even are willing to provide some funds to get this done...

regards,
Janus Liebregts
SURFnet

John Douglass wrote:
> Anyone have any experience using OpenSSL to do SCEP? (Simple Certificate Enrollment Protocol)
>
> Primarily I'm trying to decode these SCEP messages from a Cisco Box so I can write the proper PERL scripts to respond.
>
> Thanks,
> - John Douglass

Hi Massimiliano,

I am interested in your work as I think could be handy to add it to the Project (obviously if you intend to...).

I'm currently implementing SCEP using OpenCA/OpenSSL and some self-written scripts, which I will post in the OpenCA-project.

I have done some testing with a cisco-router and my scripts. I did manage to get the CA's certificate in the router using these scripts. Now I am trying to process the cisco's certificate request, I did manage to extract the pkcs#10-request from the signed and encrypted blob. I have run into some ASN.1 (OpenSSL)-parsing problems which I have to investigate. After that I have to send back a signed status...

attached is a sample of the script and its configuration file

Don't look at the programming techniques, this is only a working test-script ;-)

to make a SCEP enroll request this url is used by the cisco:

http://testca.surfnet.nl/cgi-bin/pkiclient.exe?operation=PKIOperation&message=[base64-encoded PKCS#7 request]

for SCEP see also: http://www.ietf.org/internet-drafts/draft-nourse-scep-02.txt and http://www.cisco.com/warp/public/cc/cisco/mkt/security/tech/scep_wp.htm

Keep in contact, best regards,
Massimiliano Pala ([EMAIL PROTECTED])

regards,
janus
http://www.sec.nl/persons/janus

pkiclient.exe

## Configuration File for SCEP pkiclient Utility
## (c) 2000 by Janus Liebregts - All Rights Reserved

## LDAP Section:
## =
##
## As this SCEP Manager has the need to interact with ldap server,
## it is important ( for administrative purposes ) you can have
## privileged access to directory.

## LDAP Server Name
ldapserver ldap.gigacorp.nl

## LDAP Port Number ( defaults to 389 )
ldapport 389

## LDAP Maximum number of records returned by a query
ldaplimit 100

## Now the LDAP default base dn
basedn "o=GigaCorp, c=nl"

## Let's define the privileged Account Allowed to Modify the LDAP entries
ldaproot "cn=root, o=GigaCorp, c=nl"
ldappwd "digIDx509v3"

## Let's define some Directory Env
## supposed to find there the bin/, sbin/ directory
ldapbasedir "/usr/local/ldap"

## SSLeay Section
## ==
ssleay "/usr/local/ssl/bin/openssl"
openssl "/usr/local/ssl/bin/openssl"
sslbasedir "/usr/local/ssl"

## General Section
## ===
basedir "/usr/local/apache/htdocs/OpenCA/cgi-secure"
ServerDir "/usr/local/apache/htdocs/htdocs-secure"
pendingreqs "/usr/local/RAServer/reqs/pending/"
pendingbasesheet "sheets/pending_reqs.html"
ViewRequestSheet "sheets/view_req.html"
ApproveRequestSheet "sheets/app_req.html"
approvedreqs "/usr/local/RAServer/reqs
Delivery error re: Re: SCEP?
This message was rejected by the mail hub at The University of Birmingham (bham.ac.uk) because it has an apparently executable attachment "pkiclient.exe".

The email rejected was not delivered to the following recipients: [EMAIL PROTECTED]

Executable attachments are not being accepted at The University of Birmingham because they have been used by recent viruses such as that described in http://www.fsecure.com/v-descs/love.htm and http://vil.nai.com/vil/dispVirus.asp?virus_k=98797

Regrettably, it is possible that some legitimate communications could be refused by this measure and we apologise for any inconvenience caused. If this was a legitimate communication concerning University business please contact [EMAIL PROTECTED] for advice with a full explanation about the nature of the communication.
Re: Delivery error re: Re: SCEP?
Dear firewall,

it's just a perl-script using the .exe extension required by SCEP! open it in your favorite (text)-editor.

regards,
janus

Mail Delivery System wrote:
> This message was rejected by the mail hub at The University of Birmingham (bham.ac.uk) because it has an apparently executable attachment "pkiclient.exe".
>
> The email rejected was not delivered to the following recipients: [EMAIL PROTECTED]
>
> Executable attachments are not being accepted at The University of Birmingham because they have been used by recent viruses such as that described in http://www.fsecure.com/v-descs/love.htm and http://vil.nai.com/vil/dispVirus.asp?virus_k=98797
>
> Regrettably, it is possible that some legitimate communications could be refused by this measure and we apologise for any inconvenience caused. If this was a legitimate communication concerning University business please contact [EMAIL PROTECTED] for advice with a full explanation about the nature of the communication.
Re: Delivery error re: Re: SCEP?
Janus Liebregts wrote:
> it's just a perl-script using the .exe extension required by SCEP!
> open it in your favorite (text)-editor.

1) Don't send executable attachments. Perl scripts are, to the best of my recollection, human readable...

2) The list should definitely filter (to /dev/null) automated virus warnings, along with any other response from non-subscribers.
Re: Delivery error re: Re: SCEP?
The point here is that the CGI called by the Cisco routers is named 'pkiclient.exe', whatever the web server is hosting it. This pkiclient.exe can be a Java app, a Perl script, a VB app, whatever you want. The name *must* be 'pkiclient.exe'.

On Wed, 10 Jan 2001, Michael Sierchio wrote:
> Janus Liebregts wrote:
> > it's just a perl-script using the .exe extension required by SCEP!
> > open it in your favorite (text)-editor.
>
> 1) Don't send executable attachments. Perl scripts are, to the best of my recollection, human readable...
>
> 2) The list should definitely filter (to /dev/null) automated virus warnings, along with any other response from non-subscribers.

--
Erwann ABALEA [EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
--
What we have here is a failure to communicate.
Re: [Q] Dealing with Cisco SCEP (Simple Certificate Enrollment Protocol)
Hi Dave,

any progress on your SCEP- project? I am also planning to implement SCEP using OpenSSL and do not want to re-invent the wheel ;-)

regards,
janus

dave madden wrote:
> Hi. I'm trying to use OpenSSL to create certificates for a Cisco PIX firewall/vpn box. I've been able to download my CA cert to the PIX, and (thanks to Matt Burgoon!) I've extracted the PIX's certificate request from the PKCS7 object it sends when you tell it to acquire a cert. However, the protocol for returning a certificate to the PIX differs somewhat from the way a Cisco router works, so I don't believe Matt's trick of simply typing in the hex-ified certificate will work. In addition, I'd really prefer to put together a cleaner solution with a nice web interface, since I have a bunch of PIXes to set up and none-too-technical people to help me.
>
> So, I need to create several PKCS7 messages, which I will BER-encode and return to the PIX when it submits a request. I've been rooting around in apps/pkcs7.c, but it appears to be exclusively an unpacking tool; I don't understand how to go from a list of stuff I want to pack, to a PKCS7 message containing all the stuff.
>
> Can anyone suggest a useful example to follow, or (even better) a procedure for using the existing tools to interact with the PIX? (The Cisco docs at http://www.cisco.com/warp/public/cc/cisco/mkt/security/tech/scep_wp.htm describe the protocol I hope to implement.)
>
> Thanks,
> d.