Hi, on the OpenCA mailing list there have been several discussions about compatibility between Netscreen and OpenCA's SCEP server. Just as a summary for people who want to get this going I'd like to summarize my findings.
When trying to enroll a Netscreen 5GT (ScreenOS 5.3) we had a similar problem to the ones already mentioned on the list:

## 2006-06-28 12:09:03 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c line=670
## 2006-06-28 12:09:03 : PKI: The device cannot decrypt SCEP data in outer PKCS7 envelope.

The reason seems to be that OpenCA SCEP sends 3DES encrypted SCEP messages, which ScreenOS cannot handle properly. When I modified the SCEP server to use only DES it worked without problems. The SCEP draft specifies that DES should be used, so Netscreen is technically correct (but essentially being a smart alec) in rejecting 3DES.

Currently the OpenCA SCEP server does not support setting the encryption algorithm explicitly, but there is a (very dirty) workaround: In scep.conf.template add "-des" to the scepPath variable, e.g.

scepPath "/usr/local/bin/openca-scep -des"

Don't forget to rerun configure_etc. Note that this is a hack but should work properly until a corrected version is published.

cu
Martin

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users