[Openca-Users] cannot decrypt SCEP data in outer PKCS7
Paul Charles
2004-09-07 08:01:03 UTC
Hi Everybody,

I am trying to use OpenCA's SCEP interface with Netscreen NS208 boxes. I
am using OpenCA 0.9.2-RC6 and ScreenOS 5.0.0r8.0.

The CSR is correctly generated and received by the OpenCA server.
However after the request is approved and the certificate issued the
Netscreen box does not retrieve the certificate.

The first error was an incorrect 'Content-type' response from the SCEP
interface. The file /opt/OpenCA/lib/servers/scep/cmds/scepPKIOperation
was sending : "Content-type: x-pki-message\n\n" instead of
"Content-type: application/x-pki-message\n\n".

Now that I have modified this I get the following error:
## 10:10:14 : PKCS7: envoloped.
## 10:10:14 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c
line=670
## 10:10:14 : PKI: The device cannot decrypt SCEP data in outer PKCS7
envelope.

Any idea what could cause this error?

If you want I can send you the complete netscreen debug file.

Many thanks,
Paul.
Michael Bell
2004-09-08 06:11:09 UTC
Hi Paul,
Post by Paul Charles
I am trying to use OpenCA's SCEP interface with Netscreen NS208 boxes. I
am using OpenCA 0.9.2-RC6 and ScreenOS 5.0.0r8.0.
The CSR is correctly generated and received by the OpenCA server.
However after the request is approved and the certificate issued the
Netscreen box does not retrieve the certificate.
The first error was an incorrect 'Content-type' response from the SCEP
interface. The file /opt/OpenCA/lib/servers/scep/cmds/scepPKIOperation
was sending : "Content-type: x-pki-message\n\n" instead of
"Content-type: application/x-pki-message\n\n".
I fixed this in CVS, so the next snapshots and 0.9.2.0 will include the
correct content type. The interesting question is: why do the Cisco boxes
work with a wrong content type?
Post by Paul Charles
## 10:10:14 : PKCS7: envoloped.
## 10:10:14 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c
line=670
## 10:10:14 : PKI: The device cannot decrypt SCEP data in outer PKCS7
envelope.
We had this problem too when we tested the ns208/ns500 series. The problem with
our box was that OpenCA stores the self-signed certificate used by the
SCEP box. This self-signed cert is used by SCEP boxes to sign their
messages, and the SCEP responder uses this cert to encrypt the messages it
sends. This means that after the first request for a certificate has been
sent, this cert should never be changed. The surprising thing is that this
cert/key can change on a NetScreen box. We had this problem when we
requested a cert, patched the box and then tried to download the cert
again. After the patching, the key used by the box had changed!

NetScreen was never able to explain this. Their only comment was not to
patch the box during SCEP handling - but we only found this out through
our own tests.

So it is a good idea to always take a look at the key before doing
something. If the key has changed then you can start from scratch (only the
cert/key stuff).

By the key I mean the following:
Concepts & Examples ScreenOS Reference Guide: Vol 5, VPNs
--> Public Key Cryptography
--> Obtaining a local certificate automatically
--> WebUI
--> after the second step NetScreen Screen 5.0 displays a key and
sometimes this key changes which means that all stuff is lost

Actually I have no NetScreen box to create an appropriate screenshot, so
perhaps you must search a little bit in the web interface to find the
key used for the SCEP communication.

Michael
--
-------------------------------------------------------------------
Michael Bell Email: ***@cms.hu-berlin.de
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre) Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin Email (private): ***@web.de
Germany http://www.openca.org
dalini
2004-09-08 07:16:03 UTC
Post by Michael Bell
I fixed this in CVS. So next snapshots and 0.9.2.0 will include the
correct content type. The interesting question is why do the cisco boxes
work with a wrong content type?
It's not only Cisco working with it...
The reason may be that they just check the rightmost value,
but actually it should deny data with a wrong content type.


greetings
dalini
Paul Charles
2004-09-08 21:06:01 UTC
Hi Michael,

Thanks for the answer. However I do not think it is the same issue you
faced for a couple of reasons:

1) I am issuing the certificate right after the request is received
2) According to the fingerprint the pending certificate has not changed

When you mention a self-signed certificate, what should be the authority
that signs the certificate? According to the NetScreen box the pending
certificate is signed by my CA even though I haven't issued the
certificate yet.

Currently, I have two different certificates on the netscreen box:
1) the CA certificate
2) the SCEP certificate

It seems that the certificate that is used to communicate with the SCEP
interface is the CA certificate. Could that be the issue ?

Here is a more complete log message from the netscreen:

## 23:39:33 : scep_rsp_cmd: p_scep_context = 66648e8
## 23:39:33 : scep_rsp_pkioperation: SCEP_SUCCESS
## 23:39:33 : scep_rsp_pkioperation_success: p_scep_context = 66648e8
<056e4540>
## 23:39:33 : scep_transaction_id: len = 4 72d7f2bc 56946530 e3aecc71
16e1c0dc
## 23:39:33 : X509_new <02082a18>.
## 23:39:33 : PKCS7: envoloped.
## 23:39:33 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c
line=670
## 23:39:33 : PKI: The device cannot decrypt SCEP data in outer PKCS7
envelope.
## 23:39:33 : X509_free <02082a18>.
## 23:39:33 : X509_free:
CN=test,CN=test.atriumnetwork.com,CN=rsa-key,CN=0043112003000176,CN=192.168.10.12,OU=AT Network,O=Atrium Network,L=
## 23:39:33 : X509_free real free.
## 23:39:33 : scep_rsp_pkioperation_success: p_scep_context = 66648e8
<056e4540>
## 23:39:33 : scep_rsp_pkioperation: PKCS7 data is not degenerated
## 23:39:33 : X509_free <0208140c>.

Thanks for your support,
Paul.
Post by Michael Bell
Hi Paul,
Post by Paul Charles
I am trying to use OpenCA's SCEP interface with Netscreen NS208 boxes. I
am using OpenCA 0.9.2-RC6 and ScreenOS 5.0.0r8.0.
The CSR is correctly generated and received by the OpenCA server.
However after the request is approved and the certificate issued the
Netscreen box does not retrieve the certificate.
The first error was an incorrect 'Content-type' response from the SCEP
interface. The file /opt/OpenCA/lib/servers/scep/cmds/scepPKIOperation
was sending : "Content-type: x-pki-message\n\n" instead of
"Content-type: application/x-pki-message\n\n".
I fixed this in CVS. So next snapshots and 0.9.2.0 will include the
correct content type. The interesting question is why do the cisco boxes
work with a wrong content type?
Post by Paul Charles
## 10:10:14 : PKCS7: envoloped.
## 10:10:14 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c
line=670
## 10:10:14 : PKI: The device cannot decrypt SCEP data in outer PKCS7
envelope.
We had this problem too when we tested the ns208/ns500 series. The problem with
our box was that OpenCA stores the self-signed certificate used by the
SCEP box. This self-signed cert is used by SCEP boxes to sign their
messages, and the SCEP responder uses this cert to encrypt the messages it
sends. This means that after the first request for a certificate has been
sent, this cert should never be changed. The surprising thing is that this
cert/key can change on a NetScreen box. We had this problem when we
requested a cert, patched the box and then tried to download the cert
again. After the patching, the key used by the box had changed!
NetScreen was never able to explain this. Their only comment was not to
patch the box during SCEP handling - but we only found this out through
our own tests.
So it is a good idea to always take a look at the key before doing
something. If the key has changed then you can start from scratch (only the
cert/key stuff).
Concepts & Examples ScreenOS Reference Guide: Vol 5, VPNs
--> Public Key Cryptography
--> Obtaining a local certificate automatically
--> WebUI
--> after the second step NetScreen Screen 5.0 displays a key and
sometimes this key changes which means that all stuff is lost
Actually I have no NetScreen box to create an appropriate screenshot, so
perhaps you must search a little bit in the web interface to find the
key used for the SCEP communication.
Michael
Michael Bell
2004-09-09 10:13:13 UTC
Hi Paul,
Post by Paul Charles
When you mention a self signed certificate, what should be the authority
that signs the certificate ?
The certificate itself, therefore it is called self-signed. If you use
SCEP then your client generates a self-signed cert to sign its PKCS#7
container and the SCEP server uses this certificate to encrypt the answers.
Post by Paul Charles
1) the CA certificate
2) the SCEP certificate
This is correct.
Post by Paul Charles
It seems that the certificate that is used to communicate with the SCEP
interface is the CA certificate. Could that be the issue ?
The certificate which is used with the SCEP interface must be the SCEP
certificate (most installation instructions call this certificate
the "RA certificate").
Post by Paul Charles
## 23:39:33 : scep_rsp_cmd: p_scep_context = 66648e8
## 23:39:33 : scep_rsp_pkioperation: SCEP_SUCCESS
## 23:39:33 : scep_rsp_pkioperation_success: p_scep_context = 66648e8
<056e4540>
## 23:39:33 : scep_transaction_id: len = 4 72d7f2bc 56946530 e3aecc71
16e1c0dc
## 23:39:33 : X509_new <02082a18>.
## 23:39:33 : PKCS7: envoloped.
## 23:39:33 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c
line=670
Cool, NetScreen uses OpenSSL :)

lib=33 --> ERR_LIB_PKCS7
func=109 --> PKCS7_F_PKCS7_SET_CONTENT
reason=111 --> PKCS7_R_UNSUPPORTED_CIPHER_TYPE

This means that the OpenSSL on the NetScreen box cannot decrypt the
message because it does not know the cipher used. We use 3DES by
default. Cisco's test equipment cannot handle strong ciphers by default.
Perhaps NetScreen has the same problem (our test equipment had no such
problems).

BTW it is not a good idea to put a phone number into the CN of a request.

Michael

P.S. you can find pk7_doit.c in the OpenSSL source code
(crypto/pkcs7/pk7_doit.c).
--
-------------------------------------------------------------------
Michael Bell Email: ***@cms.hu-berlin.de
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre) Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin Email (private): ***@web.de
Germany http://www.openca.org
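The error-code decoding Michael does by hand above, together with dalini's earlier guess that some clients only compare the rightmost part of the Content-Type, as an added Python example (not code from OpenCA or NetScreen). It assumes the standard SCEP Content-Type values, the ScreenOS log format as quoted in the thread, and constructed sample log lines; only the one error tuple the thread identifies is mapped to names, anything else is reported as unknown.

```python
"""Triage helper for ScreenOS SCEP debug output (added example, not OpenCA or
NetScreen code). It automates two things the thread does by hand: decoding
OpenSSL 'lib= func= reason=' lines into the symbolic names quoted above, and
checking the Content-Type a SCEP responder sent against what a client expects."""
import re

# The one error tuple the thread identifies. Any other tuple is reported as
# unknown rather than guessed (OpenSSL numbering differs between versions).
OPENSSL_NAMES = {
    (33, 109, 111): ("ERR_LIB_PKCS7", "PKCS7_F_PKCS7_SET_CONTENT",
                     "PKCS7_R_UNSUPPORTED_CIPHER_TYPE"),
}

# Content-Type values a SCEP responder sends for GetCACert, GetCACert with an
# RA certificate chain, and PKIOperation respectively.
EXPECTED_CONTENT_TYPES = frozenset({
    "application/x-x509-ca-cert",
    "application/x-x509-ca-ra-cert",
    "application/x-pki-message",
})

ERR_RE = re.compile(r"lib=(\d+) func=(\d+) reason=(\d+) file=(\S+) line=(\d+)")
CT_RE = re.compile(r"contentType=(\S+) contentTypeLen=(\d+)")


def decode_openssl_error(line):
    """Parse an OpenSSL error line into its codes, symbolic names and source
    location; return None for any other line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, func, reason = int(m.group(1)), int(m.group(2)), int(m.group(3))
    names = OPENSSL_NAMES.get((lib, func, reason), ("unknown",) * 3)
    return {"lib": lib, "func": func, "reason": reason, "names": names,
            "file": m.group(4), "line": int(m.group(5))}


def strict_accepts(content_type):
    """What a conforming SCEP client does: require the full MIME type."""
    return content_type in EXPECTED_CONTENT_TYPES


def lenient_accepts(content_type):
    """dalini's guess at why a bare 'x-pki-message' still worked on some
    clients: only the right-most component after '/' is compared."""
    wanted = {ct.rsplit("/", 1)[-1] for ct in EXPECTED_CONTENT_TYPES}
    return content_type.rsplit("/", 1)[-1] in wanted


def resolve_logged_content_type(logged, length):
    """ScreenOS prints the Content-Type one character short of contentTypeLen
    (the thread shows 'application/x-pki-messag' with contentTypeLen=25), so
    match the logged prefix plus the full length; None if no expected type fits."""
    for ct in EXPECTED_CONTENT_TYPES:
        if len(ct) == length and ct.startswith(logged):
            return ct
    return None


def triage(log_text):
    """Walk a debug log; return one finding per error or content-type line."""
    findings = []
    for raw in log_text.splitlines():
        err = decode_openssl_error(raw)
        if err:
            lib_name, func_name, reason_name = err["names"]
            findings.append("OpenSSL error %s/%s/%s at %s:%d" % (
                lib_name, func_name, reason_name, err["file"], err["line"]))
            continue
        m = CT_RE.search(raw)
        if m:
            logged, length = m.group(1), int(m.group(2))
            full = resolve_logged_content_type(logged, length)
            if full is None:
                findings.append("responder sent non-SCEP Content-Type '%s' "
                                "(len %d); a strict client rejects it"
                                % (logged, length))
            else:
                findings.append("Content-Type %s ok" % full)
    return findings


# Constructed sample in the format of the ScreenOS output quoted in the
# thread (the archive wraps the originals across lines; these are unwrapped).
SAMPLE_LOG = """\
## 14:20:53 : Got buf=6e4e62a len=4076 context 2178428 contentType=application/x-pki-messag contentTypeLen=25
## 14:20:53 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c line=670
## 14:20:53 : PKI: The device cannot decrypt SCEP data in outer PKCS7 envelope.
## 12:00:27 : Got buf=6e1bb36 len=2053 context 2179404 contentType=x-pki-messag contentTypeLen=13
## 12:00:27 : SCEP: bad content type <x-pki-message>
"""
```

Running `triage(SAMPLE_LOG)` on the sample gives one "ok" content-type finding, the decoded PKCS7 error, and a flag for the bare `x-pki-message` header that the second trace in the thread rejects.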
Ives Steglich
2005-04-13 14:08:37 UTC
Post by Michael Bell
Post by Paul Charles
When you mention a self signed certificate, what should be the authority
that signs the certificate ?
The certificate itself, therefore it is called self-signed. If you use
SCEP then your client generates a self-signed cert to sign its PKCS#7
container and the SCEP server uses this certificate to encrypt the answers.
Well, it uses the public key from the NetScreen, sent in a self-signed
cert - but I think this isn't our problem actually ;(
Post by Michael Bell
The certificate which is used with the SCEP interface must be the SCEP
certificate (the most installation instructions call this certificate
the "RA certificate").
Right - I don't know if you may be able to set somewhere on the NetScreen
something like: I'm talking to a CA or an RA (like Cisco calls it, if
you communicate directly with the CA or with an intermediary interface,
the RA).
Post by Michael Bell
lib=33 --> ERR_LIB_PKCS7
func=109 --> PKCS7_F_PKCS7_SET_CONTENT
reason=111 --> PKCS7_R_UNSUPPORTED_CIPHER_TYPE
This means that the OpenSSL on the netscreen box cannot decrypt the
message because it does not know the used cipher. We use 3DES by
default. Cisco's testequipment cannot handle strong ciphers by default.
Perhaps NetScreen has the same problem (our testequipment had no such
problems).
But the cipher is described in the standard, it should be supported;
this is strange...

What key sizes are used for the CA/RA keys?
Cisco can only work with up to 2048, maybe NetScreen has a similar
problem... but since it could send the request - I'm not sure about that here...
Post by Michael Bell
P.S. you can find pk7_doit.c in the OpenSSL source code
(crypto/pkcs7/pk7_doit.c).
But it may be difficult to fix it on the NetScreen - or? ;)
if there were a problem...


greetings
dalini
t***@mails.at
2005-04-14 03:47:26 UTC
After a long way, I am now at the same point as Paul.
My sscep client is working, but the NetScreen isn't.
Here is the log from the NetScreen.
This is the response to which command on the NetScreen?
I can't see it? ;)
greetings
dalini
Sorry,

OK, this is the log after retrieving a pending cert (the exact command is "exec pki x509 scep cert (id of cert)"). This command is necessary after issuing the cert on the CA, to get the cert.

Below you can see the corresponding lines retrieving a cert from a Microsoft CA via the NetScreen.

---------------------------------------------------
GET request: len=3150
## 14:39:54 : openHttpConnection: convert the host name 172.16.98.92.
## 14:39:54 : server IP 172.16.98.92
## 14:39:54 : Trying to connect host 172.16.98.92 port 80
## 14:39:54 : Trying to send to socket 543
## 14:39:54 : openHttpConnection: done <0>.
## 14:39:54 : scep_rsp_ca_ra: done, p_scep_context = 2178428
## 14:39:54 : updateCertFile: Update the cert files.
## 14:39:54 : PKI: opened file for write, product<9>.
## 14:40:05 : http socket <543> got data <06e30198> len <2619> byte.
## 14:40:05 : pkiExec: got content <application/x-pki-messag>, data <6e3023d> da
ta len <2454>
## 14:40:05 : pkiExec: in_process = 0
## 14:40:05 : Got buf=6e3023d len=2454 context 2178428 contentType=application/x
-pki-messag contentTypeLen=25
## 14:40:05 : scep_server_rsp: sub command <13>
## 14:40:05 : scep_server_rsp: (SCEP) Got PKI operation response
## 14:40:05 : scep_rsp_pkioperation: p_scep_context = 2178428
## 14:40:05 : scep_rsp_cmd: p_scep_context = 2178428
## 14:40:05 : scep_rsp_pkioperation: SCEP_SUCCESS
## 14:40:05 : scep_rsp_pkioperation_success: p_scep_context = 2178428 <057b9ea0>
## 14:40:05 : scep_transaction_id: len = 4 57b7bd80 38ea0793 45df07fa 8dd9f895
## 14:40:05 : PKI: no FQDN available when requesting certificate.
## 14:40:05 : scep_rsp_pkioperation_success: p_scep_context = 2178428 <057b9ea0>
## 14:40:05 : SCEP received certificate: CN=mscep1,CN=calinux,CN=rsa-key,CN=677,
CN=0029072002000255,CN=172.16.104.6,OU=RD,O=Bintec,ST=Germany,C=DE,
## 14:40:05 : set_obj_attrs: found the RSA/DSA key pair.
## 14:40:05 : NEW local X509 name: CN=mscep1,CN=calinux,CN=rsa-key,CN=677,CN=002
9072002000255,CN=172.16.104.6,OU=RD,O=Bintec,ST=Germany,C=DE,
## 14:40:05 : put_x509_object_to_store->
## 14:40:05 : device id <0000b960>
## 14:40:05 : PKI: X.509 pending certificate has been deleted.
## 14:40:05 : ha_sync_pki_object: op<1> attr<0000f002>
## 14:40:05 : updateCertFile: Update the cert files.
## 14:40:05 : PKI: opened file for write, product<9>.
## 14:40:12 : scep_done: p_scep_context = 2178428
## 14:40:12 : PKI: The SCEP certificate request has been completed successfully.
## 14:40:12 : pki_is_pkcs_ca_cert_ready: success.
-----------------------------------------------------------------------

greetings

timtom
t***@mails.at
2005-04-14 05:23:44 UTC
Hi,

Now I try to use a 2048-bit CA certificate and a 1024-bit RA certificate.

=> Same behaviour as with the 4096-bit CA certificate!

Timtom

Ives Steglich
2005-04-14 06:17:25 UTC
Post by t***@mails.at
Hi,
Now I try to use a 2048-bit CA certificate and a 1024-bit RA certificate.
=> Same behaviour as with the 4096-bit CA certificate!
Hmm, may you try (if you like and can ;) the following test CA:
http://pki.fem.tu-ilmenau.de/operating/004/scep/scep
(as the SCEP RA for your NetScreen)

I just want to see in more detail what's going on
and how the request looks and so on...

And I want to make sure there are no configuration problems or something...

since this system runs at least with Cisco routers


thx



greetings
dalini
Ives Steglich
2005-04-14 06:28:39 UTC
Post by Ives Steglich
http://pki.fem.tu-ilmenau.de/operating/004/scep/scep
sorry - it should be:
http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/scep

greetings
dalini
t***@mails.at
2005-04-14 08:19:47 UTC
Post by Ives Steglich
Post by Ives Steglich
http://pki.fem.tu-ilmenau.de/operating/004/scep/scep
http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/scep
greetings
dalini
Oh, thanks a lot.

One question first of all:
is the certificate issued automatically by your CA?

Here is my trace from the NetScreen:

Both traces were caused by the "exec pki x509 scep id" command!!!
Before that I get a CA certificate and make a request.

First with my CA:
------------------------------------------------------
## 14:20:50 : exec_scep_auth_cli: id=194380036 which0=13 which1=2 cfg_mode<0> ma
sk<00000000>
## 14:20:50 : webNotifyPki: from<1> wCmd=f00b vSysCtx=2200010
## 14:20:50 : processPkiRequest cmd=a
## 14:20:50 : webReqHandler
## 14:20:50 : scep_start: key_id<194380036> ca_id<-2>
## 14:20:50 : lib=13 func=107 reason=121 file=../../asn1/asn1_lib.c line=106
get subject alt name construct err, len <0>.
## 14:20:50 : lib=13 func=223 reason=101 file=../../x509/x509_ext.c line=263
## 14:20:50 : lib=13 func=107 reason=121 file=../../asn1/asn1_lib.c line=106
get subject alt name construct err, len <0>.
## 14:20:50 : lib=13 func=223 reason=101 file=../../x509/x509_ext.c line=263
## 14:20:50 : PKI SCEP: use default ca-identity <any>, <00000000>.
## 14:20:50 : scep_LDAP_Init: new cookie
## 14:20:50 : new_nonce_hash data = 0 len = 0
## 14:20:50 : scep_start: PLDAP_STATE instance<02178428>
## 14:20:50 : scep_reset_url: CGI_PATH=http://172.16.98.92/cgi-bin/scep/scep
## 14:20:50 : scep_reset_url: RA_CGI_PATH=http://172.16.98.92/cgi-bin/scep/scep
## 14:20:50 : scep_init: p_scep_context = 2178428
## 14:20:50 : pki_x509_req: challenge_password<bintecbintec>.
## 14:20:50 : scep_ca_query: p_scep_context = 2178428
## 14:20:50 : httpUrlParser: Success, port=80:
## 14:20:50 : httpUrlParser: host=<172.16.98.92>
## 14:20:50 : httpUrlParser: urlPath=<GET /cgi-bin/scep/scep>
## 14:20:50 : httpUrlParser: input url=<http://172.16.98.92/cgi-bin/scep/scep>
## 14:20:50 : scep_form_http_req: operCmd=20 context=2178428 len=22
## 14:20:50 : scep_form_http_req: cgi=<GET /cgi-bin/scep/scep>
## 14:20:50 : scep_form_http_req: SCEP_GETCACERT
## 14:20:50 : getcacert_msg: CA-IDENT = any
## 14:20:50 : scep_form_http_req: len = 34 msg_len=3
## 14:20:50 :
GET request: len=54
## 14:20:50 : openHttpConnection: convert the host name 172.16.98.92.
## 14:20:50 : server IP 172.16.98.92
## 14:20:50 : Trying to connect host 172.16.98.92 port 80
## 14:20:50 : Trying to send to socket 526
## 14:20:50 : openHttpConnection: done <0>.
## 14:20:50 : pki mail received.
## 14:20:50 : http socket <526> got data <06e4d5a8> len <3635> byte.
## 14:20:50 : pkiExec: got content <application/x-x509-ca-ra-cer>, data <6e4d6be
data len <3357>
## 14:20:50 : pkiExec: in_process = 0
## 14:20:50 : Got buf=6e4d6be len=3357 context 2178428 contentType=application/x
-x509-ca-ra-cer contentTypeLen=29
## 14:20:50 : scep_server_rsp: sub command <80>
## 14:20:50 : scep_server_rsp: (SCEP) Got CA and RA x509 certificates
## 14:20:50 : scep_rsp_ca_ra: p_scep_context = 2178428
## 14:20:50 : scep_rsp_ca_ra: total certs = 2
## 14:20:50 : ns_x509_key_usage: f000
## 14:20:50 : scep_ca_ra_settig: key usage = f000
## 14:20:50 : scep_ca_ra_settig: KU_KEY_ENCIPHERMENT, Signing cert
## 14:20:50 : ns_x509_key_usage: 0600
## 14:20:50 : scep_ca_ra_settig: key usage = 0600
## 14:20:50 : scep_ca_ra_settig: KU_CRL_SIGN, CA cert
## 14:20:50 : pCaCert: Email=***@localhost,CN=root,OU=RD,O=Bintec,C=DE,
## 14:20:50 : pRaSignCert: UNKNOWN=1,CN=scep,OU=Internet,O=Bintec,C=DE,
## 14:20:50 : scep_ca_fingerprint_authenticate: found CA X509 certificate in the
trust store.
## 14:20:50 : scep_get_cert_initial: p_scep_context = 2178428
## 14:20:50 : httpUrlParser: Success, port=80:
## 14:20:50 : httpUrlParser: host=<172.16.98.92>
## 14:20:50 : httpUrlParser: urlPath=<GET /cgi-bin/scep/scep>
## 14:20:50 : httpUrlParser: input url=<http://172.16.98.92/cgi-bin/scep/scep>
## 14:20:50 : scep_form_http_req: operCmd=40 context=2178428 len=22
## 14:20:50 : scep_form_http_req: cgi=<GET /cgi-bin/scep/scep>
## 14:20:50 : scep_form_http_req: SCEP_PKIOPERATION
## 14:20:50 : pkioperation_msg: p_ldap_state=2178428 sub_cmd=14
## 14:20:50 : get certificate for: CN=scep2,CN=calinux,CN=rsa-key,CN=677,CN=0029
072002000255,CN=172.16.104.6,OU=RD,O=Bintec,ST=Germany,C=DE,
## 14:20:50 : pkioperation_msg: SCEP_GETCERTINITIAL
## 14:20:50 : scep_ra_settig: pCaCert = 02163700
## 14:20:50 : scep_ra_settig: reset pRaVerifyCert = 021621c0
## 14:20:50 : SCEP_GETCERTINITIAL: len = 280
## 14:20:50 : scep_wrap_p7: SCEP_GETCERTINITIAL
## 14:20:50 : scep_transaction_id: len = 4 d3574d1a 819a530f 59083bbb 516982a3
## 14:20:50 : PKI: no FQDN available when requesting certificate.
## 14:20:50 : pkioperation_msg: RA: UNKNOWN=1,CN=scep,OU=Internet,O=Bintec,C=DE,
## 14:20:50 : new_nonce_hash data = 590c700 len = 595
## 14:20:50 : new_nonce_hash data = 0 len = 0
## 14:20:50 : scep_transaction_id: len = 4 d3574d1a 819a530f 59083bbb 516982a3
## 14:20:50 : PEM_ASN1_write_bio: len<1964>
## 14:20:50 : i<8192> inl<11>
## 14:20:50 : i<8181> inl<5>
## 14:20:50 : i<8176> inl<6>
## 14:20:50 : i<8170> inl<2600>
## 14:20:50 : i<5570> inl<61>
## 14:20:50 : i<5509> inl<9>
## 14:20:50 : i<5500> inl<5>
## 14:20:50 : i<5495> inl<6>
## 14:20:50 : PEM scep p7 len= 2620
## 14:20:50 : scep_form_http_req: len = 34 msg_len=2688
## 14:20:50 :
GET request: len=2742
## 14:20:50 : openHttpConnection: convert the host name 172.16.98.92.
## 14:20:50 : server IP 172.16.98.92
## 14:20:50 : Trying to connect host 172.16.98.92 port 80
## 14:20:50 : Trying to send to socket 527
## 14:20:50 : openHttpConnection: done <0>.
## 14:20:50 : scep_rsp_ca_ra: done, p_scep_context = 2178428
## 14:20:53 : http socket <527> got data <06e4e518> len <4350> byte.
## 14:20:53 : pkiExec: got content <application/x-pki-messag>, data <6e4e62a> da
ta len <4076>
## 14:20:53 : pkiExec: in_process = 0
## 14:20:53 : Got buf=6e4e62a len=4076 context 2178428 contentType=application/x
-pki-messag contentTypeLen=25
## 14:20:53 : scep_server_rsp: sub command <14>
## 14:20:53 : scep_server_rsp: (SCEP) Got PKI operation response
## 14:20:53 : scep_rsp_pkioperation: p_scep_context = 2178428
## 14:20:53 : scep_rsp_cmd: p_scep_context = 2178428
## 14:20:53 : scep_rsp_pkioperation: SCEP_SUCCESS
## 14:20:53 : scep_rsp_pkioperation_success: p_scep_context = 2178428 <057b9ea0>
## 14:20:53 : scep_transaction_id: len = 4 d3574d1a 819a530f 59083bbb 516982a3
## 14:20:53 : PKI: no FQDN available when requesting certificate.
## 14:20:53 : lib=33 func=109 reason=111 file=../../pkcs7/pk7_doit.c line=670
## 14:20:53 : PKI: The device cannot decrypt SCEP data in outer PKCS7 envelope.
## 14:20:53 : scep_rsp_pkioperation_success: p_scep_context = 2178428 <057b9ea0>
## 14:20:53 : scep_rsp_pkioperation: PKCS7 data is not degenerated
## 14:20:53 : updateCertFile: Update the cert files.
## 14:20:53 : PKI: opened file for write, product<9>.
--------------------------------------------------------------


Second with yours:
-------------------------------------------------------------

12:00:26 : exec_scep_auth_cli: id=194380074 which0=13 which1=2 cfg_mode<0> ma
sk<00000000>
## 12:00:26 : webNotifyPki: from<1> wCmd=f00b vSysCtx=2200010
## 12:00:26 : processPkiRequest cmd=a
## 12:00:26 : webReqHandler
## 12:00:26 : scep_start: key_id<194380074> ca_id<-2>
## 12:00:26 : lib=13 func=107 reason=121 file=../../asn1/asn1_lib.c line=106
get subject alt name construct err, len <0>.
## 12:00:26 : lib=13 func=223 reason=101 file=../../x509/x509_ext.c line=263
## 12:00:26 : lib=13 func=107 reason=121 file=../../asn1/asn1_lib.c line=106
get subject alt name construct err, len <0>.
## 12:00:26 : lib=13 func=223 reason=101 file=../../x509/x509_ext.c line=263
## 12:00:26 : PKI SCEP: use default ca-identity <any>, <00000000>.
## 12:00:26 : scep_LDAP_Init: new cookie
## 12:00:26 : new_nonce_hash data = 0 len = 0
## 12:00:26 : scep_start: PLDAP_STATE instance<02179404>
## 12:00:26 : scep_reset_url: CGI_PATH=http://141.24.101.4/operating/004/pub/cgi
-bin/scep/scep
## 12:00:26 : scep_reset_url: RA_CGI_PATH=http://141.24.101.4/operating/004/pub/
cgi-bin/scep/scep
## 12:00:26 : scep_init: p_scep_context = 2179404
## 12:00:26 : pki_x509_req: no challenge_password.
## 12:00:26 : scep_ca_query: p_scep_context = 2179404
## 12:00:26 : httpUrlParser: Success, port=80:
## 12:00:26 : httpUrlParser: host=<141.24.101.4>
## 12:00:26 : httpUrlParser: urlPath=<GET /operating/004/pub/cgi-bin/scep/scep>
## 12:00:26 : httpUrlParser: input url=<http://141.24.101.4/operating/004/pub/cg
i-bin/scep/scep>
## 12:00:26 : scep_form_http_req: operCmd=20 context=2179404 len=40
## 12:00:26 : scep_form_http_req: cgi=<GET /operating/004/pub/cgi-bin/scep/scep>
## 12:00:26 : scep_form_http_req: SCEP_GETCACERT
## 12:00:26 : getcacert_msg: CA-IDENT = any
## 12:00:26 : scep_form_http_req: len = 52 msg_len=3
## 12:00:26 :
GET request: len=72
## 12:00:26 : openHttpConnection: convert the host name 141.24.101.4.
## 12:00:26 : server IP 141.24.101.4
## 12:00:26 : Trying to connect host 141.24.101.4 port 80
## 12:00:26 : Trying to send to socket 277
## 12:00:26 : openHttpConnection: done <0>.
## 12:00:26 : pki mail received.
## 12:00:26 : http socket <277> got data <06e69028> len <3201> byte.
## 12:00:26 : pkiExec: got content <application/x-x509-ca-ra-cer>, data <6e690f0
data len <3001>
## 12:00:26 : pkiExec: in_process = 0
## 12:00:26 : Got buf=6e690f0 len=3001 context 2179404 contentType=application/x
-x509-ca-ra-cer contentTypeLen=29
## 12:00:26 : scep_server_rsp: sub command <80>
## 12:00:26 : scep_server_rsp: (SCEP) Got CA and RA x509 certificates
## 12:00:26 : scep_rsp_ca_ra: p_scep_context = 2179404
## 12:00:26 : scep_rsp_ca_ra: total certs = 2
## 12:00:26 : ns_x509_key_usage: f000
## 12:00:26 : scep_ca_ra_settig: key usage = f000
## 12:00:26 : scep_ca_ra_settig: KU_KEY_ENCIPHERMENT, Signing cert
## 12:00:26 : ns_x509_key_usage: c600
## 12:00:26 : scep_ca_ra_settig: key usage = c600
## 12:00:26 : scep_ca_ra_settig: KU_CRL_SIGN, CA cert
## 12:00:26 : pCaCert: Email=***@fem.tu-ilmenau.de,CN=FeM e.V. Testing PKI 02,OU
=Technik,O=FeM e.V.,C=De,
## 12:00:26 : pRaSignCert: UNKNOWN=12,CN=pki.fem.tu-ilmenau.de,OU=Internet,O=FeM
e.V.,C=De,
## 12:00:26 : scep_ca_fingerprint_authenticate: found CA X509 certificate in the
trust store.
## 12:00:26 : scep_get_cert_initial: p_scep_context = 2179404
## 12:00:26 : httpUrlParser: Success, port=80:
## 12:00:26 : httpUrlParser: host=<141.24.101.4>
## 12:00:26 : httpUrlParser: urlPath=<GET /operating/004/pub/cgi-bin/scep/scep>
## 12:00:26 : httpUrlParser: input url=<http://141.24.101.4/operating/004/pub/cg
i-bin/scep/scep>
## 12:00:26 : scep_form_http_req: operCmd=40 context=2179404 len=40
## 12:00:26 : scep_form_http_req: cgi=<GET /operating/004/pub/cgi-bin/scep/scep>
## 12:00:26 : scep_form_http_req: SCEP_PKIOPERATION
## 12:00:26 : pkioperation_msg: p_ldap_state=2179404 sub_cmd=14
## 12:00:26 : get certificate for: CN=illmenau1,CN=calinux,CN=rsa-key,CN=677,CN=
0029072002000255,CN=172.16.104.6,OU=RD,O=privat,ST=Germany,C=DE,
## 12:00:26 : pkioperation_msg: SCEP_GETCERTINITIAL
## 12:00:26 : scep_ra_settig: pCaCert = 021629b8
## 12:00:26 : scep_ra_settig: reset pRaVerifyCert = 0216217c
## 12:00:26 : SCEP_GETCERTINITIAL: len = 320
## 12:00:26 : scep_wrap_p7: SCEP_GETCERTINITIAL
## 12:00:26 : scep_transaction_id: len = 4 66ed61a6 444b6c4b e192efff 825ba946
## 12:00:26 : PKI: no FQDN available when requesting certificate.
## 12:00:26 : pkioperation_msg: RA: UNKNOWN=12,CN=pki.fem.tu-ilmenau.de,OU=Inter
net,O=FeM e.V.,C=De,
## 12:00:26 : new_nonce_hash data = 590d388 len = 670
## 12:00:26 : new_nonce_hash data = 0 len = 0
## 12:00:26 : scep_transaction_id: len = 4 66ed61a6 444b6c4b e192efff 825ba946
## 12:00:26 : PEM_ASN1_write_bio: len<2053>
## 12:00:26 : i<8192> inl<11>
## 12:00:26 : i<8181> inl<5>
## 12:00:26 : i<8176> inl<6>
## 12:00:26 : i<8170> inl<2730>
## 12:00:26 : i<5440> inl<53>
## 12:00:26 : i<5387> inl<9>
## 12:00:26 : i<5378> inl<5>
## 12:00:26 : i<5373> inl<6>
## 12:00:26 : PEM scep p7 len= 2740
## 12:00:26 : scep_form_http_req: len = 52 msg_len=2834
## 12:00:26 :
GET request: len=2906
## 12:00:26 : openHttpConnection: convert the host name 141.24.101.4.
## 12:00:26 : server IP 141.24.101.4
## 12:00:26 : Trying to connect host 141.24.101.4 port 80
## 12:00:26 : Trying to send to socket 278
## 12:00:26 : openHttpConnection: done <0>.
## 12:00:26 : scep_rsp_ca_ra: done, p_scep_context = 2179404
## 12:00:27 : http socket <278> got data <06e1ba68> len <2259> byte.
## 12:00:27 : pkiExec: got content <x-pki-messag>, data <6e1bb36> data len <2053
## 12:00:27 : pkiExec: in_process = 0
## 12:00:27 : Got buf=6e1bb36 len=2053 context 2179404 contentType=x-pki-messag
contentTypeLen=13
## 12:00:27 : scep_server_rsp: sub command <14>
## 12:00:27 : SCEP: bad content type <x-pki-message>
-------------------------------------------

Any ideas?
Ives Steglich
2005-04-14 10:39:50 UTC
Post by t***@mails.at
Oh, thanks a lot.
One question first of all:
is the certificate issued automatically by your CA?
No ;) - I do this
Post by t***@mails.at
Both traces were caused by the "exec pki x509 scep id" command!!!
Before that I get a CA certificate and make a request.
Any ideas?
Hmm, no - I will just issue a cert now ;)
Let's see what happens

greetings
dalini
