<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body text="#000000" bgcolor="#FFFFFF"> <p>Hi Trevor,</p> <p>I'll need a bit of clarification and some info...<br> </p> <br> <div class="moz-cite-prefix">On 01/31/2018 10:52 AM, Trevor Vaughan wrote:<br> </div> <blockquote type="cite" cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com"> <div dir="ltr"> <div> <div> <div> <div> <div> <div> <div> <div>Hi All,<br> <br> </div> I've hit a bit of a roadblock with debugging SCEP enrollment from certmonger to Dogtag and I'm hoping that someone can help.<br> <br> </div> I am attempting to register with a subordinate CA that has a KRA set up and will successfully sign certificate requests from certmonger.<br> <br> </div> Unfortunately, there is an issue with receiving the signed certificate and I've been unable to figure out how to successfully debug the issue.<br> </div> </div> </div> </div> </div> </div> </blockquote> So, the scep client has issue receiving the scep response from the server? And you have determined that the response is indeed a signed certificate (like, not error response)?<br> <br> <br> <blockquote type="cite" cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com"> <div dir="ltr"> <div> <div> <div> <div> <div><br> </div> The error that is returned is "Error: failed to verify signature on server response." and is triggered from <a href="https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065" moz-do-not-send="true">https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065</a>.<br> </div> </div> </div> </div> </div> </blockquote> <br> Is your scep client trusting the subordinate ca's scep signing cert?<br> <br> <blockquote type="cite" cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com"> <div dir="ltr"> <div> <div> <div> <div><br> </div> I've tried dumping the p7 data but, from what I can tell, the response is empty in that block of code and I'm not quite sure where to go from there.<br> </div> </div> </div> </div> </blockquote> <br> Wait, so the received response is empty?<br> <br> If the scep response from the subCA is not empty, could you show the Base64 encoded response and maybe I can take a look?<br> <br> Also, if you could attach relevant portion of the sub-CA's debug log it might be helpful.<br> <br> <blockquote type="cite" cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com"> <div dir="ltr"> <div> <div> <div><br> </div> Any assistance is appreciated.<br> <br> </div> Thanks,<br> <br> </div> Trevor<br clear="all"> <div> <div> <div> <div> <div> <div> <div> <div> <div> <div><br> -- <br> <div class="gmail_signature"> <div dir="ltr"> <div> <div dir="ltr"> <div>Trevor Vaughan<br> Vice President, Onyx Point, Inc<br> </div> <div>(410) 541-6699 x788<br> </div> <div><br> -- This account not approved for unencrypted proprietary information --</div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Pki-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre> </blockquote> <br> </body> </html>