<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Trevor,</p>
<p>I'll need a bit of clarification and some info...<br>
</p>
<br>
<div class="moz-cite-prefix">On 01/31/2018 10:52 AM, Trevor Vaughan
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi All,<br>
<br>
</div>
I've hit a bit of a roadblock with debugging SCEP
enrollment from certmonger to Dogtag and I'm
hoping that someone can help.<br>
<br>
</div>
I am attempting to register with a subordinate CA
that has a KRA set up and will successfully sign
certificate requests from certmonger.<br>
<br>
</div>
Unfortunately, there is an issue with receiving the
signed certificate and I've been unable to figure out
how to successfully debug the issue.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
So, the scep client has an issue receiving the scep response from the
server? And you have determined that the response is indeed a
signed certificate (like, not an error response)?<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div><br>
</div>
The error that is returned is "Error: failed to verify
signature on server response." and is triggered from <a
href="https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065"
moz-do-not-send="true">https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065</a>.<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Is your scep client trusting the subordinate ca's scep signing cert?<br>
<br>
<blockquote type="cite"
cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div>
<div><br>
</div>
I've tried dumping the p7 data but, from what I can tell,
the response is empty in that block of code and I'm not
quite sure where to go from there.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Wait, so the received response is empty?<br>
<br>
If the scep response from the subCA is not empty, could you show the
Base64 encoded response and maybe I can take a look?<br>
<br>
Also, if you could attach the relevant portion of the sub-CA's debug log
it might be helpful.<br>
<br>
<blockquote type="cite"
cite="mid:CANs+FoW+gpdBMxsOEgTy1jFwOdetA+yzDDO9DCOu1B2br6wkLw@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
Any assistance is appreciated.<br>
<br>
</div>
Thanks,<br>
<br>
</div>
Trevor<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>Trevor Vaughan<br>
Vice President, Onyx Point, Inc<br>
</div>
<div>(410) 541-6699 x788<br>
</div>
<div><br>
-- This account not approved for
unencrypted proprietary
information --</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
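<p>As an added illustration (not part of this thread, and not certmonger's or Dogtag's own code): a small OpenSSL script that reproduces the trust check behind the quoted "failed to verify signature on server response" error. It generates a throw-away signing certificate standing in for the sub-CA's SCEP signing cert, signs a constructed payload into a DER PKCS#7 SignedData and base64-encodes it the way a response would be pasted to the list, then verifies it once against a trust store that contains the signer and once against an unrelated one. File names, the <code>verify_scep_response</code> and <code>list_signer_certs</code> helpers and the payload are all assumptions made up for this example.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Everything below is constructed locally:
# no real sub-CA, certmonger or Dogtag material is involved.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for the sub-CA's SCEP signing certificate (self-signed here for brevity;
# a real one would be issued by the sub-CA). Constructed, not real.
openssl req -x509 -newkey rsa:2048 -nodes -keyout signer.key -out signer.pem \
    -subj "/CN=example-subca-scep-signer" -days 1 >/dev/null 2>&1

# An unrelated certificate standing in for a client trust store that does NOT
# contain the signer (the situation the reply asks about).
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -subj "/CN=unrelated-ca" -days 1 >/dev/null 2>&1

# Constructed payload and the base64 form of a DER PKCS#7 SignedData around it,
# i.e. the shape of the "Base64 encoded response" the reply asks to see.
printf 'constructed payload standing in for the SCEP response body' > payload.bin
openssl cms -sign -in payload.bin -signer signer.pem -inkey signer.key \
    -outform DER -nodetach -binary | openssl base64 -A > response.b64

# verify_scep_response TRUSTFILE: decode the pasted base64 and verify the PKCS#7
# signature against the given trust anchors. Exit status 0 means the signature
# verifies; non-zero is the state certmonger reports as
# "failed to verify signature on server response".
verify_scep_response() {
    openssl base64 -d -A -in response.b64 \
        | openssl cms -verify -inform DER -binary -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

# list_signer_certs: show which certificate(s) the response carries before judging
# it, so a trust mismatch is visible as a subject/issuer the client does not know.
list_signer_certs() {
    openssl base64 -d -A -in response.b64 | openssl pkcs7 -inform DER -print_certs -noout
}

# Walk-through when run directly.
echo "certificates embedded in the response:"
list_signer_certs
if verify_scep_response signer.pem; then
    echo "trusted signer: signature verifies"
fi
if ! verify_scep_response other.pem; then
    echo "untrusted signer: verification fails, matching the quoted certmonger error"
fi
```

<p>Pointing <code>-CAfile</code> at a store without the signer is enough to produce the failure; that is why the first thing to confirm is whether the client actually trusts the sub-CA's SCEP signing certificate rather than only the sub-CA itself.</p>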
</body>
</html>