<div dir="ltr"><div><div><div><div>Hi Christina,<br><br></div>Thanks for getting back to me.<br><br></div>At the time, I thought this was a Dogtag issue but I have since discovered that it appears to be solely an issue on the Certmonger side and is being tracked at <a href="https://pagure.io/certmonger/issue/93">https://pagure.io/certmonger/issue/93</a>.<br><br></div>Also, thanks for jumping in on the Dogtag AES patch, getting that in place will be great.<br><br></div>Trevor<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 7, 2018 at 7:40 PM, Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Trevor,</p>
<p>I'll need a bit of clarification and some info...<br>
</p><span class="">
<br>
<div class="m_5656533732128723509moz-cite-prefix">On 01/31/2018 10:52 AM, Trevor Vaughan
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi All,<br>
<br>
</div>
I've hit a bit of a roadblock with debugging SCEP
enrollment from certmonger to Dogtag and I'm
hoping that someone can help.<br>
<br>
</div>
I am attempting to register with a subordinate CA
that has a KRA set up and will successfully sign
certificate requests from certmonger.<br>
<br>
</div>
Unfortunately, there is an issue with receiving the
signed certificate and I've been unable to figure out
how to successfully debug the issue.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></span>
So, the scep client has issue receiving the scep response from the
server? And you have determined that the response is indeed a
signed certificate (like, not error response)?<span class=""><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div><br>
</div>
The error that is returned is "Error: failed to verify
signature on server response." and is triggered from <a href="https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065" target="_blank">https://pagure.io/certmonger/<wbr>blob/master/f/src/pkcs7.c#_<wbr>1065</a>.<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br></span>
Is your scep client trusting the subordinate ca's scep signing cert?<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><br>
</div>
I've tried dumping the p7 data but, from what I can tell,
the response is empty in that block of code and I'm not
quite sure where to go from there.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br></span>
Wait, so the received response is empty?<br>
<br>
If the scep response from the subCA is not empty, could you show the
Base64 encoded response and maybe I can take a look?<br>
<br>
Also, if you could attach relevant portion of the sub-CA's debug log
it might be helpful.<br>
<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
Any assistance is appreciated.<br>
<br>
</div>
Thanks,<br>
<br>
</div>
Trevor<br clear="all">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
-- <br>
<div class="m_5656533732128723509gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>Trevor Vaughan<br>
Vice President, Onyx Point, Inc<br>
</div>
<div><a href="tel:(410)%20541-6699" value="+14105416699" target="_blank">(410) 541-6699 x788</a><br>
</div>
<div><br>
-- This account not approved for
unencrypted proprietary
information --</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_5656533732128723509mimeAttachmentHeader"></fieldset>
<br>
</span><pre>______________________________<wbr>_________________
Pki-devel mailing list
<a class="m_5656533732128723509moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com" target="_blank">Pki-devel@redhat.com</a>
<a class="m_5656533732128723509moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
</div>
<br>______________________________<wbr>_________________<br>
Pki-devel mailing list<br>
<a href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-devel" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/pki-devel</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Trevor Vaughan<br>Vice President, Onyx Point, Inc<br></div><div>(410) 541-6699 x788<br></div><div><br>-- This account not approved for unencrypted proprietary information --</div></div></div></div></div>
</div>