<div dir="ltr"><div><div><div><div>Hi Christina,<br><br></div>Thanks for getting back to me.<br><br></div>At the time, I thought this was a Dogtag issue but I have since discovered that it appears to be solely an issue on the Certmonger side and is being tracked at <a href="https://pagure.io/certmonger/issue/93">https://pagure.io/certmonger/issue/93</a>.<br><br></div>Also, thanks for jumping in on the Dogtag AES patch, getting that in place will be great.<br><br></div>Trevor<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 7, 2018 at 7:40 PM, Christina Fu <span dir="ltr"><<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"> <p>Hi Trevor,</p> <p>I'll need a bit of clarification and some info...<br> </p><span class=""> <br> <div class="m_5656533732128723509moz-cite-prefix">On 01/31/2018 10:52 AM, Trevor Vaughan wrote:<br> </div> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div> <div> <div> <div>Hi All,<br> <br> </div> I've hit a bit of a roadblock with debugging SCEP enrollment from certmonger to Dogtag and I'm hoping that someone can help.<br> <br> </div> I am attempting to register with a subordinate CA that has a KRA set up and will successfully sign certificate requests from certmonger.<br> <br> </div> Unfortunately, there is an issue with receiving the signed certificate and I've been unable to figure out how to successfully debug the issue.<br> </div> </div> </div> </div> </div> </div> </blockquote></span> So, the scep client has issue receiving the scep response from the server? And you have determined that the response is indeed a signed certificate (like, not error response)?<span class=""><br> <br> <br> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div><br> </div> The error that is returned is "Error: failed to verify signature on server response." and is triggered from <a href="https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065" target="_blank">https://pagure.io/certmonger/<wbr>blob/master/f/src/pkcs7.c#_<wbr>1065</a>.<br> </div> </div> </div> </div> </div> </blockquote> <br></span> Is your scep client trusting the subordinate ca's scep signing cert?<span class=""><br> <br> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div> <div><br> </div> I've tried dumping the p7 data but, from what I can tell, the response is empty in that block of code and I'm not quite sure where to go from there.<br> </div> </div> </div> </div> </blockquote> <br></span> Wait, so the received response is empty?<br> <br> If the scep response from the subCA is not empty, could you show the Base64 encoded response and maybe I can take a look?<br> <br> Also, if you could attach relevant portion of the sub-CA's debug log it might be helpful.<br> <br> <blockquote type="cite"><span class=""> <div dir="ltr"> <div> <div> <div><br> </div> Any assistance is appreciated.<br> <br> </div> Thanks,<br> <br> </div> Trevor<br clear="all"> <div> <div> <div> <div> <div> <div> <div> <div> <div> <div><br> -- <br> <div class="m_5656533732128723509gmail_signature"> <div dir="ltr"> <div> <div dir="ltr"> <div>Trevor Vaughan<br> Vice President, Onyx Point, Inc<br> </div> <div><a href="tel:(410)%20541-6699" value="+14105416699" target="_blank">(410) 541-6699 x788</a><br> </div> <div><br> -- This account not approved for unencrypted proprietary information --</div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset class="m_5656533732128723509mimeAttachmentHeader"></fieldset> <br> </span><pre>______________________________<wbr>_________________ Pki-devel mailing list <a class="m_5656533732128723509moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com" target="_blank">Pki-devel@redhat.com</a> <a class="m_5656533732128723509moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/pki-devel</a></pre> </blockquote> <br> </div> <br>______________________________<wbr>_________________<br> Pki-devel mailing list<br> <a href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/pki-devel" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/pki-devel</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Trevor Vaughan<br>Vice President, Onyx Point, Inc<br></div><div>(410) 541-6699 x788<br></div><div><br>-- This account not approved for unencrypted proprietary information --</div></div></div></div></div> </div>