<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>Is there anything interesting in your CA debug log file?<br>
Did you verify if your request includes the challenge password attribute?<br>
<br>
Thank you,<br>
Andrew<br>
</tt> <br>
<br>
On 04/21/2011 06:00 AM, Jennings, Charles wrote:
<blockquote
cite="mid:F2F18D9E67CC624085F34A28E29D1B28E0C859@EXCHANGEPOST01.its.local"
type="cite">
<title>Cisco Router and RA SCEP & PIN</title>
<p><font size="2">Looking for some help:<br>
<br>
I've been beating my head over this for a few days with no
resolution:<br>
<br>
1. Using DCS version 1.3<br>
<br>
2. In RA SSL End User Services, perform a SCEP enrollment
using the<br>
following information:<br>
<br>
a. Client IP: a user id<br>
b. Site ID: The IP address of the router<br>
c. Email: My email address<br>
<br>
3. In RA Agent Services, approve the request and note the
PIN that is<br>
assigned.<br>
<br>
4. In router, generate RSA key:<br>
<br>
crypto key gen rsa<br>
Set to 1024 modulus<br>
<br>
5. In router, create the crypto ca trustpoint as follows:<br>
<br>
crypto ca trustpoint CA<br>
enrollment mode ra<br>
enrollment url <a moz-do-not-send="true"
href="http://ra.test.com:12888/ee/scep/pkiclient.cgi">http://ra.test.com:12888/ee/scep/pkiclient.cgi</a><br>
crl optional<br>
<br>
6. In router, obtain CA certificate (with no problem)<br>
<br>
crypto ca authenticate CA<br>
<br>
Certificate has the following attributes:<br>
Fingerprint MD5: blah blah<br>
Fingerprint SHA1: blah blah<br>
%Do you accept this certificate? [yes/no]: yes<br>
Trustpoint CA certificate accepted.<br>
<br>
Here's where it all blows up:<br>
<br>
7. Try to obtain certificate:<br>
<br>
crypto ca enroll CA<br>
%<br>
% Start certificate enrollment .<br>
% Create a challenge password. You will need to verbally
provide this<br>
Password to the CA Administrator in order to revoke
your certificate.<br>
For security reasons you password will not be saved
in the configuration.<br>
Please make a note of it.<br>
<br>
Password: {I've tried the PIN and just any 'ol
password}<br>
Re-enter password:<br>
<br>
% The subject name in the certificate will include:
TEST_HOST.cert-test.net<br>
% Include the router serial number in the subject name?
[yes/no]: no {tried both}<br>
% Include the IP address in the subject name? [no]: no
{tried both}<br>
Request certificate from CA? [yes/no] yes<br>
% Certificate request sent to Certificate Authority<br>
% The 'show crypto ca certificate CA verbose' command
will show the fingerprint<br>
<br>
CRYPTO_PKI: Certificate Request Fingerprint MD5: blah
blah<br>
CRYPTO_PKI: Certificate Request Fingerprint SHA1: blah
blah<br>
<br>
%PKI-6-CERTFAIL: Certificate enrollment failed.<br>
<br>
8. I have turned on debugging and found that every time it
failed, I<br>
was being told at the end of the debugging that I was
being<br>
redirected with a '302 Moved' to /ee/scep/installer.cgi<br>
<br>
9. So I went in and edited the following file:<br>
<br>
vi ./var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi<br>
<br>
and commented out the following 4 lines in the file:<br>
<br>
</font></p>
<pre wrap="">
# check PIN
if (1) {
    my $pin_store = PKI::Base::PinStore->new();
    $pin_store->open($cfg);
    my $pinref = $pin_store->read_pin($key);
    if (defined($pinref) && $pinref->{'pin'} eq $pin) {
        $pin_store->delete($key);
    } else {
        # $pin_store->close();
        # # XXX - return SCEP error
        # print $q->redirect("/ee/scep/installer.cgi");
        # return;
    }
    $pin_store->close();
}
</pre>
<p><font size="2">
<br>
10. I ran thru the whole enrollment process again - and bang:
It works<br>
<br>
<br>
So I know that the issue is that it can't determine the PIN
that was<br>
assigned during the RA enrollment process.<br>
<br>
Does anyone know how I can resolve this so that PIN
authentication works?<br>
<br>
Thanks,<br>
<br>
Charles Jennings<br>
Network Security Engineer | Network Engineering<br>
EarthLink Business<br>
<br>
<br>
E: <a class="moz-txt-link-abbreviated" href="mailto:charles.jennings@corp.earthlink.com">charles.jennings@corp.earthlink.com</a> <<a
moz-do-not-send="true"
href="mailto:charles.jennings@corp.earthlink.com">mailto:charles.jennings@corp.earthlink.com</a>><br>
O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294<br>
1801 Hillyer Robinson Parkway | Anniston, AL | 36207<br>
Deltacom is now EarthLink Business<br>
<br>
"There is one safeguard known generally to the wise, which is
an advantage and security to all, but especially to
democracies as against despots. What is it? Distrust."<br>
Demosthenes (c 384-322 B.C.), Greek orator. Second Philippic,
sct. 24 (344 B.C.)<br>
<br>
</font>
</p>
<pre wrap="">
_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a>
</pre>
</blockquote>
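<p>Andrew's question (is the challengePassword attribute actually in the request?) and the PIN check that step 9 disables in pkiclient.cgi can be modelled together. The Python below is an added example, not Dogtag's or Cisco's own code: it builds a constructed, unsigned PKCS#10 skeleton with and without the challengePassword attribute (OID 1.2.840.113549.1.9.7), extracts that attribute the way the RA must before it can compare anything, and then performs the comparison the commented-out else branch should enforce. The PIN store is a plain dict and the lookup key (the router's IP, per the Site ID field) are assumptions; the real CGI derives <tt>$key</tt> from the request itself.</p>

```python
import hmac
# OIDs as DER content bytes: challengePassword 1.2.840.113549.1.9.7, commonName 2.5.4.3, rsaEncryption 1.2.840.113549.1.1.1
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")
CN_OID, RSA_OID = bytes.fromhex("550403"), bytes.fromhex("2a864886f70d010101")

def der(tag, body):
    """Encode one DER TLV (definite short- or long-form length)."""
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = lb if n < 128 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_children(body):
    """Yield (tag, content) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        yield tag, body[i:i + n]
        i += n

def challenge_password(csr_der):
    """Return the challengePassword attribute of a PKCS#10 request, or None if the client did not send one."""
    cri = next(der_children(next(der_children(csr_der))[1]))[1]   # CertificationRequest -> certificationRequestInfo
    for tag, attrs in der_children(cri):
        if tag != 0xA0: continue                       # attributes [0] IMPLICIT SET OF Attribute
        for _, attr in der_children(attrs):            # Attribute ::= SEQUENCE { type OID, values SET }
            oid, values = [v for _, v in der_children(attr)]
            if oid == CHALLENGE_PASSWORD_OID:
                return next(der_children(values))[1].decode("ascii")
    return None

def build_csr(cn, password=None):
    """Constructed, unsigned PKCS#10 skeleton with a dummy key and signature; only the attribute layout matters here."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" * 3))
    attrs = b"" if password is None else der(0x30, der(0x06, CHALLENGE_PASSWORD_OID) + der(0x31, der(0x13, password.encode())))
    cri = der(0x30, der(0x02, b"\x00") + name + spki + der(0xA0, attrs))
    return der(0x30, cri + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" * 5))

def verify_pin(csr_der, pin_store, key):
    """What the else branch should enforce: reject missing attribute, unknown key or mismatch; consume the PIN on success."""
    presented, expected = challenge_password(csr_der), pin_store.get(key)   # pin_store: dict standing in for PinStore
    if presented is None or expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return False
    del pin_store[key]                                 # one-time PIN, as $pin_store->delete($key)
    return True
```

<p>With the else branch commented out as in step 9, every request passes this stage whatever password the router typed, so the RA no longer authenticates SCEP enrollments at all; if <tt>challenge_password()</tt> returns None for a captured request, the attribute never left the router and the PIN cannot match.</p>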
<br>
</body>
</html>