[Pki-devel] Issues with certmonger SCEP enrollment with Dogtag

Christina Fu cfu at redhat.com
Thu Feb 8 00:40:41 UTC 2018


Hi Trevor,

I'll need a bit of clarification and some info...


On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from 
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set 
> up and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate 
> and I've been unable to figure out how to successfully debug the issue.
So, the SCEP client has an issue receiving the SCEP response from the 
server?  And you have determined that the response is indeed a signed 
certificate (like, not an error response)?


>
> The error that is returned is "Error: failed to verify signature on 
> server response." and is triggered from 
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.

Is your SCEP client trusting the subordinate CA's SCEP signing cert?

>
> I've tried dumping the p7 data but, from what I can tell, the response 
> is empty in that block of code and I'm not quite sure where to go from 
> there.

Wait, so the received response is empty?

If the SCEP response from the subCA is not empty, could you show the 
Base64-encoded response and maybe I can take a look?

Also, if you could attach the relevant portion of the sub-CA's debug log, it 
might be helpful.

>
> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --