[Pki-devel] Issues with certmonger SCEP enrollment with Dogtag

Trevor Vaughan tvaughan at onyxpoint.com
Thu Feb 8 18:10:31 UTC 2018


Hi Christina,

Thanks for getting back to me.

At the time, I thought this was a Dogtag issue but I have since discovered
that it appears to be solely an issue on the Certmonger side and is being
tracked at https://pagure.io/certmonger/issue/93.

Also, thanks for jumping in on the Dogtag AES patch, getting that in place
will be great.

Trevor

On Wed, Feb 7, 2018 at 7:40 PM, Christina Fu <cfu at redhat.com> wrote:

> Hi Trevor,
>
> I'll need a bit of clarification and some info...
>
> On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
>
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set up
> and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate and
> I've been unable to figure out how to successfully debug the issue.
>
> So, the scep client has an issue receiving the scep response from the
> server?  And you have determined that the response is indeed a signed
> certificate (like, not error response)?
>
>
>
> The error that is returned is "Error: failed to verify signature on server
> response." and is triggered from
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.
>
>
> Is your scep client trusting the subordinate ca's scep signing cert?
>
>
> I've tried dumping the p7 data but, from what I can tell, the response is
> empty in that block of code and I'm not quite sure where to go from there.
>
>
> Wait, so the received response is empty?
>
> If the scep response from the subCA is not empty, could you show the
> Base64 encoded response and maybe I can take a look?
>
> Also, if you could attach relevant portion of the sub-CA's debug log it
> might be helpful.
>
>
> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
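The question the thread is circling (is the PKCS#7 signature on the SCEP response itself bad, or is the signer certificate simply one the client cannot chain to a trust anchor?) can be reproduced offline. The script below is an added example and is not certmonger's or Dogtag's code. It assumes an `openssl` binary on PATH, builds a throwaway root / sub-CA / SCEP signer chain, signs a text payload that stands in for the SCEP pkiMessage body, and then runs the checks a practitioner would run on a captured response. Every name, path and payload in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from certmonger, Dogtag or this thread. Rebuilds the
# "failed to verify signature on server response" symptom offline: a throwaway
# root -> sub-CA -> SCEP signing cert chain, a CMS/PKCS#7 SignedData blob standing
# in for the SCEP response, and the openssl checks that separate a bad signature
# from a missing trust anchor. All names, paths and the payload are constructed.
set -e

# Create the demo chain and two signed responses under directory $1.
build_demo_chain() {
    mkdir -p "$1"
    (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
            -subj "/CN=Demo Root CA" -days 2 2>/dev/null
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
            -subj "/CN=Demo Sub CA" 2>/dev/null
        openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -extfile ca.ext -days 2 -out sub.crt 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ra.ext
        openssl req -newkey rsa:2048 -nodes -keyout ra.key -out ra.csr \
            -subj "/CN=Demo SCEP Signer" 2>/dev/null
        openssl x509 -req -in ra.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
            -extfile ra.ext -days 2 -out ra.crt 2>/dev/null
        # What a client holds when it trusts both the root and the sub-CA.
        cat root.crt sub.crt > chain.pem
        # Constructed stand-in for the pkiMessage body a real SCEP server returns.
        echo "constructed stand-in for a SCEP pkiMessage body" > payload.txt
        # Server embeds only its signing cert; the client must already have sub.crt.
        openssl cms -sign -in payload.txt -signer ra.crt -inkey ra.key -nodetach \
            -outform DER -out resp_signer_only.p7 2>/dev/null
        # Server also embeds the sub-CA cert, so a root-only client can build the chain.
        openssl cms -sign -in payload.txt -signer ra.crt -inkey ra.key -certfile sub.crt \
            -nodetach -outform DER -out resp_with_subca.p7 2>/dev/null
    )
}

# Decode a Base64 response captured from the wire (what the thread asks for)
# into DER in $2. fold tolerates both wrapped and single-line captures.
decode_b64_response() {
    fold -w 64 "$1" | openssl base64 -d -out "$2"
}

# Count the certificates the server embedded in the SignedData.
count_embedded_certs() {
    openssl cms -verify -inform DER -in "$1" -noverify -out /dev/null \
        -certsout "$1.certs.pem" 2>/dev/null
    grep -c 'BEGIN CERTIFICATE' "$1.certs.pem"
}

# Signature check only, no chain building: "ok" means the bytes were not
# tampered with and the embedded signer cert matches the signature.
signature_only() {
    if openssl cms -verify -inform DER -in "$1" -noverify -out /dev/null 2>/dev/null
    then echo ok; else echo fail; fi
}

# Full check as a client does it: signature plus a chain to the trust file $2.
verify_against() {
    if openssl cms -verify -inform DER -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    then echo ok; else echo fail; fi
}

# Run the matrix; the interesting row is signer-only response vs root-only trust.
main() {
    w=$(mktemp -d)
    build_demo_chain "$w"
    for r in resp_signer_only.p7 resp_with_subca.p7; do
        p="$w/$r"
        echo "$r: certs=$(count_embedded_certs "$p") sig=$(signature_only "$p")" \
             "root_only=$(verify_against "$p" "$w/root.crt")" \
             "root+subca=$(verify_against "$p" "$w/chain.pem")"
    done
    rm -rf "$w"
}

main
```

The row `resp_signer_only.p7 ... sig=ok root_only=fail` is the shape of the certmonger symptom: the signature over the response is intact, but the signer chains only to the sub-CA, which the client was never given, so PKCS7_verify fails at chain building rather than at the signature itself. The two fixes are visible in the other cells: the server embeds the sub-CA certificate in the SignedData, or the client's trust file carries both the root and the sub-CA. For a real capture, paste the Base64 response into a file, run `decode_b64_response` on it, and apply the same three checks against the CA bundle the SCEP client was configured with.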