[Pki-users] SSCEP client requesting CA cert
Chandrasekar Kannan
ckannan at redhat.com
Thu Apr 23 20:09:53 UTC 2009
On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> > Thanks to all for your help so far. :)
> >
> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> >
> > http://<fqdn>:12888/ee/scep/pkiclient.cgi
> >
> > I get the following error message:
> >
> > ./sscep: cannot find data from http reply
> >
> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> >
> > Additionally all the examples for retrieving the CA are for:
> >
> > http://<fqdn>:9180/ca/cgi.bin
> >
> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> >
> > ./sscep: wrong (or missing) MIME content type
> > ./sscep: error while sending message
> >
> > which looks even more hopeless.
> >
> > Any help is appreciated.
>
> Here's a perl module that we use for simple scep testing.
> I'll try to dig out the url and pin soon for a sample ...
Here are some sample results from this module; they might be useful for you.
##########################################################################
scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l
root /bin/rm -f local.csr
local.key ca.crt cert.crt
scep3 : [2007:5:9 12:44:7] : result =
scep3 : [2007:5:9 12:44:7] : ########################################################
scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest
-ip 10.14.1.89 netscape
Generating RSA private key, 1024 bit long modulus
..............++++++
...........++++++
e is 65537 (0x10001)
scep3 : [2007:5:9 12:44:7] : result =
scep3 : [2007:5:9 12:44:7] : ########################################################
scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca
-c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
/usr/bin/sscep: valid response from server
/usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
/usr/bin/sscep: CA certificate written as ca.crt
scep3 : [2007:5:9 12:44:8] : ########################################################
scep3 : [2007:5:9 12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll
-c ca.crt -k local.key -r local.csr -l cert.crt -u
http://tank:9007/ca/cgi-bin/pkiclient.exe
scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as cert.crt
scep3 : [2007:5:9 12:44:9] : ########################################################
scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS
##########################################################################
>
>
> ######################################################################
> # This perl module serves as a perl interface for the RHCS
> # SCEP - Enrollment
>
> ######################################################################
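package scep_enroll;
# Exporter setup for the module: callers get scep_do_enroll_with_sscep
# by default.  The globals are declared with `our` so the module stays
# clean under the `use strict` that follows.
require Exporter;
our @ISA    = qw(Exporter);
our @EXPORT = qw(scep_do_enroll_with_sscep
);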
>
> ######################################################################
> use strict;
> use baserc;
> use baselib;
> use applib;
> #use Net::Telnet::Cisco;
> ######################################################################
> #sub scep_do_enroll
> #{
> # my ($scep_enroll_pin,$scep_enroll_url) = @_;
> #
> # # scep_host/password are hardcoded here.
> # my $scep_host = "scep.dsdev.sjc.redhat.com";
> # my $scep_host_ip = "10.14.1.94";
> # my $scep_password = "netscape";
> # my $scep_ethernet = "Ethernet0/0";
> #
> # my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
> # $session->login('', "$scep_password");
> # $session->ignore_warnings("1");
> #
> # # Execute a command
> # &message_ts;
> # my @output = $session->cmd('show version');
> # log_entry(@output);
> #
> # # Enable mode
> # if ($session->enable("$scep_password") )
> # {
> # @output = $session->cmd('show privilege');
> # log_entry("My privileges: @output\n");
> # }
> # else
> # {
> # log_entry("Can't enable: " . "$session->errmsg");
> # }
> #
> # # enter conf t mode
> # log_entry("Executing command = conf t\n");
> # @output = $session->cmd("conf t");
> # log_entry("result =@output \n");
> #
> # # perform crypto cleanup first
> # log_entry("Executing command = crypto key zeroize rsa \n");
> # @output = $session->cmd("crypto key zeroize rsa\nyes");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = no crypto ca identity CA\n");
> # @output = $session->cmd("no crypto ca identity CA\nyes");
> # log_entry("result = @output\n");
> #
> # # setup CA identity
> # log_entry("Executing command = crypto ca identity CA\n");
> # @output = $session->cmd("crypto ca identity CA");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = enrollment url $scep_enroll_url \n");
> # @output = $session->cmd("enrollment url $scep_enroll_url ");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = crl optional\n");
> # @output = $session->cmd("crl optional");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = exit \n");
> # @output = $session->cmd("exit");
> # log_entry("result = @output\n");
> #
> # # authenticate CA
> # log_entry("Executing command = crypto ca authenticate CA\n");
> # @output = $session->cmd("crypto ca authenticate CA\nyes");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = crypto key generate rsa\n");
> # @output = $session->cmd("crypto key generate rsa\n512");
> # log_entry("result = @output\n");
> # sleep(60);
> #
> # log_entry("Executing command = crypto ca enroll CA \n");
> # @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n
> $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = exit \n");
> # @output = $session->cmd("exit");
> # log_entry("result = @output\n");
> #
> # log_entry("Executing command = show crypto CA certificate\nq\n");
> # @output = $session->cmd("show crypto CA certificate\nq\n");
> # log_entry("result = @output\n");
> #
> # foreach(@output)
> # {
> # if( /$scep_host/ || /Key Usage: General Purpose/ )
> # {
> # return 0;
> # }
> # }
> #
> #
> ##########################################################################
> # # close the session object
> # $session->close;
> #
> # return 1;
> #}
> ######################################################################
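sub scep_do_enroll_with_sscep
{
    # Drive the Simple SCEP client (sscep) on a remote host to perform one
    # SCEP enrollment: remove the artefacts of a previous run, generate a key
    # and request with mkrequest, fetch the CA certificate with `sscep getca`,
    # then submit the request with `sscep enroll`.  This is the alternative
    # when the router is not available; sscep is installed on $scep_host.
    #
    # Arguments:
    #   $scep_enroll_pin - enrollment pin handed to mkrequest (its last
    #                      argument in the original call; presumably the
    #                      SCEP challenge password - confirm against mkrequest)
    #   $scep_enroll_url - SCEP URL of the CA/RA (e.g. .../pkiclient.exe)
    # Returns 0 when sscep reports success, 1 otherwise.
    #
    # Both arguments end up on a remote command line.  Every remote word is
    # single-quoted and the local rsh is started with list-form open, so
    # neither the local nor the remote shell interprets metacharacters in the
    # pin, the url or the detected IP address.
    my ($scep_enroll_pin, $scep_enroll_url) = @_;

    # scep_host/uid are hardcoded here.
    my $scep_host = "tank.dsdev.sjc.redhat.com";
    my $uid       = "root";

    # An empty pin or url cannot enroll; report failure instead of running
    # four remote commands that are bound to fail.
    unless (defined $scep_enroll_pin && length $scep_enroll_pin
        && defined $scep_enroll_url && length $scep_enroll_url)
    {
        log_entry("scep_do_enroll_with_sscep: missing enrollment pin or url\n");
        return 1;
    }

    my $ipaddress = os_getip();

    # clean up leftovers of a previous run so stale files are never reused
    _scep_run_remote($scep_host, $uid,
        '/bin/rm', '-f', 'local.csr', 'local.key', 'ca.crt', 'cert.crt');

    # generate a key and certificate request
    _scep_run_remote($scep_host, $uid,
        '/usr/bin/mkrequest', '-ip', $ipaddress, $scep_enroll_pin);

    # get ca cert
    _scep_run_remote($scep_host, $uid,
        '/usr/bin/sscep', 'getca', '-c', 'ca.crt', '-u', $scep_enroll_url);

    # submit enrollment request
    my @output = _scep_run_remote($scep_host, $uid,
        '/usr/bin/sscep', 'enroll', '-c', 'ca.crt', '-k', 'local.key',
        '-r', 'local.csr', '-l', 'cert.crt', '-u', $scep_enroll_url);

    # parse for success: sscep prints "pkistatus: SUCCESS" and then names
    # the file the certificate was written to
    log_entry("########################################################\n");
    for my $line (@output) {
        if ($line =~ /pkistatus: SUCCESS/ || $line =~ /certificate written as/) {
            return 0;
        }
    }

    # failure
    return 1;
}

# Quote one word for a POSIX shell so that the remote shell started by rsh
# passes it through verbatim.  undef is treated as the empty string.
sub _scep_sh_quote
{
    my ($word) = @_;
    $word = '' unless defined $word;
    (my $quoted = $word) =~ s/'/'\\''/g;
    return "'" . $quoted . "'";
}

# Run one command on $scep_host as $uid through rsh, logging the command
# and its standard output the same way the original backtick calls did.
# List-form open keeps the local shell out of the picture; the remote
# command is a single pre-quoted string because rsh joins its arguments
# and hands them to a shell on the remote host.  Returns the output lines.
sub _scep_run_remote
{
    my ($scep_host, $uid, @remote_cmd) = @_;
    my $remote = join ' ', map { _scep_sh_quote($_) } @remote_cmd;

    log_entry("########################################################\n");
    log_entry("command = rsh $scep_host -l $uid $remote\n");

    my @output;
    if (open my $fh, '-|', 'rsh', $scep_host, '-l', $uid, $remote) {
        @output = <$fh>;
        # A false close on a pipe means a non-zero child exit; the caller
        # still decides success from the sscep output, so only log it.
        unless (close $fh) {
            log_entry("rsh exit status = " . ($? >> 8) . "\n");
        }
    }
    else {
        log_entry("rsh $scep_host could not be started: $!\n");
    }

    log_entry("result = @output\n");
    return @output;
}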
> #########################################################################
> >
> >
> >
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~