[Pki-users] SSCEP client requesting CA cert

Chandrasekar Kannan ckannan at redhat.com
Thu Apr 23 20:09:53 UTC 2009


On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> > Thanks to all for your help so far. :)
> > 
> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> > 
> >   http://<fqdn>:12888/ee/scep/pkiclient.cgi
> > 
> > I get the following error message:
> > 
> >   ./sscep: cannot find data from http reply
> > 
> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> > 
> > Additionally all the examples for retrieving the CA are for:
> > 
> >   http://<fqdn>:9180/ca/cgi.bin
> > 
> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> > 
> >   ./sscep: wrong (or missing) MIME content type
> >   ./sscep: error while sending message
> > 
> > which looks even more hopeless.
> > 
> > Any help is appreciated.
> 
> Here's a perl module that we use for simple scep testing.
> I'll try to dig out the url and pin soon for a sample ...


Some sample results from this; they might be useful for you.
##########################################################################

scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l
root /bin/rm -f local.csr
	local.key ca.crt cert.crt 
scep3 : [2007:5:9  12:44:7] : result = 
scep3 : [2007:5:9  12:44:7] : ########################################################
scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest
	-ip 10.14.1.89 netscape 
Generating RSA private key, 1024 bit long modulus
..............++++++
...........++++++
e is 65537 (0x10001)
scep3 : [2007:5:9  12:44:7] : result = 
scep3 : [2007:5:9  12:44:7] : ########################################################
scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca
	-c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
scep3 : [2007:5:9  12:44:8] : result = /usr/bin/sscep: requesting CA certificate
	/usr/bin/sscep: valid response from server
	/usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
	/usr/bin/sscep: CA certificate written as ca.crt
scep3 : [2007:5:9  12:44:8] : ########################################################
scep3 : [2007:5:9  12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll
	-c ca.crt -k local.key -r local.csr  -l cert.crt -u
	http://tank:9007/ca/cgi-bin/pkiclient.exe 
scep3 : [2007:5:9  12:44:9] : result = /usr/bin/sscep: sending certificate request
	 /usr/bin/sscep: valid response from server
	 /usr/bin/sscep: pkistatus: SUCCESS
	 /usr/bin/sscep: certificate written as cert.crt
scep3 : [2007:5:9  12:44:9] : ########################################################
scep3 : [2007:5:9  12:44:9] : TestCaseResult scep3 PASS
##########################################################################


> 
> 
> ######################################################################
> # This perl module serves as a perl interface for the RHCS
> # SCEP - Enrollment
> 
> ######################################################################
> # Package scep_enroll: exports scep_do_enroll_with_sscep() through Exporter.
> package    scep_enroll;
> require    Exporter;
> # @ISA and @EXPORT are assigned as bare package globals here, ahead of the
> # `use strict` further down; under strict they would need `our`.
> @ISA       = qw(Exporter);
> @EXPORT    = qw(scep_do_enroll_with_sscep
> 				);
> 
> ######################################################################
> use strict;
> use baserc;
> use baselib;
> use applib;
> #use Net::Telnet::Cisco;
> ######################################################################
> #sub scep_do_enroll
> #{
> #	my ($scep_enroll_pin,$scep_enroll_url) = @_;
> #
> #	# scep_host/password are hardcoded here. 
> #	my $scep_host = "scep.dsdev.sjc.redhat.com";
> #	my $scep_host_ip = "10.14.1.94";
> #	my $scep_password = "netscape";
> #	my $scep_ethernet = "Ethernet0/0";
> #
> #	my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
> #	$session->login('', "$scep_password");
> #	$session->ignore_warnings("1");
> #
> #	# Execute a command
> #	&message_ts;
> #	my @output = $session->cmd('show version');
> #	log_entry(@output);
> #
> #	# Enable mode
> #	if ($session->enable("$scep_password") )
> #	{
> #		@output = $session->cmd('show privilege');
> #		log_entry("My privileges: @output\n");
> #	}
> #	else
> #	{
> #		log_entry("Can't enable: " . "$session->errmsg");
> #	}
> #
> #	# enter conf t mode
> #	log_entry("Executing command = conf t\n");
> #	@output = $session->cmd("conf t");
> #	log_entry("result =@output \n"); 
> #
> #	# perform crypto cleanup first
> #	log_entry("Executing command = crypto key zeroize rsa \n");
> #	@output = $session->cmd("crypto key zeroize rsa\nyes");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = no crypto ca identity CA\n");
> #	@output = $session->cmd("no crypto ca identity CA\nyes");
> #	log_entry("result = @output\n");
> #
> #	# setup CA identity
> #	log_entry("Executing command = crypto ca identity CA\n");
> #	@output = $session->cmd("crypto ca identity CA");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = enrollment url $scep_enroll_url \n");
> #	@output = $session->cmd("enrollment url $scep_enroll_url ");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = crl optional\n");
> #	@output = $session->cmd("crl optional");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = exit \n");
> #	@output = $session->cmd("exit");
> #	log_entry("result = @output\n");
> #
> #	# authenticate CA
> #	log_entry("Executing command = crypto ca authenticate CA\n");
> #	@output = $session->cmd("crypto ca authenticate CA\nyes");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = crypto key generate rsa\n");
> #	@output = $session->cmd("crypto key generate rsa\n512");
> #	log_entry("result = @output\n");
> #	sleep(60);
> #
> #	log_entry("Executing command = crypto ca enroll CA \n");
> #	@output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n
> $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = exit \n");
> #	@output = $session->cmd("exit");
> #	log_entry("result = @output\n");
> #
> #	log_entry("Executing command = show crypto CA certificate\nq\n");
> #	@output = $session->cmd("show crypto CA certificate\nq\n");
> #	log_entry("result = @output\n");
> #
> #	foreach(@output)
> #	{
> #		if( /$scep_host/ || /Key Usage: General Purpose/ )
> #		{
> #			return 0;
> #		}
> #	}
> #
> #
> ##########################################################################
> #	# close the session object
> #	$session->close;
> #
> #	return 1;
> #}
> ######################################################################
> sub scep_do_enroll_with_sscep
> {
> 	# Perform one SCEP enrollment with the Simple SCEP client (sscep),
> 	# running every step over rsh on $scep_host as $uid.  It is the
> 	# alternative to the commented-out router-based scep_do_enroll above,
> 	# for when no router is available.
> 	#
> 	# Arguments:
> 	#   $scep_enroll_pin - PIN given to /usr/bin/mkrequest (positional,
> 	#                      after "-ip <address>")
> 	#   $scep_enroll_url - SCEP URL passed as "-u" to sscep getca/enroll
> 	# Returns 0 as soon as a line of the enroll output matches
> 	# "pkistatus: SUCCESS" or "certificate written as", else 1.
> 	#
> 	# NOTE(review): both arguments are interpolated unquoted into the
> 	# backtick commands below, so they go through the local shell and
> 	# then the remote login shell started by rsh; shell metacharacters in
> 	# either value would be executed.  Only trusted values should reach
> 	# this sub, or escape them with quotemeta before interpolating.
> 	# NOTE(review): $? is never inspected after any backtick call, so a
> 	# failed rsh, mkrequest or getca is only noticed if the final output
> 	# scan of the enroll step finds no success marker.
> 	# NOTE(review): the command lines below look re-wrapped by the mail
> 	# client; inside backticks a line break ends the command, so rejoin
> 	# each onto one line before using this module.
> 
> 	my ($scep_enroll_pin,$scep_enroll_url) = @_;
> 
> 	# scep_host/uid are hardcoded here; rsh (not ssh) logs in as root,
> 	# which presumably relies on the test host's rsh trust setup.
> 	my $scep_host = "tank.dsdev.sjc.redhat.com";
> 	my $uid = "root";
> 	# os_getip() is not defined in this file - presumably from baselib/applib.
> 	my $ipaddress = os_getip();
> 
> 	# clean up: remove key/CSR/cert files left behind by a previous run
> 	log_entry("########################################################
> \n");
> 	log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr
> local.key ca.crt cert.crt \n");
> 	my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key
> ca.crt cert.crt`;
> 	log_entry("result = $result\n");
> 
> 	# generate a key: mkrequest runs on the remote host with this
> 	# machine's IP and the PIN; presumably it writes local.key and
> 	# local.csr, which the enroll step below reads.
> 	# NOTE(review): the PIN is also written to the log by the
> 	# log_entry() call on the next line.
> 	log_entry("########################################################
> \n");
> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip
> $ipaddress $scep_enroll_pin \n");
> 	$result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress
> $scep_enroll_pin `;
> 	log_entry("result = $result\n");
> 
> 	# get ca cert: sscep getca stores the CA certificate in ca.crt.
> 	# NOTE(review): nothing here compares the fetched certificate's
> 	# fingerprint (sscep prints it, see the sample output above) against
> 	# a known value; the CA is trusted exactly as received from the URL.
> 	log_entry("########################################################
> \n");
> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c
> ca.crt -u $scep_enroll_url\n");
> 	$result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u
> $scep_enroll_url`;
> 	log_entry("result = $result\n");
> 
> 	# submit enrollment request; the output is captured line by line in
> 	# @output (list context) so the scan below can match single lines
> 	log_entry("########################################################
> \n");
> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c
> ca.crt -k local.key -r local.csr  -l cert.crt -u $scep_enroll_url \n");
> 	my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k
> local.key -r local.csr  -l cert.crt -u $scep_enroll_url `;
> 	log_entry("result = @output \n");
> 	
> 	# parse for success: the verdict is taken purely from sscep's text
> 	# output, not from any exit status
> 	log_entry("########################################################
> \n");
> 	foreach(@output)
> 	{
> 		if(/pkistatus: SUCCESS/ || /certificate written as/ )
> 		{
> 			return 0;
> 		}
> 	}
> 	
> 	# failure: no success marker in the enroll output (or an earlier
> 	# step failed without being detected)
> 	return 1;
> }
> #########################################################################
> > 
> > 
> > 
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



