[Pki-users] SSCEP client requesting CA cert
Chandrasekar Kannan
ckannan at redhat.com
Thu Apr 23 21:07:10 UTC 2009
On Thu, 2009-04-23 at 13:52 -0700, Fortunato wrote:
> Solved.
cool. thanks.
>
> I pointed sscep to the url:
>
> # ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
>
> I know I'll run into issues with the rest... :) but I'll work on those bridges once I cross them.
>
> -----Original Message-----
> >From: Chandrasekar Kannan <ckannan at redhat.com>
> >Sent: Apr 23, 2009 1:09 PM
> >To: Fortunato <fortunato.montresor at earthlink.net>
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] SSCEP client requesting CA cert
> >
> >On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
> >> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> >> > Thanks to all for your help so far. :)
> >> >
> >> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> >> >
> >> > http://<fqdn>:12888/ee/scep/pkiclient.cgi
> >> >
> >> > I get the following error message:
> >> >
> >> > ./sscep: cannot find data from http reply
> >> >
> >> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> >> >
> >> > Additionally all the examples for retrieving the CA are for:
> >> >
> >> > http://<fqdn>:9180/ca/cgi.bin
> >> >
> >> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> >> >
> >> > ./sscep: wrong (or missing) MIME content type
> >> > ./sscep: error while sending message
> >> >
> >> > which looks even more hopeless.
> >> >
> >> > Any help is appreciated.
> >>
> >> Here's a perl module that we use for simple scep testing.
> >> I'll try to dig out the url and pin soon for a sample ...
> >
> >
> >some sample results from this. might be useful for you.
> >##########################################################################
> >
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l
> >root /bin/rm -f local.csr
> > local.key ca.crt cert.crt
> >scep3 : [2007:5:9 12:44:7] : result =
> >scep3 : [2007:5:9 12:44:7] : ########################################################
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest
> > -ip 10.14.1.89 netscape
> >Generating RSA private key, 1024 bit long modulus
> >..............++++++
> >...........++++++
> >e is 65537 (0x10001)
> >scep3 : [2007:5:9 12:44:7] : result =
> >scep3 : [2007:5:9 12:44:7] : ########################################################
> >scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca
> > -c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
> >scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
> > /usr/bin/sscep: valid response from server
> > /usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
> > /usr/bin/sscep: CA certificate written as ca.crt
> >scep3 : [2007:5:9 12:44:8] : ########################################################
> >scep3 : [2007:5:9 12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll
> > -c ca.crt -k local.key -r local.csr -l cert.crt -u
> > http://tank:9007/ca/cgi-bin/pkiclient.exe
> >scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request
> > /usr/bin/sscep: valid response from server
> > /usr/bin/sscep: pkistatus: SUCCESS
> > /usr/bin/sscep: certificate written as cert.crt
> >scep3 : [2007:5:9 12:44:9] : ########################################################
> >scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS
> >##########################################################################
> >
> >
> >>
> >>
> >> ######################################################################
> >> # This perl module serves as a perl interface for the RHCS
> >> # SCEP - Enrollment
> >>
> >> ######################################################################
> >> package scep_enroll;
> >> require Exporter;
> >> @ISA = qw(Exporter);
> >> @EXPORT = qw(scep_do_enroll_with_sscep
> >> );
> >>
> >> ######################################################################
> >> use strict;
> >> use baserc;
> >> use baselib;
> >> use applib;
> >> #use Net::Telnet::Cisco;
> >> ######################################################################
> >> #sub scep_do_enroll
> >> #{
> >> # my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >> #
> >> # # scep_host/password are hardcoded here.
> >> # my $scep_host = "scep.dsdev.sjc.redhat.com";
> >> # my $scep_host_ip = "10.14.1.94";
> >> # my $scep_password = "netscape";
> >> # my $scep_ethernet = "Ethernet0/0";
> >> #
> >> # my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
> >> # $session->login('', "$scep_password");
> >> # $session->ignore_warnings("1");
> >> #
> >> # # Execute a command
> >> # &message_ts;
> >> # my @output = $session->cmd('show version');
> >> # log_entry(@output);
> >> #
> >> # # Enable mode
> >> # if ($session->enable("$scep_password") )
> >> # {
> >> # @output = $session->cmd('show privilege');
> >> # log_entry("My privileges: @output\n");
> >> # }
> >> # else
> >> # {
> >> # log_entry("Can't enable: " . "$session->errmsg");
> >> # }
> >> #
> >> # # enter conf t mode
> >> # log_entry("Executing command = conf t\n");
> >> # @output = $session->cmd("conf t");
> >> # log_entry("result =@output \n");
> >> #
> >> # # perform crypto cleanup first
> >> # log_entry("Executing command = crypto key zeroize rsa \n");
> >> # @output = $session->cmd("crypto key zeroize rsa\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = no crypto ca identity CA\n");
> >> # @output = $session->cmd("no crypto ca identity CA\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # # setup CA identity
> >> # log_entry("Executing command = crypto ca identity CA\n");
> >> # @output = $session->cmd("crypto ca identity CA");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = enrollment url $scep_enroll_url \n");
> >> # @output = $session->cmd("enrollment url $scep_enroll_url ");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = crl optional\n");
> >> # @output = $session->cmd("crl optional");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = exit \n");
> >> # @output = $session->cmd("exit");
> >> # log_entry("result = @output\n");
> >> #
> >> # # authenticate CA
> >> # log_entry("Executing command = crypto ca authenticate CA\n");
> >> # @output = $session->cmd("crypto ca authenticate CA\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = crypto key generate rsa\n");
> >> # @output = $session->cmd("crypto key generate rsa\n512");
> >> # log_entry("result = @output\n");
> >> # sleep(60);
> >> #
> >> # log_entry("Executing command = crypto ca enroll CA \n");
> >> # @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n
> >> $scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = exit \n");
> >> # @output = $session->cmd("exit");
> >> # log_entry("result = @output\n");
> >> #
> >> # log_entry("Executing command = show crypto CA certificate\nq\n");
> >> # @output = $session->cmd("show crypto CA certificate\nq\n");
> >> # log_entry("result = @output\n");
> >> #
> >> # foreach(@output)
> >> # {
> >> # if( /$scep_host/ || /Key Usage: General Purpose/ )
> >> # {
> >> # return 0;
> >> # }
> >> # }
> >> #
> >> #
> >> ##########################################################################
> >> # # close the session object
> >> # $session->close;
> >> #
> >> # return 1;
> >> #}
> >> ######################################################################
> >> sub scep_do_enroll_with_sscep
> >> {
> >> # This sub-routine uses the Simple SCEP client to do scep enrollments.
> >> # this can be used as an alternative if we don't have the router
> >> # the scep client is installed on tank.dsdev.sjc.redhat.com
> >>
> >> my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >>
> >> # scep_host/password are hardcoded here.
> >> my $scep_host = "tank.dsdev.sjc.redhat.com";
> >> my $uid = "root";
> >> my $ipaddress = os_getip();
> >>
> >> # clean up
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr
> >> local.key ca.crt cert.crt \n");
> >> my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key
> >> ca.crt cert.crt`;
> >> log_entry("result = $result\n");
> >>
> >> # generate a key
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip
> >> $ipaddress $scep_enroll_pin \n");
> >> $result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress
> >> $scep_enroll_pin `;
> >> log_entry("result = $result\n");
> >>
> >> # get ca cert
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c
> >> ca.crt -u $scep_enroll_url\n");
> >> $result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u
> >> $scep_enroll_url`;
> >> log_entry("result = $result\n");
> >>
> >> # submit enrollment request
> >> log_entry("########################################################
> >> \n");
> >> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c
> >> ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url \n");
> >> my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k
> >> local.key -r local.csr -l cert.crt -u $scep_enroll_url `;
> >> log_entry("result = @output \n");
> >>
> >> # parse for success
> >> log_entry("########################################################
> >> \n");
> >> foreach(@output)
> >> {
> >> if(/pkistatus: SUCCESS/ || /certificate written as/ )
> >> {
> >> return 0;
> >> }
> >> }
> >>
> >> # failure
> >> return 1;
> >> }
> >> #########################################################################
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Pki-users mailing list
> >> > Pki-users at redhat.com
> >> > https://www.redhat.com/mailman/listinfo/pki-users
> >--
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Chandrasekar Kannan -- ckannan at redhat.com
> >Quality Engineering -- http://www.redhat.com
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
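The GetCACert step Fortunato got working, rebuilt below as an added Python client (not code from this thread, from sscep or from RHCS) so the two failure modes seen earlier in the thread are explicit: it sends the same GetCACert query sscep sends to the pkiclient endpoint, rejects a reply whose MIME type is not a CA-cert type or whose body is empty, and accepts ca.crt only when its fingerprint matches one obtained out of band, which is what the fingerprint line sscep prints is for. The URL and fingerprint values are placeholders, and `verify_getca_reply` is a name chosen here, not an sscep function.

```python
import hashlib
import urllib.parse
import urllib.request

# MIME types a GetCACert reply may carry (SCEP, RFC 8894): a bare CA certificate,
# or a degenerate PKCS#7 bundle holding the CA and RA certificates.
CA_CERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def build_getca_url(base_url, message="CA"):
    """Turn the pkiclient endpoint into the GetCACert request sscep sends."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": message})
    return f"{base_url}?{query}"


def fingerprint(der_bytes, algo="sha256"):
    """Colon-separated digest in the layout sscep prints ("MD5 fingerprint: AC:B6:...").
    SHA-256 by default; pass algo="md5" only to compare against sscep's legacy output."""
    hexdigest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def verify_getca_reply(content_type, body, expected_fp, algo="sha256"):
    """Check a GetCACert reply before trusting it as ca.crt.
    Returns (ok, detail): detail names the failure, or the fingerprint on success."""
    if not content_type:
        return False, "wrong (or missing) MIME content type"
    mime = content_type.split(";")[0].strip().lower()
    if mime not in CA_CERT_TYPES:
        return False, f"wrong MIME content type: {mime}"
    if not body:
        return False, "cannot find data from http reply"
    actual = fingerprint(body, algo)
    if actual != expected_fp.upper():
        return False, f"CA fingerprint mismatch: got {actual}"
    return True, actual


def fetch_ca_cert(base_url, expected_fp, out_path="ca.crt", algo="sha256", timeout=10):
    """GET the CA certificate over HTTP and write it only if the reply passes the checks.
    base_url is the pkiclient endpoint, e.g. http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
    (placeholder); expected_fp is the fingerprint obtained from the CA operator out of band."""
    with urllib.request.urlopen(build_getca_url(base_url), timeout=timeout) as resp:
        content_type, body = resp.headers.get("Content-Type"), resp.read()
    ok, detail = verify_getca_reply(content_type, body, expected_fp, algo)
    if ok:
        with open(out_path, "wb") as fh:
            fh.write(body)
    return ok, detail
```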