[Pki-users] Cisco Router and RA SCEP & PIN

Jennings, Charles Charles.Jennings at corp.earthlink.com
Thu Apr 28 19:48:51 UTC 2011


I found my issue.  The IP address that was sourcing the request was not
the IP address used in requesting the SCEP.


Charles Jennings

Network Security Engineer | Network Engineering

EarthLink Business


E: charles.jennings at corp.earthlink.com
<mailto:charles.jennings at corp.earthlink.com> 

O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294

1801 Hillyer Robinson Parkway | Anniston, AL | 36207 

Deltacom is now EarthLink Business


"There is one safeguard known generally to the wise, which is an
advantage and security to all, but especially to democracies as against
despots. What is it? Distrust." 
Demosthenes (c 384-322 B.C.), Greek orator. Second Philippic, sct. 24
(344 B.C.)
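The failure described in this thread comes down to how the RA's pkiclient.cgi looks up the one-time PIN: the PIN is stored under a key derived from the enrollment request, and the router's SCEP request must arrive from the same address, or read_pin returns nothing and the gate rejects it. The following Python sketch is an added illustration, not code from the pki-ra project (whose PIN store is the Perl PKI::Base::PinStore shown further down). It assumes the store is keyed on the Site ID IP address, which the thread implies but does not show, and uses constructed addresses and PIN values.

```python
import hmac
import ipaddress
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ra-scep")


class PinStore:
    """One-time enrollment PINs keyed by the site address given at RA enrollment.

    Constructed stand-in for PKI::Base::PinStore; the real store's key format is
    not shown in the thread, so keying on the site IP is an assumption.
    """

    def __init__(self):
        self._pins = {}

    def issue(self, site_ip, pin):
        # Normalise the address so "192.0.2.010" and "192.0.2.10" hit the same key
        key = str(ipaddress.ip_address(site_ip))
        self._pins[key] = pin

    def read_pin(self, key):
        return self._pins.get(key)

    def delete(self, key):
        self._pins.pop(key, None)


def check_pin(store, source_ip, challenge_password):
    """Return (ok, reason), mirroring the gate in pkiclient.cgi.

    The PIN must exist for the key and equal the challenge password; on success
    it is consumed so the same PIN cannot be replayed for a second enrollment.
    The reason string is what an operator would want in the debug log.
    """
    key = str(ipaddress.ip_address(source_ip))
    stored = store.read_pin(key)
    if stored is None:
        log.warning("SCEP request from %s: no pending PIN for this address", key)
        return False, "no PIN registered for source address"
    supplied = (challenge_password or "").encode()
    if not hmac.compare_digest(stored.encode(), supplied):
        log.warning("SCEP request from %s: challenge password does not match PIN", key)
        return False, "challenge password mismatch"
    store.delete(key)
    log.info("SCEP request from %s: PIN accepted and consumed", key)
    return True, "ok"


def demo():
    store = PinStore()
    # Constructed values: the PIN the RA agent would hand out when approving
    # the request for Site ID 192.0.2.10 (documentation range, not a real host).
    store.issue("192.0.2.10", "482913")
    results = {}
    # 1. Router sources the SCEP request from another interface address: the
    #    lookup key never matches, so the gate rejects whatever PIN is typed.
    results["wrong_source_ip"] = check_pin(store, "192.0.2.99", "482913")
    # 2. Correct source address, wrong challenge password.
    results["wrong_pin"] = check_pin(store, "192.0.2.10", "000000")
    # 3. Correct address and PIN: accepted, and the PIN is consumed.
    results["match"] = check_pin(store, "192.0.2.10", "482913")
    # 4. Replaying the same PIN after consumption is refused.
    results["replay"] = check_pin(store, "192.0.2.10", "482913")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} ok={ok} reason={reason}")
```

Case 1 is the situation in this thread: the router's request leaves from an interface other than the one entered as Site ID, so the RA has no PIN under that key and the enrollment fails even though the PIN is correct. Rather than disabling the check in pkiclient.cgi, the fix belongs on the router side (making the request source address match the registered Site ID; on Cisco IOS the trustpoint's `source interface` command controls this) or in the RA enrollment data. The log lines in check_pin are the kind of detail worth having in the CA/RA debug log, since "302 redirect to installer.cgi" alone says nothing about which of the two conditions failed.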


________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
On Behalf Of Andrew Wnuk
Sent: Monday, April 25, 2011 6:02 PM
To: pki-users at redhat.com
Subject: Re: [Pki-users] Cisco Router and RA SCEP & PIN


Is there anything interesting in your CA debug log file?
Did you verify if your request includes challenge password attribute?

Thank you,
Andrew

On 04/21/2011 06:00 AM, Jennings, Charles wrote: 

Looking for some help:

I've been beating my head over this for a few days with no resolve:

1.    Using DCS version 1.3

2.    In RA SSL End User Services, perform a SCEP enrollment using
      following information:

      a.    Client IP:        a user id
      b.    Site ID:          The IP address of the router
      c.    Email:            My email address

3.    In RA Agent Services, approve the request and note the PIN that is
      assigned.

4.    In router, generate RSA key:

      crypto key gen rsa
      Set to 1024 modulus

5.    In router, create the crypto ca trustpoint as follows:

      crypto ca trustpoint CA
          enrollment mode ra
          enrollment url http://ra.test.com:12888/ee/scep/pkiclient.cgi
          crl optional

6.    In router, obtain CA certificate (with no problem)

      crypto ca authenticate CA

      Certificate has the following attributes:
          Fingerprint MD5: blah blah
          Fingerprint SHA1: blah blah
      %Do you accept this certificate? [yes/no]: yes
      Trustpoint CA certificate accepted.

Here's where it all blows up:

7.    Try to obtain certificate:

      crypto ca enroll CA
      %
      % Start certificate enrollment .
      % Create a challenge password. You will need to verbally provide this
         Password to the CA Administrator in order to revoke your certificate.
         For security reasons you password will not be saved in the configuration.
         Please make a note of it.

      Password:  {I've tried the PIN and just any 'ol password}
      Re-enter password:

      % The subject name in the certificate will include: TEST_HOST.cert-test.net
      % Include the router serial number in the subject name? [yes/no]: no {tried both}
      % Include the IP address in the subject name? [no]: no {tried both}
      Request certificate from CA? [yes/no] yes
      % Certificate request sent to Certificate Authority
      % The 'show crypto ca certificate CA verbose' command will show the fingerprint

      CRYPTO_PKI:  Certificate Request Fingerprint MD5: blah blah
      CRYPTO_PKI:  Certificate Request Fingerprint SHA1: blah blah

      %PKI-6-CERTFAIL: Certificate enrollment failed.

8.    I have turned on debugging and found that every time it failed, I
      was being told at the end of the debugging that I was being
      redirected with a '302 Moved' to /ee/scep/installer.cgi

9.    So I went in and edited the following file:

      vi ./var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi

      and commented out the following 4 lines in the file:

      # check PIN
      if (1) {
        my $pin_store = PKI::Base::PinStore->new();
        $pin_store->open($cfg);
        my $pinref = $pin_store->read_pin($key);
        if (defined($pinref) && $pinref->{'pin'} eq $pin) {
          # PIN matched: consume it so it cannot be used again
          $pin_store->delete($key);
        } else {
          # the four rejection lines below are the ones commented out, so a
          # missing or mismatched PIN now falls through and enrollment proceeds
          #   $pin_store->close();
          #   # XXX - return SCEP error
          #   print $q->redirect("/ee/scep/installer.cgi");
          #   return;
        }
        $pin_store->close();
      }

10.  I ran thru the whole enrollment process again - and bang: It works


So I know that the issue is that it can't determine the PIN that was
assigned during the RA enrollment process.

Does anyone know how I can resolve this so that PIN authentication
works?

Thanks,

Charles Jennings
Network Security Engineer | Network Engineering
EarthLink Business



_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users