[Pki-users] Cisco Router and RA SCEP & PIN
Marc Sauton
msauton at redhat.com
Thu Apr 28 19:57:14 UTC 2011
Thanks for the update about the resolution.
M.
On 04/28/2011 12:48 PM, Jennings, Charles wrote:
>
> I found my issue. The IP address that was sourcing the request was
> not the IP address used in requesting the SCEP.
>
> Charles Jennings
> Network Security Engineer | Network Engineering
> EarthLink Business
>
> E: charles.jennings at corp.earthlink.com
> O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294
> 1801 Hillyer Robinson Parkway | Anniston, AL | 36207
> Deltacom is now EarthLink Business
>
> "There is one safeguard known generally to the wise, which is an
> advantage and security to all, but especially to democracies as
> against despots. What is it? Distrust."
> Demosthenes (c 384-322 B.C.), Greek orator. Second Philippic, sct. 24
> (344 B.C.)
>
> ------------------------------------------------------------------------
>
> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
> Sent: Monday, April 25, 2011 6:02 PM
> To: pki-users at redhat.com
> Subject: Re: [Pki-users] Cisco Router and RA SCEP & PIN
>
> Is there anything interesting in your CA debug log file?
> Did you verify if your request includes challenge password attribute?
>
> Thank you,
> Andrew
>
>
> On 04/21/2011 06:00 AM, Jennings, Charles wrote:
>
> Looking for some help:
>
> I've been beating my head over this for a few days with no resolve:
>
> 1. Using DCS version 1.3
>
> 2. In RA SSL End User Services, perform a SCEP enrollment using
> following information:
>
> a. Client IP: a user id
> b. Site ID: The IP address of the router
> c. Email: My email address
>
> 3. In RA Agent Services, approve the request and note the PIN that is
> assigned.
>
> 4. In router, generate RSA key:
>
>     crypto key gen rsa
>     (modulus set to 1024)
>
> 5. In router, create the crypto ca trustpoint as follows:
>
>     crypto ca trustpoint CA
>      enrollment mode ra
>      enrollment url http://ra.test.com:12888/ee/scep/pkiclient.cgi
>      crl optional
>
> 6. In router, obtain CA certificate (with no problem)
>
>     crypto ca authenticate CA
>
>     Certificate has the following attributes:
>     Fingerprint MD5: blah blah
>     Fingerprint SHA1: blah blah
>     %Do you accept this certificate? [yes/no]: yes
>     Trustpoint CA certificate accepted.
>
> Here's where it all blows up:
>
> 7. Try to obtain certificate:
>
>     crypto ca enroll CA
>     %
>     % Start certificate enrollment .
>     % Create a challenge password. You will need to verbally provide this
>       password to the CA Administrator in order to revoke your certificate.
>       For security reasons your password will not be saved in the configuration.
>       Please make a note of it.
>
>     Password: {I've tried the PIN and just any 'ol password}
>     Re-enter password:
>
>     % The subject name in the certificate will include: TEST_HOST.cert-test.net
>     % Include the router serial number in the subject name? [yes/no]: no {tried both}
>     % Include the IP address in the subject name? [no]: no {tried both}
>     Request certificate from CA? [yes/no] yes
>     % Certificate request sent to Certificate Authority
>     % The 'show crypto ca certificate CA verbose' command will show the fingerprint
>
>     CRYPTO_PKI: Certificate Request Fingerprint MD5: blah blah
>     CRYPTO_PKI: Certificate Request Fingerprint SHA1: blah blah
>
> %PKI-6-CERTFAIL: Certificate enrollment failed.
>
> 8. I have turned on debugging and found that every time it failed, I
> was being told at the end of the debugging that I was being
> redirected with a '302 Moved' to /ee/scep/installer.cgi
>
> 9. So I went in and edited the following file:
>
>     vi ./var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi
>
> and commented out the following 4 lines in the file:
>
>     # check PIN
>     if (1) {
>         my $pin_store = PKI::Base::PinStore->new();
>         $pin_store->open($cfg);
>         my $pinref = $pin_store->read_pin($key);
>         if (defined($pinref) && $pinref->{'pin'} eq $pin) {
>             $pin_store->delete($key);
>         } else {
>             # $pin_store->close();
>             # # XXX - return SCEP error
>             # print $q->redirect("/ee/scep/installer.cgi");
>             # return;
>         }
>         $pin_store->close();
>     }
>
> 10. I ran thru the whole enrollment process again - and bang: It works
>
>
> So I know that the issue is that it can't determine the PIN that was
> assigned during the RA enrollment process.
>
> Does anyone know how I can resolve this so that PIN authentication works?
>
> Thanks,
>
> Charles Jennings
> Network Security Engineer | Network Engineering
> EarthLink Business
>
>
> E: charles.jennings at corp.earthlink.com
> O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294
> 1801 Hillyer Robinson Parkway | Anniston, AL | 36207
> Deltacom is now EarthLink Business
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
>
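As an added illustration (not code from the RA, Dogtag, or anyone in this thread), the decision that pkiclient.cgi makes in step 9, rewritten in Python around the source-IP-keyed lookup that Charles's resolution points at: the PinStore class, the assumption that the PIN is stored under the Site ID (the router's IP) and matched against the request's source address, and the sample PIN are all constructed for the example.

```python
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("ra.scep")


@dataclass
class PinStore:
    """Constructed stand-in for the RA's PIN store (PKI::Base::PinStore in the thread).
    Assumption: entries are keyed by the Site ID entered at enrollment, which is the
    router's IP address, and looked up by the source IP of the SCEP request."""
    pins: dict = field(default_factory=dict)

    def read_pin(self, key):
        return self.pins.get(key)

    def delete(self, key):
        self.pins.pop(key, None)


def check_scep_pin(store, source_ip, challenge_password):
    """Mirror of the pkiclient.cgi check: find the PIN registered for the request's
    source address, compare it with the challengePassword the router sent, and
    consume it on success. Returns (accepted, reason)."""
    if not challenge_password:
        return False, "no challengePassword attribute in request"
    pin = store.read_pin(source_ip)
    if pin is None:
        # The failure from the thread: the Site ID given at RA enrollment and the
        # address the router actually sources the request from do not agree
        # (NAT, a different egress interface), so no PIN exists under this key.
        log.warning("no PIN registered for source %s", source_ip)
        return False, f"no PIN registered for {source_ip}"
    if not hmac.compare_digest(pin, challenge_password):
        return False, "PIN mismatch"
    store.delete(source_ip)  # the PIN is single-use; a replay must fail
    return True, "ok"


def demo():
    """Constructed scenario: one approved request for 192.0.2.10 with PIN 48213."""
    store = PinStore({"192.0.2.10": "48213"})
    return [
        check_scep_pin(store, "192.0.2.99", "48213")[1],  # wrong source IP
        check_scep_pin(store, "192.0.2.10", "wrong")[1],  # wrong PIN
        check_scep_pin(store, "192.0.2.10", "48213")[1],  # correct, PIN consumed
        check_scep_pin(store, "192.0.2.10", "48213")[1],  # replay after consumption
    ]
```

The first case is the one Charles hit: the PIN exists, but not under the address the RA sees, so the check fails exactly as it would for an unknown client, which is why disabling the check rather than fixing the source address removes the RA's only proof that the requester is the approved device.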