[Pki-users] SCEP Enrollment fails with Certificate not found .
Elliott William C OSS sIT
WilliamC.Elliott at s-itsolutions.at
Tue Oct 21 12:54:57 UTC 2014
(sorry for the delay - I was out of the office for some time)
The package version we're trying is pki-ca-9.0.3-32.el6.noarch, on RHEL6 as I said. But since the last email we've also tried 9.0.3-38, with the same result.
We always ran through the wizard panels using all default values, changing nothing, but now we configure the ca with pkisilent with the same default values to make sure the configuration doesn't change from one test to the next.
The only change we make is afterwords to enable scep in the config:
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16
The whole thing always works fine when we use the internal token (and with RHEL5/Dogtag 1.3 on the hsm), but throws the exception when the hsm is used as token.
We use sscep to submit requests to the ca.
We had never set the two parameters (scep.nickname, scep.tokenname) you suggested trying.
Here are the results of your suggestions below :
** 1. This is our current configuration which always produces the exception.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: true
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 2. Setting ca.scep.nickname at first produced no discernable change,
other than, requests for the ca cert. with "sscep getca" then fail reliably.
Due to token name not being set:
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name:
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: internal token name: ''
CRSEnrollment: CryptoContext: mNickname: 'caSigningCert cert-pki-testca1'
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
...
** 3. setting both ca.scep.nickname and ca.scep.tokenname also does not get around the problem.
From debug log:
CRSEnrollment: init: SCEP support is enabled.
CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-testca1
CRSEnrollment: init: CA nickname: osstest:caSigningCert cert-pki-testca1
CRSEnrollment: init: Token name: osstest
CRSEnrollment: init: Is SCEP using CA keys: false
CRSEnrollment: init: mNonceSizeLimit: 16
CRSEnrollment: init: mHashAlgorithm: SHA1
CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
CRSEnrollment: init: mEncryptionAlgorithm: DES3
CRSEnrollment: init: mEncryptionAlgorithmList: DES3
CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
CRSEnrollment: init: mProfileId=caRouterCert
...
CRSEnrollment: CryptoContext: token name: osstest' <-- from sscep getca request
CRSEnrollment: CryptoContext: mNickname: 'osstest:caSigningCert cert-pki-testca1'
...
CRSEnrollment: CryptoContext: token name: osstest'
CRSEnrollment: CryptoContext: mNickname: 'osstest:osstest:caSigningCert cert-pki-testca1' <-- from sscep enroll request
handlePKIMessage exception com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: Certificate not found: osstest:caSigningCert cert-pki-testca1
at com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
best regards,
William
-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu
Sent: Donnerstag, 02. Oktober 2014 02:15
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Enrollment fails with Certificate not found . [heur][html-removed]
btw, I'm not suggesting that you need either or both config params.
three sets of config you can try:
1. don't specify either ca.scep.nickname or ca.scep.tokenname
(I think by default it takes the ca signing cert, if that's what you
intend to use anyway)
2. specify nickname only ca.scep.nickname (without the token)
ca.scep.nickname=caSigningCert cert-pki-testca1
(I think by default, if the nickname you specified matches that of the
ca, it will find the token for you)
3. specify both nickname and token:
ca.scep.nickname=caSigningCert cert-pki-testca1
ca.scep.tokenname=osstest
(last resort, because when you do this, it thinks it's not using the ca
signing cert.. )
Let us know.
Christina
On 10/01/2014 05:00 PM, Christina Fu wrote:
> What's your scep config values, specifically:
> ca.scep.nickname
> ca.scep.tokenname
>
> Christina
>
> On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote:
>>
>> Hello,
>>
>> We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs
>> setup for SCEP enrollment. But, no matter whether we try the older
>> HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a
>> successful SCEP request. The following exception occurs in the debug log:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation
>>
>> [29/Sep/2014:13:41:17][http-9180-1]:
>> message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ
>>
>> KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w
>>
>> ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt
>>
>> dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG
>>
>> SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH
>>
>> 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP
>>
>> RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs
>>
>> HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r
>>
>> SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g
>>
>> rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF
>>
>> Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM
>>
>> X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW
>>
>> m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu
>>
>> udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc
>>
>> AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT
>>
>> l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61
>>
>> JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz
>>
>> cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z
>>
>> gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB
>>
>> dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG
>>
>> NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy
>>
>> MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx
>>
>> MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF
>>
>> gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM
>>
>> rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip
>>
>> 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB
>>
>> gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN
>>
>> L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp
>>
>> e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w
>>
>> GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG
>>
>> OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC
>>
>> MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw
>>
>> OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg
>>
>> hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0
>>
>> QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB
>>
>> gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH
>>
>> eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm
>>
>> /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> What stands out is the line with mNickname. After restarting the
>> service, with the first request, the HSM token name appears to be
>> listed twice in the *mNickname* string. Interestingly, with each new
>> request, the number of token names increases by one in the string.
>> i.e. with the 2^nd attempt, the same exception occurs but the token
>> name appears three times:
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> token name: osstest'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext:
>> mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1'
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException:
>> Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803)
>>
>> at
>> com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297)
>>
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>>
>> at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>>
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>
>> at java.lang.Thread.run(Thread.java:701)
>>
>> [29/Sep/2014:13:41:17][http-9180-1]: ServletException
>> javax.servlet.ServletException: Failed to process message in CEP
>> servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1
>>
>> As mentioned, the exception occurs with both versions 4 and 5 of
>> LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating
>> with SCEP enrollment.) With local tokens, (no HSMs) the error does
>> not occur.
>>
>> Any Ideas, how we can track this down? We definitely need to get this
>> running.
>>
>> Best regards!
>>
>> William Elliott
>>
>> s IT Solutions
>>
>> Open System Services
>>
>> s IT Solutions AT Spardat GmbH
>>
>> A-1110 Wien, Geiselbergstraße 21 - 25
>>
>> Phone: +43 (0)5 0100 - 39376
>>
>> Fax: +43 (0)5 0100 9 - 39376
>>
>> Mobile: +43 (0)5 0100 6 - 39376
>>
>> _mailto:william.elliott at s-itsolutions.at
>> <mailto:william.elliott%20at%20s-itsolutions.at>_
>>
>> www.s-itsolutions.com <http://www.s-itsolutions.com/>
>>
>> Head Office: Vienna Commercial Register No.: 152289f Commercial Court
>> of Vienna
>>
>> This message and any attached files are confidential and intended
>> solely for the addressee(s). Any publication, transmission or other
>> use of the information by a person or entity other than the intended
>> addressee is prohibited. If you receive this in error please contact
>> the sender and delete the material. The sender does not accept
>> liability for any errors or omissions as a result of the transmission.
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list