SCEP certificate enrollment hangs
I successfully retrieved the CA cert. After that, I wanted to enroll for a certificate using the following command
ipsec scepclient --out pkcs1=swanKey.der --out cert=swanCert.der \
--dn "C=CH, CN=swan" -k 512 -p 93A494CDB03F4CED \
--url http://192.168.56.102/certsrv/mscep/mscep.dll \
--in cacert-enc=caCert.der --in cacert-sig=caCert.der -A
And the following happens:
| plugin 'curl': loaded successfully
| plugin 'aes': loaded successfully
| plugin 'des': loaded successfully
| plugin 'sha1': loaded successfully
| plugin 'sha2': loaded successfully
| plugin 'md5': loaded successfully
| plugin 'random': loaded successfully
| plugin 'x509': loaded successfully
| plugin 'pkcs1': loaded successfully
| plugin 'pkcs8': loaded successfully
| plugin 'pem': loaded successfully
| plugin 'gmp': loaded successfully
loaded plugins: curl aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pem gmp
It does nothing and stays here. Any suggestions?
#1 Updated by Scep CAfail over 9 years ago
Added openssl-devel and this problem is resolved; now the following happens:
ipsec scepclient --out cert=SSwanCert.der -p F7D28CC7FDED5F2C --url http://192.168.56.102/certsrv/mscep/mscep.dll --in cacert-enc=caCert.der --in cacert-sig=caCert.der
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pem openssl gmp
transaction ID: 205d3ce2f19698a8dca9b376763dd213
OpenSSL X.509 parsing failed
building CRED_CERTIFICATE - X509 failed, tried 4 builders
error: could not load encryption cacert file '/usr/local/etc/ipsec.d/cacerts/caCert.der'
caCert exists in that location
#2 Updated by Tobias Brunner over 9 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
Hm, the error message indicates an issue with the file that is located there. Not that it is missing, but that it is corrupt or otherwise unreadable.
Try whether the following works:
openssl x509 -text -inform DER -in /usr/local/etc/ipsec.d/cacerts/caCert.der
#3 Updated by Scep CAfail over 9 years ago
As you anticipated, the cacert is corrupt
openssl x509 -text -inform DER -in /usr/local/etc/ipsec.d/cacerts/caCert.der
unable to load certificate
139913019594568:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
139913019594568:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
139913019594568:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509
That brings us to square one, the CA cert retrieval. I deleted the cacert file and reran the following command:
ipsec scepclient --out caCert --url http://192.168.56.102/certsrv/mscep/mscep.dll -A
| plugin 'curl': loaded successfully
| plugin 'aes': loaded successfully
| plugin 'des': loaded successfully
| plugin 'sha1': loaded successfully
| plugin 'sha2': loaded successfully
| plugin 'md5': loaded successfully
| plugin 'random': loaded successfully
| plugin 'x509': loaded successfully
| plugin 'pkcs1': loaded successfully
| plugin 'pkcs8': loaded successfully
| plugin 'pem': loaded successfully
| plugin 'openssl': loaded successfully
| plugin 'gmp': loaded successfully
loaded plugins: curl aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pem openssl gmp
| sending scep request to 'http://192.168.56.102/certsrv/mscep/mscep.dll'
| sending http request to 'http://192.168.56.102/certsrv/mscep/mscep.dll?operation=GetCACert&message=CAIdentifier'...
written ca cert file '/etc/ipsec.d/cacerts/caCert.der' (2994 bytes)
Worked fine; however, as you found out, the file it retrieved is not a valid certificate. You can see it in the attachment. FYI, the SCEP server is Windows.
Right now the same URL is working with Cisco equipment.
#4 Updated by Tobias Brunner over 9 years ago
The file you receive there is actually in the PKCS#7 format and contains more than just the CA certificate. I don't really know SCEP (or scepclient for that matter) but from the current SCEP draft I get that there are two possible responses to a GetCACert request and scepclient currently handles both the same way, that is, it simply stores the response in the given file, whether it is only the X.509 CA certificate or a PKCS#7 file which additionally contains the Registration Authority (RA) certificate. You could try to extract the certificates from the PKCS#7 file with
openssl pkcs7 -print_certs -in caCert.der -inform der
which should give you a list of PEM encoded certificates. These you can store in individual files (the -----END... part of each).
#5 Updated by Scep CAfail over 9 years ago
Do you know of a quick command that would export those 2 certificates into their respective folders under ipsec.d? For example, for the RA cert the subject name is appended with the word mscep-ra, like subject=/C=US/CN=WIN-J348TUGMTQG-MSCEP-RA, so the cert which contains mscep-ra in its subject name is saved under ipsec.d/racerts/racert.der and the remaining one is saved under ipsec.d/cacerts/cacert.der.
According to http://manpages.ubuntu.com/manpages/karmic/man8/scepclient.8.html, "If more than one CA certificate is returned, store them in files named caCert.der-1, caCert.der-2, etc." and apparently this is not happening.
The behaviour I explained in the first paragraph is how Cisco handles cert retrieval. Maybe you would like to add this fix for an upcoming version.
Thanks for your help!
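The split-and-file step asked for in #5, applied to the output of the openssl command from #4, as an added example that is not scepclient's or strongSwan's own code. It assumes the RA cert is the one whose subject contains MSCEP-RA (as in the thread) and uses a constructed sample of the openssl output with placeholder bodies.

```python
import os
import re

# Constructed sample (placeholder base64, not real certs) of what
#   openssl pkcs7 -print_certs -in caCert.der -inform der
# prints for a GetCACert response holding the CA cert and the MSCEP RA cert.
SAMPLE_OUTPUT = """\
subject=/C=US/CN=WIN-J348TUGMTQG-CA
issuer=/C=US/CN=WIN-J348TUGMTQG-CA
-----BEGIN CERTIFICATE-----
Q0EgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
subject=/C=US/CN=WIN-J348TUGMTQG-MSCEP-RA
issuer=/C=US/CN=WIN-J348TUGMTQG-CA
-----BEGIN CERTIFICATE-----
UkEgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

# One subject/issuer/PEM block as printed by -print_certs (either subject style).
CERT_BLOCK = re.compile(
    r"subject=(?P<subject>[^\n]*)\nissuer=[^\n]*\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.DOTALL)

def classify(subject):
    """RA certs carry MSCEP-RA in the subject; everything else is filed as a CA."""
    return "racerts" if "mscep-ra" in subject.lower() else "cacerts"

def sort_certs(text, ipsec_d=None):
    """Return [(path relative to ipsec.d, pem), ...] for each cert found; if
    ipsec_d is given, also write each file there. A second cert of the same
    kind gets a numeric suffix so nothing is overwritten."""
    counts = {"cacerts": 0, "racerts": 0}
    plan = []
    for m in CERT_BLOCK.finditer(text):
        kind = classify(m["subject"])
        counts[kind] += 1
        name = ("raCert" if kind == "racerts" else "caCert") + ".pem"
        if counts[kind] > 1:
            name += "-%d" % counts[kind]
        rel = os.path.join(kind, name)
        if ipsec_d:
            path = os.path.join(ipsec_d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(m["pem"])
        plan.append((rel, m["pem"]))
    return plan
```

Feed it the -print_certs output and the ipsec.d directory; the certificates are stored as PEM, which strongSwan accepts in those directories alongside DER.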
#6 Updated by Scep CAfail over 9 years ago
I manually imported the CA and RA certs and tried to enroll for a certificate, but it gives an integrity check failure; you can find the error in the attachment.
After some research, I found out that the SCEP server is sending chained certs upon a CA cert retrieval request, and this scepclient is storing them in one single file instead of separating them.
For a certificate enrollment, the client should use the RA cert, not the CA cert, otherwise it gives "invalid signature".
I am following the manpage of this tool but it errors on every single step, although I follow it exactly. Do you know if anyone succeeded in making this SCEP stuff work? I have been working on this for about a week and have to finish by this Monday, and I really need your help.
#7 Updated by Tobias Brunner over 9 years ago
Hm, scepclient was written 7 years ago and has not gotten much attention since then. From the original documentation (PDF, German) I get that work was based on revision 10 and 11 of the SCEP draft. In that revision RAs are only mentioned as a sidenote (the current revision is more specific) so my guess is that scepclient was never really intended for certificate enrollment via RAs (could be that it wasn't a very common setup at the time). There are currently no plans to do any work on scepclient, unless someone is willing to sponsor the development.
Now your log does not really show what the problem is. The signature and encryption keys are clearly provided by the RA certificate. You should perhaps check the Windows Server's event logs to see why it responds with an error message ("badMessageCheck - integrity check failed").
#8 Updated by Tobias Brunner over 9 years ago
- Status changed from Feedback to Resolved
- Target version set to 4.6.4
- Resolution set to Fixed
In the meantime I was able to verify that the error message you received last ("badMessageCheck - integrity check failed") is actually caused by incorrectly encoded PKCS#7 messages and PKCS#10 certificate requests. The integer value 0 was incorrectly encoded as 0200 instead of 020100 in ASN.1, causing Windows to reject the enrollment request. strongSwan has done it like this since forever, so I'm not sure how this ever worked - perhaps older versions of Microsoft's and Cisco's implementations weren't as strict.
A fix for this will be included in one of our upcoming releases. If you don't want to wait, have a look at commit 70a76b00.
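The encoding difference described in #8, as an added example that is not strongSwan's code: a minimal DER INTEGER encoder that emits the correct 02 01 00 for zero, and a strict decoder that rejects the 02 00 form (and other non-minimal encodings) the way the Windows server did.

```python
def der_encode_integer(value):
    """Encode a Python int as a minimal DER INTEGER (tag 0x02, two's complement)."""
    if value == 0:
        content = b"\x00"  # zero needs exactly one content octet: 02 01 00
    else:
        content = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
        # DER forbids redundant leading 0x00 / 0xFF octets
        while len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80) or
                                    (content[0] == 0xFF and content[1] >= 0x80)):
            content = content[1:]
    assert len(content) < 128, "short-form length only in this demo"
    return b"\x02" + bytes([len(content)]) + content

def der_decode_integer(data):
    """Strictly decode one DER INTEGER; raise ValueError for malformed encodings."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not an INTEGER TLV")
    length = data[1]
    if length >= 128:
        raise ValueError("long-form length not handled in this demo")
    content = data[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    if length == 0:
        # this is the 02 00 that strongSwan emitted for 0; no valid INTEGER is empty
        raise ValueError("INTEGER with zero-length content")
    if length > 1 and ((content[0] == 0x00 and content[1] < 0x80) or
                       (content[0] == 0xFF and content[1] >= 0x80)):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)

def is_valid_der_integer(data):
    """True if a strict decoder (as on the Windows side) would accept the encoding."""
    try:
        der_decode_integer(data)
        return True
    except ValueError:
        return False
```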